Date:      Fri, 20 Aug 1999 23:17:46 -0600
From:      Wes Peters <wes@softweyr.com>
To:        "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc:        jay d <service_account@yahoo.com>, Evren Yurtesen <yurtesen@ispro.net.tr>, freebsd-security@FreeBSD.ORG
Subject:   Re: multiple machines in the same network
Message-ID:  <37BE367A.C6FB893C@softweyr.com>
References:  <199908210027.RAA25131@gndrsh.dnsmgr.net>

"Rodney W. Grimes" wrote:
> 
> I already said to put the switch on its own router port with full
> and correct filtering.  I see a lot of people replying to ``put them
> on their own segment''.  Now I am not sure if they mean put each individual
> customer on their own segment, or to lump them all together on one segment.
> My model was to put them all on one switch, with that whole segment of
> the network separated and protected in both directions from any of the
> ISP's and Internet stuff via a router with filtering capability.  Putting
> 2 customers on any one segment is always a bad idea, it allows either
> to compromise the other easily by simple tcpdump style sniffing.
> 
> The customer per router port is probably the most secure model, even
> more secure than a VLAN switch and single filtered router port, it is
> also the most expensive model.

Ah hell, just buy a switch/router and get the whole mess in one box.  If you
buy the RIGHT one, you can get your wide area/internet link AND your firewall
all in the same box.  Anyone who thinks a router provides more security than
a VLAN switch doesn't understand how VLANs work.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
http://softweyr.com/                                           wes@softweyr.com

