Firewall Wizards mailing list archives

Re[4]: Shared DMZ liability


From: Steve.Bleazard () wdr com
Date: Wed, 26 Aug 1998 09:15:59 +0700

     The VLAN approach is designed to CYA (cover your assets!) and is not 
     intended as a security solution.  In many organizations due diligence 
     is more important.  This is especially so in the Banking environment 
     which is both regulated and subject to external audit on a yearly 
     basis.  Firewalls are often as much about politics as security.
     
     Steve


______________________________ Reply Separator _________________________________
Subject: Re: Re[2]: Shared DMZ liability
Author:  cschieke (cschieke () advsys com) at unix/o2=mime
Date:    8/26/98 12:27 AM


     
     However, all is not lost, a shared DMZ can be setup using VLAN 
     technology which only allows specified hosts to communicate even 
     though they are on the same IP segment and hub.  The hub in fact 
     performs access control based on the MAC address.
     
     Steve

        I wouldn't recommend to a client that they trust a HUB/switch/VLAN to
        enforce communication rules between hosts. Consider:

        1. The switch has a flaw, whereby these rules can be overridden.
           Something like you flood the ARP table in the switch, to exploit
           some type of buffer-overflow.

        2. Others have unintended access/control over the switch - see the
           bugtraq archives -- "undocumented" access methods to 3COM switches as
           proof.

        3. At 3:00am after being called 'cause the power supply gets blown and
           you need to quickly reconfigure the switch... but you goof. Human
           error.
        

Bottom line here is that current "VLAMB" technology wasn't designed as
an access control/security device. I believe that the "Sunscreen EFS" is
the closest thing to this type of device that might work, but that would be
real expensive on a per-port basis.