Firewall Wizards mailing list archives
Re: Q on external router
From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 23 Apr 1998 22:32:09 +0200
Thomas,

Do not misread me, I'm in no way saying that a `mostly dumb' ethernet switch can replace a firewall... I'm just saying that instead of using a hub for a DMZ, you can use another device that can increase your security. If it fails (buggy software, ...), you are back to square #1. But, it is at least an additional layer of security and I am willing to use as much as possible of security layers to protect my networks/hosts.

And, even if my fellow software engineers won't agree with me, I agree with you: switches are not designed/developed with security as the first requirement. Nevertheless, their code is much shorter than a firewall/router, so, statistically they `should' have less security bugs. But, wait and see...

-eric

PS: I'm just discussing generic topics about switches and not only about my employer's ones.

At 15:15 23/04/98 -0500, tqbf () secnet com wrote:
> > Thus, in my opinion (but have a look at my email address to see that I could be biased ;-) ), the switch can increase the DMZ security if:
> > - it uses static mapping
> > - as you put part of your security in the switch configuration, you must obviously secure your switch config (OTP, ACL, management via console only, ...)
>
> What about problems that fault the switch itself? We have seen bugs that crash 3Com switches due to poor IP stack implementation; Cisco is aware of bugs that affect their Catalyst platforms as well.
>
> What assurance do we have that switches are implemented with the same attention to security as firewalls?
>
> -----------------------------------------------------------------------------
> Thomas H. Ptacek Secure Networks, Inc.
> -----------------------------------------------------------------------------
> http://www.enteract.com/~tqbf "If you're so special, why aren't you dead?"

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke () cisco com
Mobile: +32-75-312.458