Bugtraq mailing list archives

Re: Router filtering not enough! (Was: Re: CERT advisory )


From: smb () research att com (smb () research att com)
Date: Fri, 27 Jan 95 08:55:01 EST


    we have lost some context here, the original idea included a
    router between the internal and external (the Net).  this router drops
    all packets from the Net that purport to come from the internal IP
    address(es).

Dunno about you, but my organization, where all of the machines are under
common administrative control -- and hence are candidates for hosts.equiv
status -- includes 130 people with their own workstations, at least six
server-class machines, and 6 Ethernets, and is spread over two locations
connected by part of a corporate LAN.  Even just the New Jersey portion
includes 107 people, 5 Ethernets, and 2 routers.

Trust boundaries are administrative concepts, not physical ones.  We
need the flexibility to split a LAN based on load, without worrying if
that will suddenly render useless either our security mechanisms or our
ability to work together efficiently.

If, in your environment, you have additional information you can take
advantage of to increase your security, by all means do so.  But the
net as a whole needs a more general solution.
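The anti-spoofing rule quoted at the top of this message, written out as an added example (not code from the thread), and extended to the situation smb describes: internal prefixes spread over several Ethernets and two locations joined by a corporate LAN. Interface names and the RFC 5737 test prefixes are constructed for illustration; the per-interface table generalises the external-link rule so that each link admits only the prefixes actually behind it.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed addressing for illustration only (RFC 5737 test ranges, not the thread's).
INTERNAL = [ipaddress.ip_network("192.0.2.0/25"),      # New Jersey Ethernets
            ipaddress.ip_network("192.0.2.128/25")]    # second location

# Per interface: the source prefixes that may legitimately arrive on it.
EXPECTED: Dict[str, List[ipaddress.IPv4Network]] = {
    "corp-lan": [INTERNAL[1]],   # link to the other location carries only its prefix
    "nj-eth0":  [INTERNAL[0]],
    "nj-eth1":  [INTERNAL[0]],
}

def ingress_decision(interface: str, src: str) -> Tuple[str, str]:
    """Return ('accept'|'drop', reason) for a packet arriving on `interface`."""
    addr = ipaddress.ip_address(src)
    if interface == "external":
        # The rule from the thread: packets from the Net must not claim internal sources.
        if any(addr in net for net in INTERNAL):
            return "drop", "internal source address arriving from the Net"
        return "accept", "external source on external link"
    # Generalisation: every other link also admits only the prefixes behind it,
    # so a spoofed internal address is caught even when it crosses the corporate LAN.
    allowed = EXPECTED.get(interface, [])
    if any(addr in net for net in allowed):
        return "accept", "source matches prefixes behind " + interface
    return "drop", "source " + src + " not expected on " + interface

def filter_log(packets: List[Tuple[str, str]]) -> List[str]:
    """Apply the filter to (interface, src) pairs; return one log line per packet."""
    lines = []
    for iface, src in packets:
        verdict, why = ingress_decision(iface, src)
        lines.append(f"{verdict.upper():6} {iface:9} src={src:15} {why}")
    return lines

if __name__ == "__main__":
    SAMPLE = [("external", "198.51.100.7"),  # ordinary Net traffic: accepted
              ("external", "192.0.2.10"),    # spoofed internal source: dropped
              ("corp-lan", "192.0.2.200"),   # remote site's real prefix: accepted
              ("corp-lan", "192.0.2.10"),    # NJ prefix arriving over remote link: dropped
              ("nj-eth0",  "203.0.113.5")]   # external source from inside: dropped
    print("\n".join(filter_log(SAMPLE)))
```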
