From owner-freebsd-security Fri Aug 20 12:42: 1 1999 Delivered-To: freebsd-security@freebsd.org Received: from web601.yahoomail.com (web1204.mail.yahoo.com [128.11.23.140]) by hub.freebsd.org (Postfix) with SMTP id C0CFF156C7 for ; Fri, 20 Aug 1999 12:41:58 -0700 (PDT) (envelope-from service_account@yahoo.com) Message-ID: <19990820194238.29331.rocketmail@web601.yahoomail.com> Received: from [15.255.160.64] by web1204.mail.yahoo.com; Fri, 20 Aug 1999 12:42:38 PDT Date: Fri, 20 Aug 1999 12:42:38 -0700 (PDT) From: jay d Subject: Re: multiple machines in the same network To: Chris Malayter Cc: "Rodney W. Grimes" , Evren Yurtesen , freebsd-security@FreeBSD.ORG MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org current project >:) i probably shouldn't have said that. jay --- Chris Malayter wrote: > Care to elaborate on that? I'm in a colocated > facility with multiple > boxes that I am sure our root comprimised, if in > fact you can sniff on a > switched network, I'de like to know how you protect > yourself against that? > > Chris Malayter > > > Mustang@TeraHertz.Net > > ------------------------------------------------------------------------- > Administrator, TeraHertz Communications | | > | InterNIC CM3647 | > Chief Engineer - 95.1 WVUR - Valparaiso,Indiana | > | > ------------------------------------------------------------------------- > > "Behavior is hard to change...but character is > nearly impossible" > > > On Fri, 20 Aug 1999, jay d wrote: > > > What you really want is a VLAN capable switch. > VLAN switches simply > > designate what ports on a switch can see what > other ports on the same > > switch. I have to correct you though, Rodney, as > sniffing is currently > > possible through switches. > > > > Jay > > > > --- "Rodney W. Grimes" > wrote: > > > > Hello, > > > > > > > > We are an ISP and we want to let our customers > to > > > put their own hardware > > > > into our network. But the thing we are > concerned > > > about is security of > > > > course. How can we protect our system from > > > customers' machines? > > > > > > I would strongly suggest that you place your > > > customers on a ethernet > > > switch. Any of the modern 10/100 switches work > well > > > for this. Each > > > customer gets 1 port on the switch, if they have > > > more than 1 machine > > > they install thier own hub connected to the > switch. > > > This prevents > > > them from sniffing other customers traffic. > Then > > > you need to setup > > > a router between this switch and your DMZ with a > > > firewall rule set > > > that stops all the nasty stuff like RFC1918 > nets, > > > smurf amplifier (block > > > the broadcast addresses to all known subnets), > etc. > > > > > > > > > > > I have heard about somehthing called "virtual > > > network" but I am not sure > > > > of what it means and even if it is the thing I > am > > > searching for ? > > > > > > You don't need VLAN's for this, it's overkill. > > > > > > -- > > > Rod Grimes - KD7CAX - (RWG25) > > > rgrimes@gndrsh.dnsmgr.net > > > > > > > > > To Unsubscribe: send mail to > majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body > of > > > the message > > > > > > > > > > __________________________________________________ > > Do You Yahoo!? > > Bid and sell for free at http://auctions.yahoo.com > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > the message > > > > __________________________________________________ Do You Yahoo!? Bid and sell for free at http://auctions.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message