In message <199408312320.QAA26639@mycroft.GreatCircle.COM>, smb@research.att.com writes:
> We thought that connecting each bastion host to the perimeter
> network via a bridge would limit the traffic that could be
> sniffed to just the traffic exchanged by the bastion host.
> For example, if an intruder captured the anonymous ftp bastion
> host and installed a sniffer, the intruder would not be able
> to capture any SMTP traffic (which is handled by a different
> bastion host). We believe the bridges to be sufficient for
> this purpose and do not understand how adding an additional
> router on the perimeter network would achieve the same
> effect.
>
>Such bridges are a good idea. Another possibility is to use a ``smart''
>10BaseT hub.
Riding on smb's coattails, I agree. The real question is what you
want to do with the "bridges". If you are looking for some extra
filtering/logging to add suspenders to the bastion belts, then a
filtering bridge (e.g. Karl Bridge) will do the trick. If on the other
hand you are simply worried about sniffing attacks, the intelligent
10bT hubs are a better (dumber, less easily attacked) bet. It again
depends on what you are defending against.
Depending on the client I have used both, however I do make sure that
I have some way of disabling the hub remotely just in case I need to
chop the internet connection due to anomalies on the interior nets.
-- John
John Rouillard
Senior Systems Administrator                IDD Information Services
rouilj@dstar.iddis.com                      Waltham, MA (617) 890-1576 x225
Senior Systems Consultant (SERL Project)    University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred)               Boston, MA, (617) 287-6480
===============================================================================
My employers don't acknowledge my existence much less my opinions.
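The thread above turns on one question: which frames a sniffer on a captured bastion host can actually see when the perimeter is built from a shared hub, from per-host bridges, or from a hub that filters by port. The following simulation is an added example and is not code from the original posts or their authors. It models each device's forwarding decision for a short constructed burst of perimeter traffic and reports what a sniffer on the anonymous ftp bastion's port would capture. The MAC addresses, port names and traffic are constructed for the illustration, and the "filtering hub" is a simplified model of per-port address filtering, not a description of any particular product.

```python
"""Who can sniff what on a perimeter network: repeater hub vs. learning
bridge vs. hub with per-port address filtering.

Added example; not code from the original thread or its authors.  Each
device model answers one question for every frame: which ports, other than
the ingress port, receive it?  A compromised bastion running a sniffer sees
exactly the frames delivered to its port.  MAC addresses, port names and the
traffic burst are constructed; the FilteringHub is a simplified model of
per-port address filtering, not a specific product's behaviour.
"""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst proto")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class RepeaterHub:
    """Dumb 10Base-T hub: every frame is repeated out every other port."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return {p for p in self.ports if p != in_port}


class LearningBridge:
    """Transparent bridge: learns source MACs, forwards known unicast to one
    port only, floods broadcasts and frames to not-yet-learned addresses."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}                     # MAC -> port it was last seen on

    def forward(self, in_port, frame):
        self.table[frame.src] = in_port     # learn where the sender lives
        out = self.table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            return {p for p in self.ports if p != in_port}   # flood
        return set() if out == in_port else {out}


class FilteringHub:
    """Hub with a statically configured MAC per port: a unicast frame reaches
    a port only if it is addressed to that port's MAC.  No learning table,
    so nothing to poison and no unknown-destination flooding."""

    def __init__(self, port_macs):
        self.port_macs = dict(port_macs)    # port -> MAC allowed to receive

    def forward(self, in_port, frame):
        if frame.dst == BROADCAST:
            return {p for p in self.port_macs if p != in_port}
        return {p for p, mac in self.port_macs.items()
                if mac == frame.dst and p != in_port}


# Constructed addresses: exterior router's perimeter interface, ftp bastion,
# mail bastion.  Each device has one port per host.
ROUTER = "00:00:0c:00:00:01"
FTP = "08:00:20:00:00:0f"
SMTP = "08:00:20:00:00:05"
PORTS = {"router": ROUTER, "ftp": FTP, "smtp": SMTP}

# Constructed burst: inbound mail, inbound ftp, an ARP broadcast, more mail.
TRAFFIC = [
    ("router", Frame(ROUTER, SMTP, "smtp")),
    ("smtp", Frame(SMTP, ROUTER, "smtp")),
    ("router", Frame(ROUTER, SMTP, "smtp")),
    ("router", Frame(ROUTER, FTP, "ftp")),
    ("ftp", Frame(FTP, ROUTER, "ftp")),
    ("router", Frame(ROUTER, BROADCAST, "arp")),
    ("router", Frame(ROUTER, SMTP, "smtp")),
]


def sniffed_on(device, port, traffic=TRAFFIC):
    """Protocols of the frames a sniffer on `port` captures: everything the
    host on that port sends plus every frame the device delivers to it."""
    seen = []
    for in_port, frame in traffic:
        delivered = device.forward(in_port, frame)
        if in_port == port or port in delivered:
            seen.append(frame.proto)
    return seen


def compare_ftp_sniffer():
    """What a sniffer on the captured ftp bastion sees under each device."""
    return {
        "repeater": sniffed_on(RepeaterHub(PORTS), "ftp"),
        "bridge": sniffed_on(LearningBridge(PORTS), "ftp"),
        "filtering_hub": sniffed_on(FilteringHub(PORTS), "ftp"),
    }


if __name__ == "__main__":
    for device, seen in compare_ftp_sniffer().items():
        print(f"{device:14s} ftp sniffer captured {len(seen)} frames, "
              f"{seen.count('smtp')} of them SMTP: {seen}")
```

On the repeater hub the ftp sniffer captures every SMTP frame. Behind the learning bridge it captures only the first one, the frame the bridge had to flood because it had not yet learned the mail bastion's address, plus broadcasts; the bridge's protection therefore depends on the state of its learning table. The per-port filtering model delivers no SMTP frames to the ftp port at all and keeps no learned state, which is the sense in which a dumber device has less for an attacker to work with.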