Great Circle Associates Firewalls
(April 1998)
Subject: Re: DMZ config question
From: Eric Vyncke <evyncke@cisco.com>
Date: Thu, 09 Apr 1998 14:45:45 +0200
To: Chris Lonvick <clonvick@cisco.com>, "Dean Ethier" <Dean_Ethier@dmr.ca>, firewalls@GreatCircle.COM, firewall-wizards@nfr.net
In-reply-to: <3.0.32.19980407222630.0070c368@localhost>

At 22:26 7/04/98 -0500, Chris Lonvick wrote:
>Hi,
>
>Some random thoughts:
>
>Use a switch - If any one system on the DMZ is compromised, then an
>  attacker may be able to set up tcpdump (or similar) to capture
>  usernames and passwords.  With a switch, the attacker will only
>  be able to get passwords on the same system that he has already
>  compromised.  He could get those from running crack.  A hub will
>  allow the sniffer package to see all traffic, including the
>  traffic from your internal devices to the rest of the Internet.
>  You could use a router, but that gets much more expensive if you
>  have several DMZ devices.

And to be even more paranoid, use a switch with a static mapping
between MAC address and port. The physical port cannot be changed
from a remote site, while the MAC address could possibly be changed.

Then use a static ARP table on *all* devices of the DMZ (including the
router and the firewall/proxy server).

Then not only sniffing is prevented, but also local IP spoofing.

...<SCISSOR WAS THERE>...

Just my paranoid 0,01 EUR

-eric

Eric Vyncke
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke@cisco.com          Mobile: +32-75-312.458
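The static-ARP part of the advice above, as an added example that is not part of the original post or of any Cisco material: a POSIX shell snippet that turns a DMZ inventory into permanent neighbour entries for a Linux host on the segment, and a check that compares a live neighbour table against that inventory so that a changed MAC (the local spoofing case the post mentions) or an unlisted host shows up. The inventory, the interface name eth1 and the sample `ip -4 neigh show` dump are all constructed for the example; `gen_static_arp` only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example, not from the original post. Inventory, interface name
# and the sample neighbour-table dump are constructed/hypothetical.

# Hypothetical DMZ inventory: "ip mac", one host per line.
DMZ_INVENTORY='192.0.2.1 00:00:0c:01:02:03
192.0.2.10 00:50:56:aa:bb:01
192.0.2.11 00:50:56:aa:bb:02'

DMZ_IFACE=eth1   # assumed name of the interface on the DMZ segment

# Print one "ip neigh replace ... nud permanent" command per inventory
# entry.  Pipe the output to sh as root on the real host to pin the
# entries; running it again is safe because "replace" is idempotent.
gen_static_arp() {
    printf '%s\n' "$DMZ_INVENTORY" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
            "$ip" "$mac" "$DMZ_IFACE"
    done
}

# Read an "ip -4 neigh show" dump on stdin and print one line per
# violation: MISMATCH when the MAC seen for a known IP differs from the
# inventory (ARP/IP spoofing on the segment, or a stale cache entry),
# UNKNOWN when the IP is not in the inventory at all.  Entries without
# an lladdr field (FAILED/INCOMPLETE) carry no MAC and are skipped.
check_neigh() {
    while read -r line; do
        set -- $line
        [ $# -ge 5 ] && [ "$4" = lladdr ] || continue
        ip=$1
        mac=$5
        expected=$(printf '%s\n' "$DMZ_INVENTORY" |
            awk -v want="$ip" '$1 == want { print $2 }')
        if [ -z "$expected" ]; then
            printf 'UNKNOWN %s %s\n' "$ip" "$mac"
        elif [ "$expected" != "$mac" ]; then
            printf 'MISMATCH %s expected %s seen %s\n' "$ip" "$expected" "$mac"
        fi
    done
    return 0
}

# Constructed sample of what "ip -4 neigh show" might print on the DMZ
# host: one correct pinned entry, one correct dynamic entry, one host
# whose MAC changed, one host nobody put in the inventory, one failed
# lookup.
SAMPLE_NEIGH='192.0.2.1 dev eth1 lladdr 00:00:0c:01:02:03 PERMANENT
192.0.2.10 dev eth1 lladdr 00:50:56:aa:bb:01 REACHABLE
192.0.2.11 dev eth1 lladdr 00:50:56:de:ad:01 STALE
192.0.2.99 dev eth1 lladdr 00:50:56:de:ad:02 REACHABLE
192.0.2.12 dev eth1 FAILED'

# Usage on a real host:  ip -4 neigh show dev eth1 | check_neigh
# Offline demonstration with the constructed dump:
printf '%s\n' "$SAMPLE_NEIGH" | check_neigh
```

Two caveats the post's recommendation implies but does not spell out: a static ARP table only helps if it is applied on every host and on the router/firewall, because any device that still learns ARP dynamically can be fed a forged reply; and a permanent entry does not survive a reboot unless the command is re-run from the boot scripts, so the check function is worth running periodically rather than once. The matching switch side on a Catalyst running IOS is the `switchport port-security` family of interface commands (`switchport port-security mac-address H.H.H` with `switchport port-security maximum 1`), which is the static MAC-to-port mapping the post describes; that is an IOS feature, not something shown in the original thread.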

