Thomas,

Do not misread me, I'm in no way saying that a `mostly dumb' ethernet switch can replace a firewall... I'm just saying that instead of using a hub for a DMZ, you can use another device that can increase your security. If it fails (buggy software, ...), you are back to square #1. But it is at least an additional layer of security, and I am willing to use as many security layers as possible to protect my networks/hosts.

And, even if my fellow software engineers won't agree with me, I agree with you: switches are not designed/developed with security as the first requirement. Nevertheless, their code is much shorter than a firewall/router's, so, statistically, they `should' have fewer security bugs. But, wait and see...

-eric

PS: I'm just discussing generic topics about switches and not only about my employer's ones.

At 15:15 23/04/98 -0500, tqbfat_private wrote:
>> Thus, in my opinion (but have a look at my email address to see
>> that I could be biased ;-) ), the switch can increase the DMZ security
>> if:
>> - it uses static mapping
>> - as you put part of your security in the switch configuration, you
>> must obviously secure your switch config (OTP, ACL, management via
>> console only, ...)
>
>What about problems that fault the switch itself? We have seen bugs that
>crash 3Com switches due to poor IP stack implementation; Cisco is aware of
>bugs that affect their Catalyst platforms as well. What assurance do we
>have that switches are implemented with the same attention to security as
>firewalls?
>
>-----------------------------------------------------------------------------
>Thomas H. Ptacek                                      Secure Networks, Inc.
>-----------------------------------------------------------------------------
>http://www.enteract.com/~tqbf        "If you're so special, why aren't you dead?"
>

Eric Vyncke
Technical Consultant
Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evynckeat_private
Mobile: +32-75-312.458
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:38 PDT