Firewall Wizards mailing list archives
Re[4]: Shared DMZ liability
From: Steve.Bleazard () wdr com
Date: Wed, 26 Aug 1998 09:15:59 +0700
The VLAN approach is designed to CYA (cover your assets!) and is not intended as a security solution. In many organizations due diligence is more important. This is especially so in the banking environment, which is both regulated and subject to external audit on a yearly basis. Firewalls are often as much about politics as security.

Steve

______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: Shared DMZ liability
Author: cschieke (cschieke () advsys com) at unix/o2=mime
Date: 8/26/98 12:27 AM
However, all is not lost: a shared DMZ can be set up using VLAN technology which only allows specified hosts to communicate even though they are on the same IP segment and hub. The hub in fact performs access control based on the MAC address.

Steve
I wouldn't recommend to a client that they trust a HUB/switch/VLAN to enforce communication rules between hosts. Consider:

1. The switch has a flaw whereby these rules can be overridden. Something like flooding the ARP table in the switch to exploit some type of buffer overflow.
2. Others have unintended access/control over the switch - see the bugtraq archives -- "undocumented" access methods to 3COM switches as proof.
3. At 3:00 am, after being called 'cause the power supply gets blown and you need to quickly reconfigure the switch... but you goof. Human error.

Bottom line here is that current "VLAMB" technology wasn't designed as an access control/security device. I believe that the "Sunscreen EFS" is the closest thing to this type of device that might work, but that would be real expensive on a per-port basis.
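Editor's added illustration, not part of Steve's or Chad's posts: a toy Python model of a switch that enforces "only these two hosts may talk" purely by MAC address, as the quoted message says the hub does. The hosts, ports and addresses are constructed for the example. It shows the caveat a practitioner would attach to that claim: the source MAC is written by whoever sends the frame and verified by nobody, so a third box on the same segment that uses another host's address satisfies the rule, and because the switch learns source addresses from the frames it passes, it also starts receiving the replies meant for that host.

```python
# Added example (not from the original thread): a toy model of a switch whose
# only access control is a list of MAC-address pairs that may exchange frames.
# All hosts, ports and addresses below are constructed for the illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str      # source MAC exactly as the sender wrote it into the frame
    dst: str      # destination MAC
    in_port: int  # physical port the frame arrived on


class MacRuleSwitch:
    """Learning switch that permits traffic only between listed MAC pairs."""

    def __init__(self, ports, allowed_pairs):
        self.ports = list(ports)
        # The rule is symmetric: (a, b) allowed means b may also talk to a.
        self.allowed = {frozenset(pair) for pair in allowed_pairs}
        self.table = {}  # learned MAC -> port, filled from passed frames

    def forward(self, frame):
        """Return the list of ports the frame is delivered to ([] if dropped)."""
        if frozenset((frame.src, frame.dst)) not in self.allowed:
            return []
        # The switch trusts the source field: whoever wrote it is now "that host".
        self.table[frame.src] = frame.in_port
        out = self.table.get(frame.dst)
        if out is None:
            # Unknown destination: flood every other port, exactly like a hub.
            return [p for p in self.ports if p != frame.in_port]
        return [out]


# Constructed scenario: two DMZ hosts permitted to talk to each other and a
# third machine on the same segment that the rule is supposed to keep out.
HOST_A, PORT_A = "00:00:5e:00:53:0a", 1
HOST_B, PORT_B = "00:00:5e:00:53:0b", 2
INTRUDER, PORT_X = "00:00:5e:00:53:ff", 3


def build_switch():
    return MacRuleSwitch(ports=[PORT_A, PORT_B, PORT_X],
                         allowed_pairs=[(HOST_A, HOST_B)])


def honest_traffic(sw):
    """A and B exchange frames; B's reply reaches A's port only."""
    sw.forward(Frame(HOST_A, HOST_B, PORT_A))   # A -> B, flooded (B not yet learned)
    return sw.forward(Frame(HOST_B, HOST_A, PORT_B))


def intruder_with_own_mac(sw):
    """With its own address the intruder is dropped, as the rule promises."""
    return sw.forward(Frame(INTRUDER, HOST_B, PORT_X))


def intruder_forging_a(sw):
    """The intruder writes A's address into its frames on port 3.

    Returns (ports the forged frame reached, ports B's next reply to A reaches).
    """
    forged = sw.forward(Frame(HOST_A, HOST_B, PORT_X))   # passes the MAC rule
    reply = sw.forward(Frame(HOST_B, HOST_A, PORT_B))    # now delivered to port 3
    return forged, reply


if __name__ == "__main__":
    sw = build_switch()
    print("honest reply to A reaches ports:", honest_traffic(sw))
    print("intruder with own MAC reaches:", intruder_with_own_mac(build_switch()))
    print("forged frame / B's reply reach:", intruder_forging_a(sw))
```

Running it prints `[1]`, `[]` and `([2], [3])`: the rule stops the intruder only while it uses its own address, and one forged frame both passes the filter and redirects B's replies to the intruder's port. Nothing in the model is a vendor flaw; it is what a MAC-keyed rule means, which is why a filter that reasons about traffic above layer 2 (or, on today's gear, 802.1X plus port security) is needed before the segment can be called a boundary.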
Current thread:
- Shared DMZ liability Allen Todd (Aug 19)
- Re: Shared DMZ liability Bennett Todd (Aug 19)
- Re: Shared DMZ liability David Collier-Brown (Aug 19)
- Re: Shared DMZ liability Frank Willoughby (Aug 19)
- Re: Shared DMZ liability Rick Smith (Aug 23)
- <Possible follow-ups>
- Re: Shared DMZ liability James Wilson (Aug 23)
- Re: Shared DMZ liability Frank Willoughby (Aug 23)
- Re[2]: Shared DMZ liability Steve . Bleazard (Aug 25)
- Re: Re[2]: Shared DMZ liability Chad Schieken (Aug 25)
- Re[4]: Shared DMZ liability Steve . Bleazard (Aug 26)