Firewall Wizards mailing list archives
Re: one switch for DMZ & internal?
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Thu, 05 Oct 2000 16:17:41 +0200
Webmaster wrote:
> To all, Can I /

Yes

> should I/

NO!

> what are the risks of using one Intel Express 460T switch that supports 802.1Q (tag) based VLANs to be the switch for both my DMZ and internal network?

A switch has a CPU. The CPU runs software. Correct operation of the switch DEPENDS on that software being error-free. Switch software is NOT (as far as I know) reviewed for security. It is reviewed for performance.

Don't think of switches as "hardware". Think of switches as "a computer designed for shuffling packets".

Now, I _know_ that someone is bound to tell me "There are no known remote vulnerabilities in switch brand X, so what's the problem?" Well, I'll counter that one right now: "There are no known vulnerabilities in Windows NT with all the latest security patches applied. Tell me why I shouldn't connect an NT box with two interfaces to my DMZ AND my internal network."

Think it doesn't apply? It does. We know that there will be more vulnerabilities in NT (or whatever operating system) because they're large, complex, not properly reviewed for security, and under constant scrutiny. If switches were under the same kind of scrutiny, we'd see a constant stream of vulnerability reports in them as well. (Although given, not as many as in standard operating systems.)

Regards,
Mikael Olsson

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00   Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636   Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/   E-mail: mikael.olsson () enternet se

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards