Re: Q on external router

From: Bennett Todd (betat_private)
Date: Thu Apr 23 1998 - 04:01:52 PDT


1998-04-23-06:34:58 Vinci Chou:
> However, because these DMZ hosts are on the same physical segment, even
> they have different net numbers, a compromised host is still able to sniff
> the traffic, isn't it ?

That's exactly right. That's why I said, in my first note, ``only losing
protection if a DMZ host is root-level compromised''.

Now if you can't afford to have a multiport router, or N network
interfaces on your bastion, then the cheaper solution that
you're stuck with is a hub, and you lose root on a machine on a
hub and all your traffic can be sniffed, always. But with the
separate-nets-over-the-same-ether trick you can get some good
additional protection _until_ one of the DMZ hosts gets root
broken. Don't get root broken on machines in the DMZ, that's always
sound advice.

-Bennett
    
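The exchange above boils down to a layer-2 fact: a hub repeats every frame to every port and never looks at IP net numbers, so "separate nets over the same ether" only limits what a host sees until that host is root-compromised and put into promiscuous mode; separate physical segments (a multiport router, or N interfaces on the bastion) actually limit it. The following is an added example, not code from the original thread or its participants: a small Python model that computes which flows a compromised DMZ host could capture under each cabling choice. The host names, net numbers and segment labels are constructed sample data.

```python
"""Added example (not part of the original list post): a model of the point in
the thread. On one physical Ethernet segment, distinct IP net numbers do not
stop a root-compromised host from sniffing its neighbours; separate physical
segments behind a multiport bastion do. All hosts, nets and segment names
below are constructed sample data."""

from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Host:
    name: str
    net: str                # IP net number, informational only; a hub ignores it
    segments: frozenset     # physical Ethernet segments this host's NICs sit on


def wire_segments(src, dst, router):
    """Physical segments a src->dst frame actually crosses: directly attached
    hosts talk on their shared segment, otherwise the frame is routed via the bastion."""
    direct = src.segments & dst.segments
    if direct:
        return direct
    return (src.segments & router.segments) | (dst.segments & router.segments)


def observers(src, dst, router, hosts):
    """Hosts other than the endpoints whose NIC sees frames of src->dst in
    promiscuous mode. Subnet membership is deliberately ignored, because a
    hub repeats frames to every port without looking at IP headers."""
    wire = wire_segments(src, dst, router)
    return sorted(h.name for h in hosts
                  if h not in (src, dst) and h.segments & wire)


def sniffable_flows(hosts, router):
    """For each host, the set of (src, dst) flows among the other hosts it could capture."""
    result = {h.name: set() for h in hosts}
    for a, b in permutations(hosts, 2):
        for name in observers(a, b, router, hosts):
            result[name].add((a.name, b.name))
    return result


def build_dmz(shared_ether):
    """Three DMZ hosts on distinct net numbers plus the bastion router.
    shared_ether=True puts them all on one hub ('dmz-ether');
    False gives each host its own bastion interface/segment."""
    names = ["www", "dns", "mail"]
    nets = {"www": "192.0.2.0/24", "dns": "198.51.100.0/24", "mail": "203.0.113.0/24"}
    seg = (lambda n: "dmz-ether") if shared_ether else (lambda n: f"bastion-port-{n}")
    dmz = [Host(n, nets[n], frozenset({seg(n)})) for n in names]
    router = Host("bastion", "multiple", frozenset(seg(n) for n in names))
    return dmz + [router], router


def exposure_if_compromised(victim, shared_ether):
    """Flows a root-compromised `victim` could sniff under the chosen cabling."""
    hosts, router = build_dmz(shared_ether)
    return sniffable_flows(hosts, router)[victim]


if __name__ == "__main__":
    for shared in (True, False):
        label = "hub, separate net numbers" if shared else "separate bastion ports"
        print(f"{label}: www can sniff {sorted(exposure_if_compromised('www', shared))}")
```

With the hub, a compromised `www` sees every flow between `dns`, `mail` and the bastion despite the three different net numbers; with one bastion interface per host it sees nothing, and only the bastion itself observes cross-host traffic. That is the "until one of the DMZ hosts gets root broken" boundary stated in the reply, expressed as a check you can run against your own inventory.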

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:28 PDT