Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: DMZ config question

Re: DMZ config question

From: Eric Vyncke <evyncke_at_cisco.com>
Date: Fri, 10 Apr 1998 19:04:22 +0200

Adam,

Thanks for your valuable comments, anyway:

1) switches are usually inside your network and mostly not
reachable from the outside (else you are in deep trouble anyway!).
And, attacks from your network can usually be traced and acted
upon (e.g. firing the hacker, ...)

2) IPsec is very nice and I'm very happy to use it to provide
confidentiality/integrity but it is not a silver bullet. IPsec
does not solve all problems :-(

It will be interesting how the switch industry will react on
the new threat from the inside. And I do fear that a lot
of them have unsecured configurations.

Which frighten me since Ethernet switch are commonly used to
segregate a single cabling system into separate LAN.

Wait and see

-eric

At 08:56 10/04/98 -0400, Adam Shostack wrote:
> I hate to spread FUD, but last summer at Black Hat Briefings,
>I asked a panel which included Mudge, route, Artimage, and a number of
>other smart hackers about the next big type of attack, now that buffer
>overflows and misconfigurations are commonplace.
>
> There were a couple of confident replies that switching
>technology only works until you subject it to malicious attack, and
>then all sorts of interesting things can be made to happen.
>
> This jibes with my experience, which is that technologies not
>designed for security don't provide security, and that technologies
>not designed to resist malicious attacks don't resist malicious
>attacks.
>
> So, if you choose to rely on a switch, ask your vendor for
>their test results from when they maliciously attacked it. Adjust
>your trust levels accordingly. And deploy IPsec.
>
>Adam
>
>
>Eric Vyncke wrote:
>| At 22:26 7/04/98 -0500, Chris Lonvick wrote:
>| >Hi,
>| >
>| >Some random thoughts:
>| >
>| >Use a switch - If any one system on the DMZ is compromised, then an
>| > attacker may be able to set up tcpdump (or similar) to capture
>| > usernames and passwords. With a switch, the attacker will only
>
>| And even be more paranoid, use a switch with static mapping
>| between MAC address and port. The physical port cannot be change
>| from a remote site while the MAC address could possibly be changed.
>
>--
>Just be thankful that Microsoft does not manufacture pharmaceuticals.
>
Eric Vyncke
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke_at_cisco.com Mobile: +32-75-312.458
Received on Apr 10 1998

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos