From owner-freebsd-security Fri Aug 20 17:29:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 8C2D114C19 for ; Fri, 20 Aug 1999 17:29:23 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id RAA25131; Fri, 20 Aug 1999 17:27:37 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <199908210027.RAA25131@gndrsh.dnsmgr.net>
Subject: Re: multiple machines in the same network
In-Reply-To: <19990820192825.15974.rocketmail@web601.yahoomail.com> from jay d at "Aug 20, 1999 12:28:25 pm"
To: service_account@yahoo.com (jay d)
Date: Fri, 20 Aug 1999 17:27:37 -0700 (PDT)
Cc: yurtesen@ispro.net.tr (Evren Yurtesen), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> What you really want is a VLAN capable switch. VLAN switches simply
> designate what ports on a switch can see what other ports on the same
> switch. I have to correct you though, Rodney, as sniffing is currently
> possible through switches.

Yes, possible, anything is _possible_. But the switch goes a long way
against the casual hacker. Having to break into a machine, spend enough
time to hack the arp code, just to sniff a few packets is hardly worth
the hassle. And is usually detected before they get very far anyway due
to the massive change in traffic patterns this causes.

I already said to put the switch on its own router port with full and
correct filtering. I see a lot of people replying to ``put them on their
own segment''. Now I am not sure if they mean put each individual
customer on their own segment, or to lump them all together on one
segment.

My model was to put them all on one switch, with that whole segment of
the network separated and protected in both directions from any of the
ISP's and Internet stuff via a router with filtering capability.

Putting 2 customers on any one segment is always a bad idea, it allows
either to compromise the other easily by simple tcpdump style sniffing.

The customer per router port is probably the most secure model, even
more secure than a VLAN switch and single filtered router port, it is
also the most expensive model.

And in final defense of my statement, the person specifically asked
``How can we protect OUR systems from customers' machines?''. My
solution clearly provides that, and just a little bit more, it also
protects each customer from each other from casual attacks.

> Jay
>
> --- "Rodney W. Grimes" wrote:
> > > Hello,
> > >
> > > We are an ISP and we want to let our customers put their own
> > > hardware into our network. But the thing we are concerned about
> > > is security of course. How can we protect our system from
> > > customers' machines?
> >
> > I would strongly suggest that you place your customers on a
> > ethernet switch. Any of the modern 10/100 switches work well for
> > this. Each customer gets 1 port on the switch, if they have more
> > than 1 machine they install their own hub connected to the switch.
> > This prevents them from sniffing other customers traffic. Then you
> > need to setup a router between this switch and your DMZ with a
> > firewall rule set that stops all the nasty stuff like RFC1918 nets,
> > smurf amplifier (block the broadcast addresses to all known
> > subnets), etc.
> >
> > > I have heard about something called "virtual network" but I am
> > > not sure of what it means and even if it is the thing I am
> > > searching for ?
> >
> > You don't need VLANs for this, it's overkill.
> >
> > --
> > Rod Grimes - KD7CAX - (RWG25)
> > rgrimes@gndrsh.dnsmgr.net
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> __________________________________________________
> Do You Yahoo!?
> Bid and sell for free at http://auctions.yahoo.com

--
Rod Grimes - KD7CAX - (RWG25)
rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
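The filtering router described in the quoted reply (drop RFC1918 addresses, drop packets aimed at the broadcast address of any known subnet so nobody on the segment can be used as a smurf amplifier, and filter in both directions) can be modelled as a small, testable rule set. The block below is an added example and is not code from the thread or from FreeBSD; the subnets, the interface names `from_customers` / `to_customers` and the packet list are all constructed for illustration. It also goes one step beyond the list in the quoted mail by adding a source-address check per interface (each side may only source its own prefixes), which is the usual meaning of "full and correct filtering" but is not spelled out in the original.

```python
import ipaddress

# Constructed topology (an assumption for this example, not addresses from the thread):
# the customer colocation switch hangs off one router port, the ISP's DMZ off another.
CUSTOMER_SUBNETS = [ipaddress.ip_network("203.0.113.0/26"),
                    ipaddress.ip_network("203.0.113.64/26")]
ISP_SUBNETS = [ipaddress.ip_network("198.51.100.0/24")]
KNOWN_SUBNETS = CUSTOMER_SUBNETS + ISP_SUBNETS

# The private ranges from RFC 1918; neither side should ever source or address them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FROM_CUSTOMERS = "from_customers"   # packet arrived on the switch-facing router port
TO_CUSTOMERS = "to_customers"       # packet arrived on the ISP/Internet-facing port


def in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def is_rfc1918(addr):
    return in_any(addr, RFC1918)


def is_directed_broadcast(addr):
    """The smurf check: a destination equal to the broadcast address of a
    subnet we know about, regardless of which side the packet came from."""
    return any(addr == net.broadcast_address for net in KNOWN_SUBNETS)


def filter_packet(direction, src, dst):
    """Return 'pass' or 'drop: <reason>' for one packet.  Rules are checked
    in order; the first match decides, as a real rule set would."""
    if direction not in (FROM_CUSTOMERS, TO_CUSTOMERS):
        raise ValueError("unknown interface: %r" % direction)
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    # 1. RFC1918 addresses never cross the router in either direction.
    if is_rfc1918(src) or is_rfc1918(dst):
        return "drop: rfc1918"

    # 2. Directed broadcasts to any known subnet are dropped in both
    #    directions: customers cannot smurf the ISP, and the Internet
    #    cannot use the customer segment as an amplifier.
    if is_directed_broadcast(dst):
        return "drop: directed-broadcast"

    # 3. Anti-spoof (assumption, beyond the thread's explicit list):
    #    traffic from the customer port must carry a customer source,
    #    and nothing arriving from the outside may claim a customer source.
    if direction == FROM_CUSTOMERS and not in_any(src, CUSTOMER_SUBNETS):
        return "drop: spoofed-source"
    if direction == TO_CUSTOMERS and in_any(src, CUSTOMER_SUBNETS):
        return "drop: spoofed-source"

    return "pass"


def apply_ruleset(packets):
    """Run every (direction, src, dst) triple through the filter."""
    return [(d, s, t, filter_packet(d, s, t)) for d, s, t in packets]


# Constructed sample traffic, one packet per rule outcome.
SAMPLE_PACKETS = [
    (FROM_CUSTOMERS, "203.0.113.5", "198.51.100.10"),    # customer -> ISP host: pass
    (TO_CUSTOMERS, "192.0.2.7", "203.0.113.5"),          # Internet -> customer host: pass
    (FROM_CUSTOMERS, "10.1.2.3", "198.51.100.10"),       # private source: drop
    (FROM_CUSTOMERS, "203.0.113.5", "198.51.100.255"),   # customer smurfing the ISP: drop
    (TO_CUSTOMERS, "192.0.2.7", "203.0.113.63"),         # Internet smurfing customers: drop
    (FROM_CUSTOMERS, "192.0.2.7", "198.51.100.10"),      # customer spoofing outside addr: drop
    (TO_CUSTOMERS, "203.0.113.9", "203.0.113.8"),        # outside spoofing a customer: drop
]

if __name__ == "__main__":
    for d, s, t, verdict in apply_ruleset(SAMPLE_PACKETS):
        print("%-15s %16s -> %-16s %s" % (d, s, t, verdict))
```

Rule order matters: the broadcast check sits before the anti-spoof check so that a spoofed smurf trigger is logged as the amplification attempt it is, and the RFC1918 rule sits first because nothing else needs to look at such a packet.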