|
Firewall Wizards
mailing list archives
Re: DMZ config question
From: Eric Vyncke <evyncke () cisco com>
Date: Thu, 09 Apr 1998 14:45:45 +0200
At 22:26 7/04/98 -0500, Chris Lonvick wrote:
Hi,
Some random thoughts:
Use a switch - If any one system on the DMZ is compromised, then an
attacker may be able to set up tcpdump (or similar) to capture
usernames and passwords. With a switch, the attacker will only
be able to get passwords on the same system that he has already
compromised. He could get that from running crack. A hub will
allow the sniffer package to see all traffic. including the
traffic from your internal devices to the rest of the Internet.
You could use a router, but that gets much more expensive if you
have several DMZ devices.
And even be more paranoid, use a switch with static mapping
between MAC address and port. The physical port cannot be change
from a remote site while the MAC address could possibly be changed.
Then use static ARP table on *all* devices of the DMZ (including router
and the firewall/proxy server).
Then, not only sniffing is prevented but also local IP spoofing.
...<SCISSOR WAS THERE>...
Just my paranoid 0,01 EUR
-eric
Eric Vyncke
Technical Consultant Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke () cisco com Mobile: +32-75-312.458
 By Date 
By Thread
Current thread:
- Re: DMZ config question Eric Vyncke (Apr 09)
| 
Intro
