Firewall Wizards mailing list archives

Re: one switch for DMZ & internal?


From: Mikael Olsson <mikael.olsson () enternet se>
Date: Thu, 05 Oct 2000 16:17:41 +0200



Webmaster wrote:

> To all,
> Can I /

Yes

> should I/

NO!

> what are the risks of using one Intel Express 460T switch
> that supports 802.1Q (tag) based VLAN's to be the switch for 
> both my DMZ and internal network?

A switch has a CPU. The CPU runs software. Correct operation
of the switch DEPENDS on that software being error-free.
Switch software is NOT (as far as I know) reviewed for 
security. It is reviewed for performance.

Don't think of switches as "hardware". Think of switches
as "a computer designed for shuffling packets".


Now, I _know_ that someone is bound to tell me
"There are no known remote vulnerabilities in switch 
brand X, so what's the problem?"

Well, I'll counter that one right now:
"There are no known vulnerabilities in Windows NT with
all the latest security patches applied. Tell me why
I shouldn't connect an NT box with two interfaces
to my DMZ AND my internal network."

Think it doesn't apply? It does. We know that there will
be more vulnerabilities in NT (or whatever operating
system) because they're large, complex, not properly
reviewed for security, and under constant scrutiny. 

If switches were under the same kind of scrutiny, we'd
see a constant stream of vulnerability reports in them
as well. (Although, granted, not as many as in standard
operating systems.)

Regards,
Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
