> Do not misread me, I'm in no way saying that a `mostly dumb'
> ethernet switch can replace a firewall... I'm just saying that
> instead of using a hub for a DMZ, you can use another device
> that can increase your security.

Don't get me wrong, I'm not saying "don't deploy switches". On the contrary, it is becoming apparent that deployment of switched Ethernet is pretty much mandatory in production networks, for performance reasons.

What I am saying is that it is foolish to deploy switches in a manner that forces your network to rely on them for security. When designing a secure system, you should work from the assumption that attackers will be able to sniff through switched Ethernet.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                       Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf          "If you're so special, why aren't you dead?"
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:37 PDT