eric's paranoia induced:
> And even be more paranoid, use a switch with static mapping
> between MAC address and port. The physical port cannot be changed
> from a remote site while the MAC address could possibly be changed.
> Then use static ARP table on *all* devices of the DMZ (including router
> and the firewall/proxy server).
> Then, not only sniffing is prevented but also local IP spoofing.
> ...<SCISSOR WAS THERE>...
> Just my paranoid 0,01 EUR
> Eric Vyncke
> Technical Consultant Cisco Systems Belgium SA/NV
> Phone: +32-2-778.4677 Fax: +32-2-778.4300
> E-mail: evyncke @ com Mobile: +32-75-312.458
and, of course, be very, very careful about protecting the switch
WRT login access--they compromise that, and you're toast....
W.C. Epperson
Chief, Systems Engineering
Information Security Officer
Virginia Dept. of Education

"I have great faith in fools. Self-confidence, my friends call it."
--Edgar Allan Poe--
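
Added example, not part of the original messages: a Python audit of the static ARP setup suggested above, checking a Linux DMZ host's neighbour table against the pinned IP-to-MAC inventory. It assumes `ip neigh show` output; the sample table, addresses, inventory and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ip neigh show` output from a DMZ host.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth1 lladdr 00:00:5e:00:53:01 PERMANENT
192.0.2.10 dev eth1 lladdr 00:00:5e:00:53:0a REACHABLE
192.0.2.20 dev eth1 lladdr 00:00:5e:00:53:ff REACHABLE
192.0.2.99 dev eth1 lladdr 00:00:5e:00:53:63 STALE
198.51.100.7 dev eth0 lladdr 00:00:5e:00:53:07 REACHABLE
192.0.2.30 dev eth1 FAILED
"""

# Assumed inventory: the IP -> MAC pairs the administrator pinned.
EXPECTED = {
    "192.0.2.1": "00:00:5e:00:53:01",   # router
    "192.0.2.10": "00:00:5e:00:53:0a",  # firewall/proxy
    "192.0.2.20": "00:00:5e:00:53:14",  # web server
    "192.0.2.40": "00:00:5e:00:53:28",  # mail relay
}

def parse_neigh(text):
    """Map IP -> (MAC or None, state) from `ip neigh show` lines."""
    entries = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # not a neighbour entry
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        entries[tok[0]] = (mac, tok[-1])
    return entries

def audit(text, expected, dmz="192.0.2.0/24"):
    """Return (ip, problem) pairs where the table departs from the pinned map."""
    net, seen, findings = ipaddress.ip_network(dmz), parse_neigh(text), []
    for ip, want in sorted(expected.items()):
        mac, state = seen.get(ip, (None, "ABSENT"))
        if mac is None:
            findings.append((ip, "no static entry"))
        elif mac != want.lower():
            findings.append((ip, "MAC mismatch"))       # possible local spoofing
        elif state != "PERMANENT":
            findings.append((ip, "learned dynamically"))  # entry is not pinned
    for ip, (mac, _) in sorted(seen.items()):
        if ip not in expected and mac and ipaddress.ip_address(ip) in net:
            findings.append((ip, "unknown DMZ neighbour"))
    return findings

if __name__ == "__main__":
    for ip, problem in audit(SAMPLE_NEIGH, EXPECTED):
        print(f"{ip}: {problem}")
```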