Firewall Wizards mailing list archives

Re: Q on external router


From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 23 Apr 1998 22:32:09 +0200

Thomas,

Do not misread me, I'm by no means saying that a `mostly dumb'
ethernet switch can replace a firewall... I'm just saying that
instead of using a hub for a DMZ, you can use another device
that can increase your security.

If it fails (buggy software, ...), you are back to square #1.
But it is at least an additional layer of security, and I
am willing to use as many security layers as possible to
protect my networks/hosts.

And, even if my fellow software engineers won't agree with me,
I agree with you: switches are not designed/developed with security
as the first requirement. Nevertheless, their code is much
shorter than a firewall's/router's, so, statistically, they `should'
have fewer security bugs. But, wait and see...

-eric

PS: I'm just discussing generic topics about switches and not
only about my employer's ones.

At 15:15 23/04/98 -0500, tqbf () secnet com wrote:
Thus, in my opinion (but have a look at my email address to see
that I could be biased ;-) ), the switch can increase the DMZ security
if:
- it uses static mapping
- as you put part of your security in the switch configuration, you
  must obviously secure your switch config (OTP, ACL, management via
  console only, ...)

What about problems that fault the switch itself? We have seen bugs that
crash 3Com switches due to poor IP stack implementation; Cisco is aware of
bugs that affect their Catalyst platforms as well. What assurance do we
have that switches are implemented with the same attention to security as
firewalls? 

-----------------------------------------------------------------------------
Thomas H. Ptacek                                       Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf  "If you're so special, why aren't you dead?"

Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke () cisco com          Mobile: +32-75-312.458