Re: Network cables as security devices

[Dominique Brezinski <dom_brezinski () securecomputing com>]

At 11:24 PM 9/27/98 +0200, Kevin Steves wrote:
> I've thought of doing this, and it may make sense in certain topologies,
> but I would be extremely wary about using this approach in a layered
> perimiter architecture, as it could permit an attacker to bypass chunks
> of the perimeter.  For example, if you have border<->gw0<->gw1<->choke
> in series, and they're all tied to a shared logging net, a compromise of
> border may be used to bypass gw0 and gw1 to get to choke.

Absolutely. No argument there. 

> It's not entirely clear if this is what you were proposing, but I wanted
> to point it out.  As always, the devil is in the details.

True true. No, separate logging networks for each isolated network is what
I intended. You make a very good point though.


Dominique Brezinski CISSP                   (612)628-5378
Secure Computing        http://www.securecomputing.com