Firewall Wizards mailing list archives

Re: switched DMZ (was Q on external router)


From: Roel JT Jonkman <rjonkman () ittc ukans edu>
Date: Thu, 23 Apr 1998 19:23:11 -0500

Adam Shostack wrote:

      Do not rely on switches because switches are not designed for
security.  This is not an argument that switches are, or are not
buggy.  Others have already posted explanations of possible flaws.  I
did not because I don't care about possible flaws in products while
doing my first order reasoning.

      If a switch happens to be buggy, you can find that
information, and fix your switch.  But this is a losing battle,
because there will always be new bugs.  You need to choose security
components because they were designed for security, and hope like hell
that this means that they have fewer bugs than products that were
designed for other things.

      I've used and removed switches from a DMZ, because the
switches led to the following reasoning:

      "If one of our (identical) web servers is broken into, we
don't want people sniffing account numbers off the net, so we'll use
switches."

That's a reasonable point compared to a hub/wire, in which case sniffing is
totally trivial after a root compromise. At least a switch makes sniffing
anything informative substantially harder (if not impossible; see notes
below).

I guess that brings up the question of whether you should get a very simple
unmanaged switch (say a 3Com SSII 320 or so), or a slightly more elaborate
version with management. The loss is that you lose some accounting features
if you go with the unmanaged switch; the gain is that you have considerably
fewer concerns in terms of security.

The problem with implementing a switched DMZ is that you need to disable
broadcasts and ARP on each and every one of the interfaces on your DMZ.
(Otherwise you might as well plug in a hub.) That inherently implies that
you need to hardcode ARP tables. The net problem with that is that you can't
just bluntly take one ARP table for the entire DMZ; you need to carefully
handcraft an ARP table for each box. (Otherwise a compromise on one box
reveals all MAC addresses of the DMZ.)

      So, others have posted bugs in the implementation of switches.
I prefer to start by looking for bugs in the design of a system, and
the thought that goes into the design.  Switches are usually a
mistake, except when you deploy them for network performance reasons.

Hmm, bugs in an unmanaged switch, which is mostly hardware, though, at least.
Considering the above, a switch will at least increase security... Nothing
is nukeproof.

roel
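
The per-box ARP table handcrafting described above, as an added example that is
not part of the original post or of any product mentioned in it. The host
inventory, the role policy (web servers only need the gateway), and the
interface name eth0 are all hypothetical; the emitted commands use the Linux
`ip` syntax (`ip link set ... arp off`, `ip neigh replace ... nud permanent`)
rather than the `ifconfig -arp`/`arp -s` pair of the era. It only generates
the commands for review; it does not run them, and it does not address the
post's separate point about disabling broadcasts.

```shell
#!/bin/sh
# Added example (not from the original post): generate a per-box static ARP
# table for a switched DMZ, so a compromised box learns only the MACs it needs.
# Inventory, interface name (eth0) and the role policy are all hypothetical.

# Constructed inventory: name, IP, MAC, role (one host per line).
INVENTORY='
fw-dmz  192.0.2.1   02:00:00:00:00:01  gateway
www1    192.0.2.10  02:00:00:00:00:10  web
www2    192.0.2.11  02:00:00:00:00:11  web
db1     192.0.2.20  02:00:00:00:00:20  db
'

# Hypothetical policy: which roles a box of a given role needs to reach directly.
# Identical web servers never talk to each other, so they only get the gateway.
peers_for_role() {
    case "$1" in
        gateway) echo "web db" ;;
        web)     echo "gateway" ;;
        db)      echo "gateway" ;;
        *)       echo "" ;;
    esac
}

# Print the commands that host $1 should run: disable ARP on the DMZ
# interface, then install one permanent neighbour entry per allowed peer.
# Nothing is executed here; review the output, then run it on that box.
arp_entries_for() {
    host="$1"
    role=$(printf '%s\n' "$INVENTORY" | awk -v h="$host" '$1 == h { print $4 }')
    if [ -z "$role" ]; then
        echo "unknown host: $host" >&2
        return 1
    fi
    echo "ip link set dev eth0 arp off"
    printf '%s\n' "$INVENTORY" | awk -v h="$host" -v allowed="$(peers_for_role "$role")" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF == 4 && $1 != h && ($4 in ok) {
            printf "ip neigh replace %s lladdr %s dev eth0 nud permanent\n", $2, $3
        }'
}

# Count how many peer MAC addresses the table for host $1 exposes (for review):
# this is exactly what an intruder on that box would learn from the ARP table.
macs_exposed_to() {
    arp_entries_for "$1" | grep -c 'lladdr'
}

if [ $# -gt 0 ]; then
    arp_entries_for "$1"
fi
```

Running `sh gen-arp.sh www1` prints the two commands for that web server; the
point of the script is that www1's table carries only the gateway's MAC, while
the gateway's table is the one place that lists every box.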


