[mschuster91]

Because any random machine in the same datacenter and network segment might be compromised and do stuff like running ARP spoofing attacks. Cisco alone has had so many vendor-provided backdoors cropping up that I wouldn't trust anything in a data center with Cisco gear.

[qingcharles]

Back in the 90s I discovered the CTO of a major telecoms company was packet sniffing EFnet traffic in one of their datacenters in order to log all the PRIVMSGs to extort a couple of people. Security is only as good as its weakest leak, and all that.

[subscribed]

Ummm, no, The network is completely isolated. No one enters the cage and just plugs something into my switches/routers.

Any communication between the cage and the outside world is through the cross-connects.

Unless it's some state-adversary, no one taps us like this. This is not a shared hosting. No one runs serious workloads like this.

"Unserious"? Sure, everything is encrypted p2p.

[mschuster91]

> No one enters the cage and just plugs something into my switches/routers.

I'm not talking about someone plugging something in. I'm talking about someone pwning your VPN endpoint or firewall, and laterally moving from there. There's always a way to move around unless you are really, really careful (and even that is not enough if the adversary has an exploit for something really deep in the network stack).

At the very least, choose different vendors for your VPN/frontend firewall gear and the rest of your system. That way, an adversary can't just go and pwn every little piece of your network infrastructure with a single exploit.

[subscribed]

This is a very fair point, admittedly, considering multiple vulnerabilities in Juniper and Cisco devices.

I concede my point, thanks for that