Date: Fri, 20 Aug 1999 23:00:08 -0700 (PDT)
From: Cliff Skolnick <cliff@steam.com>
To: Wes Peters
Cc: "Rodney W. Grimes", jay d, Evren Yurtesen, freebsd-security@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <37BE367A.C6FB893C@softweyr.com>

On Fri, 20 Aug 1999, Wes Peters wrote:

> Ah hell, just buy a switch/router and get the whole mess in one box. If you
> buy the RIGHT one, you can get your wide area/internet link AND your firewall
> all in the same box. Anyone who thinks a router provides more security than
> a VLAN switch doesn't understand how VLANs work.

With a nice router I can almost always set up filtering and policies on how
ports exchange traffic. It's really hard to create a good packet filter on a
layer 2 device, let alone one that can keep state like a FreeBSD box used as a
router/firewall. 4-port Ethernet cards are less than $500 now, so you can
build the box with a really low per-port cost. The box costs $2000 for 8 ports,
at about $250/port. Sure, segment your switch into VLANs, then set up a device
to route between them and give you some firewalling. Sure, there are some
switches that do provide extensive filtering and even load balancing, but
those are usually a bit more than $250/port.

I think this is similar to the packet filter vs. gateway debate; people like
to manage at different levels in the network stack. If you want to manage at
layer 2 you need to add lots of smarts to the switch to understand how IP
packets work for an effective filter. Managing IP at layer 3 is managing a
protocol where it lives. As in the router/gateway debate, some will say
understanding the packets is not enough and you need to understand the
payload, hence the gateway approach. Draw a line and stick a stake in the
ground where you as a professional are comfortable.

I sure do understand how VLANs work; I use them all the time. I'm pretty sure
that high-end switch you are talking about actually does have a router in
there somewhere and is not a simple switch; at least I've never seen a simple
switch that will handle a WAN link. All of my switches that I've segmented
into VLANs have the VLANs glued together with an RSM or an external router.

Now, saying that, I am always amazed at how far up the network stack some
switches will crawl. Right now I'm playing with some switches that will load
balance HTTP connections by binding virtual (ip, port) pairs to real
(ip, port) pairs; they are sure getting smarter.

Cliff

--
Cliff Skolnick, Steam Tunnel Operations
cliff@steam.com
http://www.steam.com/
"They that can give up essential liberty to obtain a little temporary safety
deserve neither liberty nor safety." -- Benjamin Franklin, 1759