Firewall Wizards mailing list archives

RE: DMZ - the physical layer

From: aturner () vicinity com
Date: Wed, 22 Mar 2000 15:35:08 -0800 (PST)

On 16 Mar, Ben Nagy wrote:

-----Original Message-----
From: John White [mailto:johnjohn () triceratops com]
Sent: Wednesday, 8 March 2000 1:02 PM
To: firewall-wizards () nfr net
Subject: [fw-wiz] DMZ - the physical layer

I was looking through the archives of the greatcircle
firewall list and came across some opinions regarding
the construction of DMZ's.

I'm using Baystack 450's as my backbone switches.
Bay 450's have a virtual lan function which can
be used to limit a collision domain to specific
ports.  I was planning on using this function to
create the DMZ.


Nooo....


Bay's are especially bad choice as (at least historically)  a Bay will
ignore the VLAN boundry if I know the MAC address of the target.  Many a
Sun admins have gone insane with Bay switches because Sun has/had the
nasty habbit of assigning the same MAC for all the ethernet interfaces
on the same box by default.

Cisco is better about this, but air-gap is preferred if you can afford
it.
 

-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874                        http://www.vicinity.com

Current thread:

DMZ - the physical layer John White (Mar 12)
- Re: DMZ - the physical layer Aaron D. Turner (Mar 17)
  - Re: DMZ - the physical layer Bennett Todd (Mar 21)
- Re: DMZ - the physical layer Doug Fajardo (Mar 21)
- <Possible follow-ups>
- RE: DMZ - the physical layer fernando_montenegro (Mar 17)
- RE: DMZ - the physical layer Ben Nagy (Mar 21)
  - RE: DMZ - the physical layer aturner (Mar 23)
- RE: DMZ - the physical layer Carl Friedberg (Mar 21)