Great Circle Associates Firewalls
(April 1998)
 


Subject: Re: DMZ config question
From: "W.C. (Jay) Epperson" <epperson @ vak12ed . edu>
Date: Thu, 09 Apr 1998 15:59:08 EDT
To: evyncke @ cisco . com
Cc: firewalls @ greatcircle . com
In-reply-to: <3 . 0 . 5 . 32 . 19980409144545 . 00815330 @ brussels . cisco . com>; from "Eric Vyncke" at Apr 09, 98 2:45 pm
Reply-to: epperson @ vak12ed . edu

eric's paranoia induced:
> 
> And even be more paranoid, use a switch with static mapping
> between MAC address and port. The physical port cannot be changed
> from a remote site while the MAC address could possibly be changed.
> 
> Then use static ARP table on *all* devices of the DMZ (including router
> and the firewall/proxy server). 
> 
> Then, not only sniffing is prevented but also local IP spoofing.
> 
> ...<SCISSOR WAS THERE>...
> 
> Just my paranoid 0,01 EUR
> 
> -eric
> 
> Eric Vyncke      
> Technical Consultant               Cisco Systems Belgium SA/NV
> Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
> E-mail: evyncke @ cisco . com          Mobile: +32-75-312.458

and, of course, be very, very careful about protecting the switch
WRT login access--they compromise that, and you're toast....
--
W.C. Epperson			"I have great faith in fools. 
Chief, Systems Engineering       Self-confidence, my friends call it."
Information Security Officer             --Edgar Allan Poe--
DBA Emeritus
Curmudgeon-for-Life
Virginia Dept. of Education	        
epperson @ pen . k12 . va . us
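
A check for the static-ARP advice quoted above, added here as an example and not part of the original message: it parses Linux `ip neigh show` output from one DMZ host and flags neighbours that are not pinned as static (PERMANENT) entries or whose MAC differs from an inventory. The inventory, addresses and sample output are constructed, and the inventory is assumed to list every DMZ device except the host being audited.

```python
import re

# Constructed inventory of the other DMZ devices: IP -> expected MAC
# (documentation address ranges, not real hosts).
EXPECTED = {
    "192.0.2.1": "00:00:5e:00:53:01",   # router
    "192.0.2.2": "00:00:5e:00:53:02",   # firewall/proxy server
    "192.0.2.10": "00:00:5e:00:53:10",  # web server
}

# Constructed sample of `ip neigh show` output.
SAMPLE = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 PERMANENT
192.0.2.2 dev eth0 lladdr 00:00:5e:00:53:02 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:99 PERMANENT
192.0.2.77 dev eth0 lladdr 00:00:5e:00:53:77 STALE
192.0.2.50 dev eth0  FAILED
"""

LINE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))?(?: router)?\s+(\S+)$")

def parse_neigh(text):
    """Yield (ip, mac_or_None, state) for each neighbour-table line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ip, _dev, mac, state = m.groups()
            yield ip, (mac.lower() if mac else None), state

def audit(text, expected):
    """Return a sorted list of (ip, problem) findings."""
    findings, seen = [], set()
    for ip, mac, state in parse_neigh(text):
        if mac is None:
            continue  # unresolved entry (FAILED/INCOMPLETE): no MAC to compare
        seen.add(ip)
        if ip not in expected:
            findings.append((ip, "not in inventory"))
        elif mac != expected[ip].lower():
            findings.append((ip, "MAC mismatch"))
        elif state != "PERMANENT":
            findings.append((ip, "learned dynamically, not static"))
    findings += [(ip, "no static entry") for ip in expected if ip not in seen]
    return sorted(findings)

if __name__ == "__main__":
    for ip, problem in audit(SAMPLE, EXPECTED):
        print(f"{ip}: {problem}")
```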

