Firewall Wizards mailing list archives
Re: Q on external router
From: Bennett Todd <bet () rahul net>
Date: Thu, 23 Apr 1998 04:01:52 -0700
1998-04-23-06:34:58 Vinci Chou:
> However, because these DMZ hosts are on the same physical segment, even though they have different net numbers, a compromised host is still able to sniff the traffic, isn't it?
That's exactly right. That's why I said, in my first note, ``only losing protection if a DMZ host is root-level compromised''. Now if you can't afford to have a multiport router, or N network interfaces on your bastion, then the cheaper solution that you're stuck with is a hub, and if you lose root on a machine on a hub, all your traffic can be sniffed, always. But with the separate-nets-over-the-same-ether trick you can get some good additional protection _until_ one of the DMZ hosts gets root broken. Don't get root broken on machines in the DMZ, that's always sound advice.

-Bennett
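The point of the exchange above (two IP subnets on one Ethernet segment are a layer-3 separation only; a root-compromised host can put its NIC in promiscuous mode and read the other subnet's traffic off a hub) can be shown with a small model. This is an added illustration, not code from Bennett Todd, Vinci Chou or the list: the hosts, MAC and IP addresses, the multi-net router on one NIC and the captured payload are all constructed for the example. It also models a switch with a learned MAC table for contrast, which the thread's "switched DMZ" branch discusses.

```python
"""Toy model of why two IP subnets on one Ethernet segment do not stop sniffing.

Added illustration for the thread, not the original posters' code.  Hosts,
MAC/IP addresses and the captured payload are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"
SECRET = "POST /login user=alice pw=hunter2"   # constructed sample payload


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    payload: str


@dataclass
class Host:
    name: str
    mac: str
    ips: tuple               # the router has one address per subnet on a single NIC
    is_router: bool = False
    promiscuous: bool = False
    seen: list = field(default_factory=list)

    def receive(self, frame: Frame) -> None:
        # A normal NIC hands up only frames for its own MAC or the broadcast MAC;
        # root on the box can flip it to promiscuous mode and take everything.
        if self.promiscuous or frame.dst_mac in (self.mac, BROADCAST):
            self.seen.append(frame)


class Hub:
    """Repeater: every frame is copied out every port, whatever its IP subnet."""
    def __init__(self, hosts): self.hosts = hosts
    def transmit(self, sender: Host, frame: Frame) -> None:
        for h in self.hosts:
            if h is not sender:
                h.receive(frame)


class Switch:
    """Learns source MACs and sends unicast to the learned port only; broadcast
    and unknown destinations are flooded to every port (as on a hub)."""
    def __init__(self, hosts):
        self.hosts = hosts
        self.cam = {}                          # MAC -> port (host)
    def transmit(self, sender: Host, frame: Frame) -> None:
        self.cam[frame.src_mac] = sender
        target = self.cam.get(frame.dst_mac)
        if frame.dst_mac != BROADCAST and target is not None:
            target.receive(frame)
        else:
            for h in self.hosts:
                if h is not sender:
                    h.receive(frame)


def same_subnet(a: str, b: str, prefix: int = 24) -> bool:
    return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)


def next_hop(sender: Host, dst_ip: str, hosts: list) -> Host:
    """Sender's IP stack: direct if the destination shares a /24 with the sender,
    otherwise to the router, which has an address in every subnet."""
    for h in hosts:
        if dst_ip in h.ips and any(same_subnet(dst_ip, ip) for ip in sender.ips):
            return h
    return next(h for h in hosts if h.is_router)


def send(fabric, hosts: list, sender: Host, dst_ip: str, payload: str) -> None:
    hop = next_hop(sender, dst_ip, hosts)
    fabric.transmit(sender, Frame(sender.mac, hop.mac, sender.ips[0], dst_ip, payload))
    if hop.is_router and dst_ip not in hop.ips:
        # The router forwards between the subnets over the same wire, so the packet
        # crosses the segment a second time, now addressed to the target's MAC.
        target = next(h for h in hosts if dst_ip in h.ips)
        fabric.transmit(hop, Frame(hop.mac, target.mac, sender.ips[0], dst_ip, payload))


def build(fabric_cls, attacker_promiscuous: bool):
    hosts = [
        Host("router", "02:00:00:00:00:01", ("10.1.1.1", "10.1.2.1"), is_router=True),
        Host("www",    "02:00:00:00:00:10", ("10.1.1.10",)),
        Host("mail",   "02:00:00:00:00:20", ("10.1.2.10",)),
        Host("pwned",  "02:00:00:00:00:30", ("10.1.1.30",), promiscuous=attacker_promiscuous),
    ]
    fabric = fabric_cls(hosts)
    # ARP-style broadcasts so a switch has learned every MAC before the real traffic.
    for h in hosts:
        fabric.transmit(h, Frame(h.mac, BROADCAST, h.ips[0], "10.1.1.255", "who-has"))
    return hosts, fabric


def run(fabric_cls, attacker_promiscuous: bool) -> dict:
    """www (10.1.1.0/24) talks to mail (10.1.2.0/24); return, per host, the
    unicast payloads its stack actually received."""
    hosts, fabric = build(fabric_cls, attacker_promiscuous)
    by_name = {h.name: h for h in hosts}
    send(fabric, hosts, by_name["www"], "10.1.2.10", SECRET)
    return {h.name: [f.payload for f in h.seen if f.dst_mac != BROADCAST] for h in hosts}


if __name__ == "__main__":
    for fabric, promisc in ((Hub, False), (Hub, True), (Switch, True)):
        print(fabric.__name__, "promiscuous" if promisc else "normal", run(fabric, promisc)["pwned"])
```

On the hub, the compromised host sees the cross-subnet request twice (once on its way to the router, once on its way from the router to mail) as soon as its NIC is promiscuous; with a normal NIC it sees nothing, which is the "protection until root is lost" Bennett describes. The switch model is deliberately idealized: real switches flood unknown-destination unicast and can have their MAC tables overflowed or be misdirected by ARP spoofing, so a switched DMZ narrows the exposure rather than removing it; separate router or bastion interfaces per subnet remain the sound fix.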
Current thread:
- Re: Q on external router, (continued)
- Re: Q on external router darrenr (Apr 24)
- Re: Q on external router Roger Marquis (Apr 24)
- Re: Q on external router tqbf (Apr 25)
- Re: Q on external router Adam Shostack (Apr 26)
- Re: switched DMZ (was Q on external router) Roel JT Jonkman (Apr 23)
- Re: Q on external router Bennett Todd (Apr 23)
- Re: Q on external router tqbf (Apr 24)