From owner-freebsd-isp@FreeBSD.ORG Sun Sep 11 14:17:01 2005
Date: Sun, 11 Sep 2005 10:16:57 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Blake Covarrubias
Cc: freebsd-isp@freebsd.org
Subject: Re: VLAN interfaces on FreeBSD; performance issues
Message-id: <43243C59.4040201@mac.com>
References: <4322FDC4.8010609@mac.com>
Organization: The Courts of Chaos
List-Id: Internet Services Providers

Blake Covarrubias wrote:
> On Sep 10, 2005, at 8:37 AM, Chuck Swiger wrote:
[ ... ]
>> fxp is a good NIC hardware.  However, if you are trying to connect
>> two distinct subnets, playing ISO layer-2 games with VLANs is not
>> going to result in a good substitute for layer-3 IP routing.
>>
>> You cannot truthfully multihome a machine with a single NIC.
>
> My goal is to make this machine a gateway for several servers that I
> need to segment that will be on different IP subnets.  I could always
> just alias the IPs to the NIC on the gateway machine, but I need
> layer-2 separation for security.

If you need layer-2 separation for security, then you need to put each of these machines or tiny subnets on separate hubs or switches.  Simply putting them all onto one switch and putting ports onto different VLANs does not give adequate isolation in practice even from non-malicious traffic, as you might discover if you monitor for ARP traffic leaking through (especially under high packet rate load).  A malicious user can use mechanisms discussed here:

http://www.sans.org/resources/idfaq/vlan.php
http://archives.neohapsis.com/archives/sf/pentest/2001-06/0139.html

"Try not to use VLANs as a mechanism for enforcing security policy.  They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool."

> I'm doing this for co-located servers (hence the need for
> segmentation).  I don't think it's feasible to add a NIC for every
> new machine.

You don't need a separate NIC or hub for each new machine, but you ought to have one for each distinct security domain (or client, or whatever).  (If my packets and their packets all go to the same switch port, my traffic is not actually being isolated from their traffic, VLAN tagging or no.)

-- 
-Chuck
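The message above suggests monitoring for ARP traffic that leaks across VLANs as a practical test of whether the switch is really isolating ports. The following is an added example, not code from the thread or from anyone on the list: it parses raw Ethernet frames (for instance the bytes of each packet pulled from a capture taken on the fxp interface), walks any stack of 802.1Q tags, and reports two things a practitioner would want flagged on a port that is supposed to carry only one VLAN: ARP frames tagged with a VLAN ID that port should never see, and frames carrying more than one 802.1Q tag, which is the on-wire shape of a double-tagging VLAN-hopping attempt. The set of allowed VLAN IDs, the MAC addresses and the frames themselves are constructed for the example; nothing here is captured from a real network.

```python
"""Offline check for VLAN isolation leaks in raw Ethernet frames.

Added example: walks 802.1Q (0x8100) tag stacks on each frame and
flags (a) ARP frames whose outer VLAN ID is not allowed on this port and
(b) frames with stacked tags. All sample frames are constructed by hand.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, VLAN IDs (outermost first), inner EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlans = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    # Each 802.1Q tag is 4 bytes: TPID (0x8100) then TCI; the low 12 bits
    # of the TCI are the VLAN ID. Keep consuming tags while the TPID repeats.
    while ethertype == ETHERTYPE_VLAN:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "vlans": vlans,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def check_isolation(frames, allowed_vlans):
    """Return (frame index, reason) for every frame that should not be seen
    on a port restricted to `allowed_vlans` (a set of VLAN IDs)."""
    findings = []
    for i, frame in enumerate(frames):
        f = parse_frame(frame)
        if len(f["vlans"]) > 1:
            findings.append((i, f"stacked 802.1Q tags {f['vlans']}"))
        if (f["ethertype"] == ETHERTYPE_ARP and f["vlans"]
                and f["vlans"][0] not in allowed_vlans):
            findings.append((i, f"ARP from foreign VLAN {f['vlans'][0]}"))
    return findings


def build_frame(dst, src, vlans, ethertype, payload):
    """Assemble an Ethernet frame with zero or more 802.1Q tags (test helper)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample data (hypothetical MACs; minimal ARP request header).
BROADCAST = b"\xff" * 6
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("66778899aabb")
ARP_STUB = b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20
IPV4_STUB = b"\x45" + b"\x00" * 19

SAMPLE_FRAMES = [
    build_frame(BROADCAST, HOST_A, [10], ETHERTYPE_ARP, ARP_STUB),        # ARP on VLAN 10: fine
    build_frame(BROADCAST, HOST_B, [20], ETHERTYPE_ARP, ARP_STUB),        # ARP from VLAN 20: leak
    build_frame(HOST_A, HOST_B, [10, 20], ETHERTYPE_IPV4, IPV4_STUB),     # double-tagged
    build_frame(HOST_B, HOST_A, [], ETHERTYPE_IPV4, IPV4_STUB),           # untagged IPv4: ignored
]

if __name__ == "__main__":
    for idx, reason in check_isolation(SAMPLE_FRAMES, allowed_vlans={10}):
        print(f"frame {idx}: {reason}")
```

Run against a real capture, the frame bytes would come from a pcap reader rather than `SAMPLE_FRAMES`; the parsing and the two checks are unchanged. Seeing ARP from a foreign VLAN on a port that should be in VLAN 10 only is exactly the "leaking through" symptom the message describes, and a stacked-tag frame arriving on an access port deserves investigation regardless of its payload.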