Firewall Wizards mailing list archives

Re: Q on external router

From: Bennett Todd <bet () rahul net>
Date: Thu, 23 Apr 1998 04:01:52 -0700

1998-04-23-06:34:58 Vinci Chou:

However, because these DMZ hosts are on the same phsical segment, even
they have different net numbers, a compromised host is still able to sniff
the traffic, isn't it ?


That's exactly right. That's why I said, in my first note, ``only losing
protection if a DMZ host is root-level compromised''.

Now if you can't afford to have a multiport router, or N network
interfaces on your bastion, then the cheaper solution that
you're stuck with is a hub, and you lose root on a machine on a
hub and all your traffic can be sniffed, always. But with the
separate-nets-over-the-same-ether trick you can get some good
additional protection _until_ one of the DMZ hosts gets root
broken. Don't get root broken on machines in the DMZ, that's always
sound advice.

-Bennett

Current thread:

Re: Q on external router, (continued)
- - - Re: Q on external router darrenr (Apr 24)
    - Re: Q on external router Roger Marquis (Apr 24)
    - Re: Q on external router tqbf (Apr 25)
    - Re: Q on external router Adam Shostack (Apr 26)
    - Re: switched DMZ (was Q on external router) Roel JT Jonkman (Apr 23)
- Re: Q on external router Bennett Todd (Apr 22)
- Re: Q on external router Adam Shostack (Apr 22)
- Re: Q on external router Randy Witlicki (Apr 23)
- Re: Q on external router Eric Vyncke (Apr 23)
- Re: Q on external router Vinci Chou (Apr 23)
  - Re: Q on external router Bennett Todd (Apr 23)
- Re: Q on external router Peter Jeremy (Apr 23)
- Re: Q on external router Rodney van den Oever (Apr 24)
  - Re: Q on external router tqbf (Apr 24)
- Re: Re: Q on external router Wei Li (Apr 24)
- Re: Q on external router Rodney van den Oever (Apr 24)