At 22:26 7/04/98 -0500, Chris Lonvick wrote:
>Hi,
>
>Some random thoughts:
>
>Use a switch - If any one system on the DMZ is compromised, then an
> attacker may be able to set up tcpdump (or similar) to capture
> usernames and passwords. With a switch, the attacker will only
> be able to get passwords on the same system that he has already
> compromised. He could get that from running crack. A hub will
> allow the sniffer package to see all traffic, including the
> traffic from your internal devices to the rest of the Internet.
> You could use a router, but that gets much more expensive if you
> have several DMZ devices.

And to be even more paranoid, use a switch with static mapping between MAC address and port. The physical port cannot be changed from a remote site, while the MAC address could possibly be changed. Then use static ARP tables on *all* devices of the DMZ (including the router and the firewall/proxy server). Then not only is sniffing prevented, but also local IP spoofing.

...<SCISSOR WAS THERE>...

Just my paranoid 0,01 EUR

-eric

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evynckeat_private
Mobile: +32-75-312.458
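The static-ARP advice above is only as good as its upkeep, so here is an added audit example (not code from the thread or from any of the posters): it parses constructed Linux `ip neigh show` output from a hypothetical DMZ host, checks every entry against a constructed IP-to-MAC inventory, flags entries that are dynamic, mismatched (a sign of local IP spoofing) or missing, and prints the iproute2 commands that would pin them. The inventory, addresses and interface name are all assumptions.

```python
"""Audit a DMZ host's ARP/neighbour table against a static IP->MAC inventory.

Constructed example: nothing here touches the live table; it only parses
text in `ip neigh show` format and prints the commands an operator would run.
"""
import re

# Constructed inventory for a hypothetical DMZ segment (documentation addresses).
DMZ_INVENTORY = {
    "192.0.2.1": "00:11:22:33:44:01",   # router
    "192.0.2.2": "00:11:22:33:44:02",   # firewall/proxy
    "192.0.2.10": "00:11:22:33:44:10",  # web server
    "192.0.2.11": "00:11:22:33:44:11",  # mail relay
}

# Constructed `ip neigh show` output captured on one DMZ host.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:11:22:33:44:01 PERMANENT
192.0.2.2 dev eth0 lladdr 00:11:22:33:44:02 REACHABLE
192.0.2.10 dev eth0 lladdr 00:11:22:33:44:99 PERMANENT
192.0.2.11 dev eth0  FAILED
"""

LINE_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?\s+(\S+)$")

def parse_neigh(text, dev="eth0"):
    """Return {ip: (mac or None, state)} for entries on the given interface."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == dev:
            table[m.group(1)] = (m.group(3), m.group(4))
    return table

def audit(table, inventory):
    """Compare the live table with the inventory; return {ip: problem}."""
    problems = {}
    for ip, want_mac in inventory.items():
        mac, state = table.get(ip, (None, None))
        if mac is None:
            problems[ip] = "missing"           # no static entry at all
        elif mac.lower() != want_mac.lower():
            problems[ip] = "mac-mismatch"      # possible local IP spoofing
        elif state != "PERMANENT":
            problems[ip] = "not-static"        # dynamic entry can be overwritten
    return problems

def pin_commands(problems, inventory, dev="eth0"):
    """iproute2 commands that would install the static entries (not executed)."""
    return [f"ip neigh replace {ip} lladdr {inventory[ip]} dev {dev} nud permanent"
            for ip in sorted(problems)]

if __name__ == "__main__":
    found = audit(parse_neigh(SAMPLE_NEIGH), DMZ_INVENTORY)
    for ip, why in sorted(found.items()):
        print(f"{ip}: {why}")
    print("\n".join(pin_commands(found, DMZ_INVENTORY)))
```

Run the same audit from each DMZ device (router and firewall included) rather than from one host, since the advice is that every device pins every neighbour.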
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:07 PDT