Firewall Wizards mailing list archives

Re: DMZ config question


From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 09 Apr 1998 14:45:45 +0200

At 22:26 7/04/98 -0500, Chris Lonvick wrote:
Hi,

Some random thoughts:

Use a switch - If any one system on the DMZ is compromised, then an
 attacker may be able to set up tcpdump (or similar) to capture
 usernames and passwords.  With a switch, the attacker will only
 be able to get passwords on the same system that he has already
 compromised.  He could get that from running crack.  A hub will 
 allow the sniffer package to see all traffic, including the 
 traffic from your internal devices to the rest of the Internet.
 You could use a router, but that gets much more expensive if you 
 have several DMZ devices.  

And to be even more paranoid, use a switch with static mapping
between MAC address and port. The physical port cannot be changed
from a remote site, while the MAC address could possibly be changed.

Then use static ARP tables on *all* devices of the DMZ (including the router
and the firewall/proxy server). 

Then not only is sniffing prevented, but also local IP spoofing.

...<SCISSOR WAS THERE>...

Just my paranoid 0,01 EUR

-eric

Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458
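The static-ARP advice in this reply is only as good as the audit that keeps it true, so here is an added example (not code from the thread or from any poster) that checks a Linux neighbour table against a known DMZ inventory. It assumes the `ip neigh show` output format of modern Linux (the era's `arp -a`/`arp -s` equivalent); the inventory, the interface name `eth1` and the sample table are constructed. It flags three things the reply cares about: a host whose entry is dynamic rather than PERMANENT, a host whose MAC differs from the inventory (the ARP-spoofing symptom), and an address present on the segment that the inventory does not know. It also emits the `ip neigh replace ... nud permanent` commands that pin each host.

```python
"""Audit a Linux ARP/neighbour table against a known DMZ inventory.

Added example, not from the original thread.  Assumes the output format of
`ip neigh show` on Linux; inventory, interface name and sample output below
are constructed for illustration.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed inventory: the MAC each DMZ host is supposed to have.
DMZ_INVENTORY = {
    "192.0.2.1": "02:00:00:00:00:01",    # DMZ router
    "192.0.2.2": "02:00:00:00:00:02",    # firewall / proxy server
    "192.0.2.10": "02:00:00:00:00:10",   # web server
    "192.0.2.11": "02:00:00:00:00:11",   # mail relay
}

# Constructed sample of `ip neigh show` output as an audit would read it.
SAMPLE_NEIGH_OUTPUT = """\
192.0.2.1 dev eth1 lladdr 02:00:00:00:00:01 PERMANENT
192.0.2.2 dev eth1 lladdr 02:00:00:00:00:02 PERMANENT
192.0.2.10 dev eth1 lladdr 02:00:00:00:00:10 REACHABLE
192.0.2.11 dev eth1 lladdr 02:00:00:00:00:99 STALE
192.0.2.50 dev eth1 lladdr 02:00:00:00:00:50 REACHABLE
192.0.2.60 dev eth1 FAILED
"""

# One neighbour entry per line; `lladdr` is absent for FAILED/INCOMPLETE.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>\S+))? (?P<state>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ip: str
    problem: str


def parse_neigh(output):
    """Return {ip: (mac or None, state)} for each parsable line."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # skip lines in a format we do not understand
        mac = m["mac"].lower() if m["mac"] else None
        table[m["ip"]] = (mac, m["state"])
    return table


def audit(neigh_output, inventory):
    """Compare the live table with the inventory; return a list of Findings."""
    table = parse_neigh(neigh_output)
    findings = []
    for ip, expected in inventory.items():
        if ip not in table:
            findings.append(Finding(ip, "no entry: static mapping missing"))
            continue
        mac, state = table[ip]
        if mac != expected.lower():
            findings.append(Finding(ip, f"MAC mismatch: saw {mac}, expected {expected}"))
        if state != "PERMANENT":
            findings.append(Finding(ip, f"dynamic entry ({state}): static mapping missing"))
    for ip, (mac, state) in table.items():
        if ip not in inventory:
            findings.append(Finding(ip, f"unknown host on DMZ segment ({state})"))
    return findings


def static_arp_commands(inventory, dev="eth1"):
    """Commands that pin each inventory host as a permanent neighbour entry."""
    return [f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}"
            for ip, mac in inventory.items()]


if __name__ == "__main__":
    try:  # read the live table when run on a Linux host
        live = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_NEIGH_OUTPUT  # fall back to the constructed sample
    for f in audit(live, DMZ_INVENTORY):
        print(f"{f.ip:15} {f.problem}")
    print("\n".join(static_arp_commands(DMZ_INVENTORY)))
```

Run periodically from the firewall or from a monitoring host on the DMZ; a MAC mismatch or an unexpected address is the event worth alerting on, while a merely dynamic entry means the static mapping was never applied or was lost at reboot.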
