At 22:26 7/04/98 -0500, Chris Lonvick wrote:
>Hi,
>
>Some random thoughts:
>
>Use a switch - If any one system on the DMZ is compromised, then an
> attacker may be able to set up tcpdump (or similar) to capture
> usernames and passwords. With a switch, the attacker will only
> be able to get passwords on the same system that he has already
> compromised. He could get that from running crack. A hub will
> allow the sniffer package to see all traffic, including the
> traffic from your internal devices to the rest of the Internet.
> You could use a router, but that gets much more expensive if you
> have several DMZ devices.
And to be even more paranoid, use a switch with static mapping
between MAC address and port. The physical port cannot be changed
from a remote site, while the MAC address could possibly be changed.
Then use static ARP tables on *all* devices of the DMZ (including the router
and the firewall/proxy server).
Then not only sniffing is prevented, but also local IP spoofing.
...<SCISSOR WAS THERE>...
Just my paranoid 0,01 EUR
-eric
Eric Vyncke
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke@cisco.com Mobile: +32-75-312.458
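A defender-side check for the static ARP advice above, added here as an example and not taken from the thread: it parses Linux `ip neigh show` output (a constructed sample) and compares it with an administrator's inventory of DMZ addresses (constructed values), flagging entries whose MAC differs from the inventory, entries that are not PERMANENT (so the static configuration is missing), hosts not in the inventory, and inventoried hosts with no entry at all.

```python
# Constructed inventory of DMZ hosts: the IP -> MAC mapping an administrator
# would keep alongside the static ARP entries (example values, not real hosts).
EXPECTED_ARP = {
    "192.0.2.1":  "00:00:0c:aa:bb:01",   # DMZ router
    "192.0.2.2":  "00:00:0c:aa:bb:02",   # firewall/proxy server
    "192.0.2.10": "00:00:0c:aa:bb:10",   # web server
    "192.0.2.11": "00:00:0c:aa:bb:11",   # mail relay
}

# Constructed sample of `ip neigh show` output (Linux), one entry per line.
SAMPLE_IP_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:0c:aa:bb:01 PERMANENT
192.0.2.2 dev eth0 lladdr 00:00:0c:aa:bb:02 PERMANENT
192.0.2.10 dev eth0 lladdr 00:00:0c:aa:bb:10 REACHABLE
192.0.2.11 dev eth0 lladdr 00:00:0c:de:ad:11 STALE
192.0.2.99 dev eth0 lladdr 00:00:0c:aa:bb:99 REACHABLE
"""


def parse_ip_neigh(text):
    """Return {ip: (mac, state)} from `ip neigh show` output; entries without a
    lladdr token (FAILED / INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" in tok:
            mac = tok[tok.index("lladdr") + 1]
            table[tok[0]] = (mac.lower(), tok[-1])   # state is the last token
    return table


def audit_arp(observed, expected):
    """Compare a live ARP table with the expected static mapping; returns sorted
    (ip, finding) tuples: mac-mismatch (possible ARP spoofing), not-permanent
    (static entry missing), unknown-host (not in inventory), missing (no entry)."""
    findings = []
    for ip, (mac, state) in sorted(observed.items()):
        if ip not in expected:
            findings.append((ip, "unknown-host"))
            continue
        if mac != expected[ip].lower():
            findings.append((ip, "mac-mismatch"))
        if state != "PERMANENT":
            findings.append((ip, "not-permanent"))
    for ip in sorted(set(expected) - set(observed)):
        findings.append((ip, "missing"))
    return findings
```

On a real host, feed the output of `ip neigh show` to `parse_ip_neigh` and run `audit_arp` against your own inventory; any mac-mismatch on a DMZ address deserves immediate attention.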