Firewall Wizards mailing list archives

Re: Re[2]: Shared DMZ liability


From: cschieke () advsys com (Chad Schieken)
Date: Tue, 25 Aug 1998 13:27:48 -0400 (EDT)

     
     However, all is not lost, a shared DMZ can be setup using VLAN 
     technology which only allows specified hosts to communicate even 
     though they are on the same IP segment and hub.  The hub in fact 
     performs access control based on the MAC address.
     
     Steve

        I wouldn't recommend to a client that they trust a HUB/switch/VLAN to
        enforce communication rules between hosts. Consider:

        1. The switch has a flaw, whereby these rules can be overridden.
           Something like you flood the ARP table in the switch, to exploit
           some type of buffer-overflow.
                
        2. Others have unintended access/control over the switch - see the
           bugtraq archives -- "undocumented" access methods to 3COM switches as proof.

        3. At 3:00am after being called 'cause the power supply gets blown and
           you need to quickly reconfigure the switch... but you goof. Human
           error.
        

Bottom line here is that current "VLAMB" technology wasn't designed as
an access control/security device. I believe that the "Sunscreen EFS" is
the closest thing to this type of device that might work, but that would be
real expensive on a per-port basis.
