From owner-freebsd-security Sun Aug 22 0:15:46 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id B7D2E14D62 for ; Sun, 22 Aug 1999 00:15:39 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id AAA76633; Sun, 22 Aug 1999 00:13:25 -0700 (PDT) (envelope-from dillon)
Date: Sun, 22 Aug 1999 00:13:25 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199908220713.AAA76633@apollo.backplane.com>
To: "Rodney W. Grimes"
Cc: cdillon@wolves.k12.mo.us (Chris Dillon), wes@softweyr.com (Wes Peters), cliff@steam.com (Cliff Skolnick), service_account@yahoo.com (jay d), yurtesen@ispro.net.tr (Evren Yurtesen), freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
References: <199908220649.XAA31700@gndrsh.dnsmgr.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:> I noticed the only "L3 support" from the spec sheets of the 4000M and
:> 8000M is IGMP snooping to control multicast traffic, and "protocol
:> filtering" only on the 8000M. Nothing close to IP routing, however
:...
:> with only a 3.8Gbit backplane, unless local switching occurs on each
:> of the port modules, and even then the "throughput test" would have to
:...
:
:...
:4Gbit/sec of backplane to do this. That's 4G bytes of data in, 4G
:across the backplane, and 4G back out of the box.
:
:...
:As you can see the Fabric only has to handle 40 x 100Mb/s to
:keep all 40 ports busy at full duplex.
:
:The 3.8 Gb/s spec comes up a little short, but only by 2 ports...
:and it had better be darned efficient as far as overhead goes...
:--
:Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net

One thing I've learned about switches: by the time you actually use up the backplane bandwidth of a cheapish switch, you are already spending so much money on the hardware connected to the thing that the cost of upgrading the switch itself is in the noise.

The second thing I've learned: unless your needs are highly specialized, you aren't going to even come close to the potential aggregate bandwidth of N ports. At BEST we had several Catalysts, 150+ ports on each one, for customer colo and for all of our web servers & shell machines. I don't think any of those babies ever used more than 500 MBits of aggregate bandwidth across the fabric.

In regards to all the discussions about security and so forth... well, all I can say to that is that it's easy for one to get worked up into a frenzy over network security. You have much less stress when you simply assume that the network is always compromised. Then you can concentrate your time on securing the machines and using only encrypted network links, which is what you should have been doing in the first place.

Any hacker who can bypass a simple switch also has a fairly good chance of working around a more sophisticated one, even if you nail the MAC addresses down and take every precaution you can think of. To my mind that means that it makes sense to take basic precautions (e.g. use a switch instead of a hub), but if you get too far beyond that you start to waste money on tiny incremental improvements. Some people might get some peace of mind by throwing lots of money into hardware, but it gives a false sense of security.

-Matt
Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message