Re: Q on external router

From: Adam Shostack (adamat_private)
Date: Thu Apr 23 1998 - 00:25:14 PDT


    Vinci Chou wrote:
    | On Wed, 22 Apr 1998, Vinci Chou wrote:
    | 
    | > traffic on the DMZ.  However, it was also pointed out by somebody a switch
    | > doesn't make a lot of difference.  So is it possible to do something like
    | 
    | After posting my question, I searched the archive at nfr.net and the
    | argument by "Adam Shostack" against a switch in the DMZ was not that it
    | cannot prevent sniffing but rather, it may not stand malicious attack.
    | However, he did not quote any concrete evidence or example because these
    | are relatively new.
    | 
    | I am wondering if anyone can share his/her experience of using a switch
    | in the DMZ.
    
    	Allow me to clarify my argument.
    
    	Do not rely on switches because switches are not designed for
    security.  This is not an argument that switches are, or are not
    buggy.  Others have already posted explanations of possible flaws.  I
    did not because I don't care about possible flaws in products while
    doing my first order reasoning.
    
    	If a switch happens to be buggy, you can find that
    information, and fix your switch.  But this is a losing battle,
    because there will always be new bugs.  You need to choose security
    components because they were designed for security, and hope like hell
    that this means that they have fewer bugs than products that were
    designed for other things.
    
    	I've used and removed switches from a DMZ, because the
    switches led to the following reasoning:
    
    	"If one of our (identical) web servers is broken into, we
    don't want people sniffing account numbers off the net, so we'll use
    switches."
    
    	It did not occur to them (but did occur to our tiger team :)
    that it's much easier to re-write the CGIs to log the information than
    it is to pull it off the wire.  Fortunately, however, it was already
    being sent to syslog, so we just needed to redirect that, and leave
    the web server alone.
    
    	So, others have posted bugs in the implementation of switches.
    I prefer to start by looking for bugs in the design of a system, and
    the thought that goes into the design.  Switches are usually a
    mistake, except when you deploy them for network performance reasons.
    
    Adam
    
    
    -- 
    Just be thankful that Microsoft does not manufacture pharmaceuticals.
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:32 PDT