From owner-freebsd-security Fri Aug 20 22:17: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.xmission.com (mail.xmission.com [198.60.22.22])
    by hub.freebsd.org (Postfix) with ESMTP id D3C0214FED
    for ; Fri, 20 Aug 1999 22:17:00 -0700 (PDT)
    (envelope-from wes@softweyr.com)
Received: from [204.68.178.39] (helo=softweyr.com)
    by mail.xmission.com with esmtp (Exim 2.12 #1)
    id 11I3U0-0002ei-00; Fri, 20 Aug 1999 23:14:24 -0600
Message-ID: <37BE35AE.23088FB2@softweyr.com>
Date: Fri, 20 Aug 1999 23:14:22 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Cliff Skolnick
Cc: Bigby Findrake, jay d, "Rodney W. Grimes", Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Cliff Skolnick wrote:
>
> Hacked arp code on one machine could return a broadcast or multicast
> ethernet address to an arp query for any machine.  The switch would then
> treat all traffic as broadcast sending it to every port.  Since the machine's
> TCP/IP layer would receive the packet it would still be on the network, of
> course it would be receiving and dropping a bit more.  Performance may be
> affected. :)
>
> You really want the machines on a separate segment and to be routed instead
> of switched.

No, you don't, you want them on separate VLANs, each of which is its own
broadcast domain.  Then your trick won't do anything at all.

Go read http://www.xylan.com/library/switchbook/index.html and read "The
Switching Book II."  It's a short read, and will bring you up to date on
what VLANs are and how they can protect segments of your network.  Then
look around for a reasonably priced VLAN-capable switch and learn how to
use it.

Check out http://www.shopper.com/prdct/721/192.html for a head start on your
shopping.  ;^)  For a better price/port, see
http://www.shopper.com/prdct/768/063.html

These guys are very hard to beat -- for a few more months.  ;^)

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                            Softweyr LLC
http://softweyr.com/                              wes@softweyr.com
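
Added example (not part of the original thread or any poster's code): a defensive check for the condition described in the quoted text, an ARP packet whose sender hardware address is a broadcast or multicast Ethernet address. The function names, MAC and IP values, and sample frames are constructed for illustration.

```python
import struct

def is_group_mac(mac: bytes) -> bool:
    # The I/G bit (least-significant bit of the first octet) is 1 for
    # multicast; broadcast ff:ff:ff:ff:ff:ff is the all-ones case.
    return bool(mac[0] & 0x01)

def check_arp_frame(frame: bytes):
    """Return a finding if an ARP packet advertises a group sender MAC, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if ethertype != 0x0806 or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet/IPv4 ARP only
        return None
    sha, spa = frame[off + 8:off + 14], frame[off + 14:off + 18]
    if not is_group_mac(sha):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "claimed_ip": ".".join(str(b) for b in spa),
        "claimed_mac": sha.hex(":"),
        "frame_src": frame[6:12].hex(":"),  # real source port/host to investigate
    }

def build_arp(src, dst, oper, sha, spa, tha, tpa, vlan=None):
    """Build a constructed test frame (not captured traffic)."""
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return dst + src + tag + struct.pack("!H", 0x0806) + arp

HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
IP_A, IP_B = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])

SAMPLES = [
    build_arp(HOST_A, HOST_B, 2, HOST_A, IP_A, HOST_B, IP_B),  # normal reply
    build_arp(HOST_A, HOST_B, 2, BCAST, IP_A, HOST_B, IP_B),   # broadcast claimed
    build_arp(HOST_A, HOST_B, 2, bytes.fromhex("01005e000001"), IP_A, HOST_B, IP_B, vlan=10),
]
FINDINGS = [check_arp_frame(f) for f in SAMPLES]
if __name__ == "__main__":
    print(FINDINGS)
```

The `frame_src` field is reported separately from `claimed_mac` because the Ethernet source address of the frame, not the address inside the ARP payload, is what the switch's forwarding table ties to a physical port.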