Date: Fri, 20 Aug 1999 23:17:46 -0600 From: Wes Peters <wes@softweyr.com> To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> Cc: jay d <service_account@yahoo.com>, Evren Yurtesen <yurtesen@ispro.net.tr>, freebsd-security@FreeBSD.ORG Subject: Re: multiple machines in the same network Message-ID: <37BE367A.C6FB893C@softweyr.com> References: <199908210027.RAA25131@gndrsh.dnsmgr.net>
next in thread | previous in thread | raw e-mail | index | archive | help
"Rodney W. Grimes" wrote: > > I already said to put the switch on it's own router port with full > and correct filtering. I see a lot of people replying to ``put them > on thier own segment''. Now I am not sure if they mean put each individule > customer on there own segment, or to lump them all togeather on one segment. > My model was to put them all on one switch, with that whole segment of > the network seperated and protocted in both directions from any of the > ISP's and Internet stuff via a router with filtering capability. Putting > 2 customers on any one segment is always a bad idea, it allows either > to compromise the other easily by simple tcpdump style sniffing. > > The customer per router port is probably the most secure model, even > more secure than a VLAN switch and single filtered router port, it is > also the most expensive model. Ah hell, just buy a switch/router and get the whole mess in one box. If you buy the RIGHT one, you can get your wide area/internet link AND your firewall all in the same box. Anyone who thinks a router provides more security than a VLAN switch doesn't understand how VLANs work. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC http://softweyr.com/ wes@softweyr.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?37BE367A.C6FB893C>