Firewall Wizards mailing list archives
Re: DMZ config question
From: Adam Shostack <adam () homeport org>
Date: Fri, 10 Apr 1998 08:56:59 -0400 (EDT)
I hate to spread FUD, but last summer at Black Hat Briefings, I asked a panel which included Mudge, route, Artimage, and a number of other smart hackers about the next big type of attack, now that buffer overflows and misconfigurations are commonplace. There were a couple of confident replies that switching technology only works until you subject it to malicious attack, and then all sorts of interesting things can be made to happen. This jibes with my experience, which is that technologies not designed for security don't provide security, and that technologies not designed to resist malicious attacks don't resist malicious attacks. So, if you choose to rely on a switch, ask your vendor for their test results from when they maliciously attacked it. Adjust your trust levels accordingly. And deploy IPsec. Adam Eric Vyncke wrote: | At 22:26 7/04/98 -0500, Chris Lonvick wrote: | >Hi, | > | >Some random thoughts: | > | >Use a switch - If any one system on the DMZ is compromised, then an | > attacker may be able to set up tcpdump (or similar) to capture | > usernames and passwords. With a switch, the attacker will only | And even be more paranoid, use a switch with static mapping | between MAC address and port. The physical port cannot be change | from a remote site while the MAC address could possibly be changed. -- Just be thankful that Microsoft does not manufacture pharmaceuticals.
Current thread:
- Re: DMZ config question Eric Vyncke (Apr 09)
- Re: DMZ config question Adam Shostack (Apr 10)
- Re: DMZ config question Eric Vyncke (Apr 10)
- Re: DMZ config question Adam Shostack (Apr 10)
- Re: DMZ config question Eric Vyncke (Apr 10)
- <Possible follow-ups>
- Re: DMZ config question Chris Lonvick (Apr 10)
- Re: DMZ config question Adam Shostack (Apr 10)