Firewall Wizards mailing list archives
Re: DMZ config question
From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 09 Apr 1998 14:45:45 +0200
At 22:26 7/04/98 -0500, Chris Lonvick wrote:
Hi, Some random thoughts: Use a switch - If any one system on the DMZ is compromised, then an attacker may be able to set up tcpdump (or similar) to capture usernames and passwords. With a switch, the attacker will only be able to get passwords on the same system that he has already compromised. He could get that from running crack. A hub will allow the sniffer package to see all traffic. including the traffic from your internal devices to the rest of the Internet. You could use a router, but that gets much more expensive if you have several DMZ devices.
And even be more paranoid, use a switch with static mapping between MAC address and port. The physical port cannot be change from a remote site while the MAC address could possibly be changed. Then use static ARP table on *all* devices of the DMZ (including router and the firewall/proxy server). Then, not only sniffing is prevented but also local IP spoofing. ...<SCISSOR WAS THERE>... Just my paranoid 0,01 EUR -eric Eric Vyncke Technical Consultant Cisco Systems Belgium SA/NV Phone: +32-2-778.4677 Fax: +32-2-778.4300 E-mail: evyncke () cisco com Mobile: +32-75-312.458
Current thread:
- Re: DMZ config question Eric Vyncke (Apr 09)
- Re: DMZ config question Adam Shostack (Apr 10)
- Re: DMZ config question Eric Vyncke (Apr 10)
- Re: DMZ config question Adam Shostack (Apr 10)
- Re: DMZ config question Eric Vyncke (Apr 10)
- <Possible follow-ups>
- Re: DMZ config question Chris Lonvick (Apr 10)
- Re: DMZ config question Adam Shostack (Apr 10)