From owner-freebsd-security Fri Aug 20 11:55:16 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4])
	by hub.freebsd.org (Postfix) with ESMTP id E633A15362
	for ; Fri, 20 Aug 1999 11:55:13 -0700 (PDT)
	(envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost)
	by gndrsh.dnsmgr.net (8.9.3/8.9.3) id LAA24307;
	Fri, 20 Aug 1999 11:52:19 -0700 (PDT)
	(envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908201852.LAA24307@gndrsh.dnsmgr.net>
Subject: Re: multiple machines in the same network
In-Reply-To: <37BD9E40.7B95E73E@ispro.net.tr> from Evren Yurtesen at "Aug 20, 1999 09:28:16 pm"
To: yurtesen@ispro.net.tr (Evren Yurtesen)
Date: Fri, 20 Aug 1999 11:52:18 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Hello,
>
> We are an ISP and we want to let our customers to put their own hardware
> into our network. But the thing we are concerned about is security of
> course. How can we protect our system from customers' machines?

I would strongly suggest that you place your customers on an ethernet
switch. Any of the modern 10/100 switches work well for this. Each
customer gets 1 port on the switch, if they have more than 1 machine
they install their own hub connected to the switch. This prevents them
from sniffing other customers' traffic.

Then you need to set up a router between this switch and your DMZ with a
firewall rule set that stops all the nasty stuff like RFC1918 nets,
smurf amplifier (block the broadcast addresses to all known subnets), etc.

>
> I have heard about something called "virtual network" but I am not sure
> of what it means and even if it is the thing I am searching for ?

You don't need VLANs for this, it's overkill.

-- 
Rod Grimes - KD7CAX - (RWG25) rgrimes@gndrsh.dnsmgr.net
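
Added example, not part of Rod Grimes's message: a dry-run POSIX sh script that prints ipfw commands for the filtering he describes (RFC1918 nets and the broadcast addresses of known subnets). The interface name fxp1, the rule numbers and the sample subnets are assumptions; also blocking each subnet's network address goes slightly beyond the message.

```sh
#!/bin/sh
# Added example: prints ipfw commands for review; it does not install them.
CUST_IF="fxp1"    # assumption: router interface facing the customer switch
CUST_NETS="192.0.2.0/26 192.0.2.64/26 198.51.100.0/24"   # constructed subnets
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# CIDR -> "network-address broadcast-address".
net_and_bcast() {
    addr=$(ip_to_int "${1%/*}")
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    base=$(( addr & mask ))
    echo "$(int_to_ip "$base") $(int_to_ip $(( base | (~mask & 4294967295) )))"
}

gen_rules() {
    n=100
    # Private address space must never cross the customer interface.
    for priv in $RFC1918; do
        echo "ipfw add $n deny log ip from $priv to any via $CUST_IF"
        echo "ipfw add $((n + 1)) deny log ip from any to $priv via $CUST_IF"
        n=$((n + 10))
    done
    # Smurf: drop anything addressed to a known subnet's broadcast address,
    # and to its network address (the old all-zeros broadcast form).
    for cidr in $CUST_NETS; do
        [ "${cidr#*/}" -ge 31 ] && continue   # /31 and /32 have no broadcast
        set -- $(net_and_bcast "$cidr")
        echo "ipfw add $n deny log ip from any to $1"
        echo "ipfw add $((n + 1)) deny log ip from any to $2"
        n=$((n + 10))
    done
}

gen_rules
```

Keep CUST_NETS in step with the subnets actually routed behind the switch, since the broadcast rules only cover the prefixes listed there.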