Firewall Wizards mailing list archives

Re: Q on external router

From: Vinci Chou <vkmchou () hk super net>
Date: Thu, 23 Apr 1998 14:34:58 +0800 (HKT)

Bennett Todd wrote:

> by using one DMZ interface on the bastion, and a hub for the hosts in the
> DMZ, and a trick: assign each DMZ host an address on a separate net
> --- again perhaps using the RFC 1918 addresses and NAT in the bastion.
> Give the bastion's DMZ interface, connected to the hub, addresses on all
> the nets. Have the clients in the DMZ, each on their own separate net
> (travelling over the same ether) all use the bastion for their default
> router. Then let the bastion's ipfw or ipfilter or whatever provide
> access restrictions among the DMZ hosts.

However, because these DMZ hosts are on the same physical segment, even
though they have different net numbers, a compromised host is still able to
sniff the traffic, isn't it?

Vinci
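An added model of the set-up under discussion (written for this archive page, not code from either poster): a hub repeats every frame to every port, so the bastion's per-net routing and packet filter decide who may talk to whom, but not who can listen. Host names, MAC addresses and the 10.x.0.0/24 nets are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface

# One Ethernet frame carrying one IP packet across the shared DMZ wire
Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip payload")

@dataclass
class Host:
    name: str
    mac: str
    iface: str                 # "addr/prefix"; each DMZ host sits on its own net
    promiscuous: bool = False  # a compromised host listening to the whole wire
    seen: list = field(default_factory=list)

    def receive(self, frame):
        # A normal NIC keeps frames for its own MAC; a promiscuous one keeps them all
        if self.promiscuous or frame.dst_mac == self.mac:
            self.seen.append(frame)

def hub_send(ports, frame):
    """A hub is a repeater: every frame reaches every attached host but the sender."""
    for h in ports:
        if h.mac != frame.src_mac:
            h.receive(frame)

def simulate():
    # Constructed hosts; the bastion's one DMZ interface would carry an address on every net
    bastion = Host("bastion", "02:00:00:00:00:01", "10.1.0.1/24")
    www = Host("www", "02:00:00:00:00:02", "10.1.0.2/24")
    mail = Host("mail", "02:00:00:00:00:03", "10.2.0.2/24")
    rogue = Host("rogue", "02:00:00:00:00:04", "10.3.0.2/24", promiscuous=True)
    ports = [bastion, www, mail, rogue]
    allow = {("10.1.0.2", "10.2.0.2")}  # bastion packet filter: only www -> mail
    def send_via_bastion(sender, dst_ip, payload):
        # Destination is on another net, so the sender hands the packet to its default router
        src_ip = str(ip_interface(sender.iface).ip)
        hub_send(ports, Frame(sender.mac, bastion.mac, src_ip, dst_ip, payload))
        pkt = bastion.seen.pop()                 # the bastion's filter decides
        if (pkt.src_ip, pkt.dst_ip) in allow:
            target = next(h for h in ports if ip_interface(h.iface).ip == ip_address(dst_ip))
            hub_send(ports, Frame(bastion.mac, target.mac, pkt.src_ip, pkt.dst_ip, payload))
    send_via_bastion(www, "10.2.0.2", "HELO mail")  # permitted: two legs on the wire
    send_via_bastion(rogue, "10.1.0.2", "GET /")    # dropped by the bastion's filter
    return {
        "mail_got": [f.payload for f in mail.seen],
        "www_got": [f.payload for f in www.seen],
        "rogue_saw": [f.payload for f in rogue.seen],
    }
```

The filter stops the rogue host's packet from reaching www, yet the rogue still captures both legs of the permitted www-to-mail exchange; only a separate physical segment (or switched port) per host changes that.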