Firewall Wizards mailing list archives

Re: Q on external router


From: Adam Shostack <adam () homeport org>
Date: Thu, 23 Apr 1998 03:25:14 -0400 (EDT)

Vinci Chou wrote:
| On Wed, 22 Apr 1998, Vinci Chou wrote:
| 
| > traffic on the DMZ.  However, it was also pointed out by somebody a switch
| > doesn't make a lot of difference.  So is it possible to do something like
| 
| After posting my question, I searched the archive at nfr.net and the
| argument by "Adam Shostack" against a switch in the DMZ was not that it
| cannot prevent sniffing but rather, it may not stand malicious attack.
| However, he did not quote any concrete evidence or example because these
| are relatively new.
| 
| I am wondering if any one can share his/her experience of using a switch
| in the DMZ.

        Allow me to clarify my argument.

        Do not rely on switches because switches are not designed for
security.  This is not an argument that switches are, or are not
buggy.  Others have already posted explanations of possible flaws.  I
did not because I don't care about possible flaws in products while
doing my first order reasoning.

        If a switch happens to be buggy, you can find that
information, and fix your switch.  But this is a losing battle,
because there will always be new bugs.  You need to choose security
components because they were designed for security, and hope like hell
that this means that they have fewer bugs than products that were
designed for other things.

        I've used and removed switches from a DMZ, because the
switches led to the following reasoning:

        "If one of our (identical) web servers is broken into, we
don't want people sniffing account numbers off the net, so we'll use
switches."

        It did not occur to them (but did occur to our tiger team :)
that it's much easier to re-write the CGIs to log the information than
it is to pull it off the wire.  Fortunately, however, it was already
being sent to syslog, so we just needed to redirect that, and leave
the web server alone.

        So, others have posted bugs in the implementation of switches.
I prefer to start by looking for bugs in the design of a system, and
the thought that goes into the design.  Switches are usually a
mistake, except when you deploy them for network performance reasons.

Adam


-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.

