From owner-freebsd-security Fri Aug 20 12:35:17 1999 Delivered-To: freebsd-security@freebsd.org Received: from saturn.terahertz.net (saturn.terahertz.net [209.83.5.170]) by hub.freebsd.org (Postfix) with ESMTP id 1D91B15699 for ; Fri, 20 Aug 1999 12:35:14 -0700 (PDT) (envelope-from mustang@TeraHertz.Net) Received: from localhost (mustang@localhost) by saturn.terahertz.net (8.9.3/8.9.3) with ESMTP id OAA93439; Fri, 20 Aug 1999 14:33:26 -0500 (CDT) Date: Fri, 20 Aug 1999 14:33:25 -0500 (CDT) From: Chris Malayter To: jay d Cc: "Rodney W. Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network In-Reply-To: <19990820192825.15974.rocketmail@web601.yahoomail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Care to elaborate on that? I'm in a colocated facility with multiple boxes that I am sure our root comprimised, if in fact you can sniff on a switched network, I'de like to know how you protect yourself against that? Chris Malayter Mustang@TeraHertz.Net ------------------------------------------------------------------------- Administrator, TeraHertz Communications | | | InterNIC CM3647 | Chief Engineer - 95.1 WVUR - Valparaiso,Indiana | | ------------------------------------------------------------------------- "Behavior is hard to change...but character is nearly impossible" On Fri, 20 Aug 1999, jay d wrote: > What you really want is a VLAN capable switch. VLAN switches simply > designate what ports on a switch can see what other ports on the same > switch. I have to correct you though, Rodney, as sniffing is currently > possible through switches. > > Jay > > --- "Rodney W. Grimes" wrote: > > > Hello, > > > > > > We are an ISP and we want to let our customers to > > put their own hardware > > > into our network. But the thing we are concerned > > about is security of > > > course. How can we protect our system from > > customers' machines? > > > > I would strongly suggest that you place your > > customers on a ethernet > > switch. Any of the modern 10/100 switches work well > > for this. Each > > customer gets 1 port on the switch, if they have > > more than 1 machine > > they install thier own hub connected to the switch. > > This prevents > > them from sniffing other customers traffic. Then > > you need to setup > > a router between this switch and your DMZ with a > > firewall rule set > > that stops all the nasty stuff like RFC1918 nets, > > smurf amplifier (block > > the broadcast addresses to all known subnets), etc. > > > > > > > > I have heard about somehthing called "virtual > > network" but I am not sure > > > of what it means and even if it is the thing I am > > searching for ? > > > > You don't need VLAN's for this, it's overkill. > > > > -- > > Rod Grimes - KD7CAX - (RWG25) > > rgrimes@gndrsh.dnsmgr.net > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > > the message > > > > > > __________________________________________________ > Do You Yahoo!? > Bid and sell for free at http://auctions.yahoo.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message