Date: Sun, 11 Sep 2005 10:16:57 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Blake Covarrubias <blake@yfug.yumaed.org>
Cc: freebsd-isp@freebsd.org
Subject: Re: VLAN interfaces on FreeBSD; performance issues
Message-ID: <43243C59.4040201@mac.com>
In-Reply-To: <E2ADC8F5-3BFF-4140-82C1-E7083F25CC81@yfug.yumaed.org>
References: <ED8E7F5B-7E3F-40D8-8993-76E9AB8226F9@yfug.yumaed.org> <4322FDC4.8010609@mac.com> <E2ADC8F5-3BFF-4140-82C1-E7083F25CC81@yfug.yumaed.org>
Blake Covarrubias wrote:
> On Sep 10, 2005, at 8:37 AM, Chuck Swiger wrote:
[ ... ]
>> fxp is good NIC hardware. However, if you are trying to connect
>> two distinct subnets, playing ISO layer-2 games with VLANs is not
>> going to result in a good substitute for layer-3 IP routing.
>>
>> You cannot truthfully multihome a machine with a single NIC.
>
> My goal is to make this machine a gateway for several servers that I
> need to segment that will be on different IP subnets. I could always
> just alias the IPs to the NIC on the gateway machine, but I need
> layer-2 separation for security.

If you need layer-2 separation for security, then you need to put each of
these machines or tiny subnets on separate hubs or switches. Simply putting
them all onto one switch and putting ports onto different VLANs does not
give adequate isolation in practice even from non-malicious traffic, as you
might discover if you monitor for ARP traffic leaking through (especially
under high packet rate load). A malicious user can use mechanisms discussed
here:

http://www.sans.org/resources/idfaq/vlan.php
http://archives.neohapsis.com/archives/sf/pentest/2001-06/0139.html

"Try not to use VLANs as a mechanism for enforcing security policy. They
are great for segmenting networks, reducing broadcasts and collisions and
so forth, but not as a security tool."

> I'm doing this for co-located servers (hence the need for segmentation).
> I don't think it's feasible to add a NIC for every new machine.

You don't need a separate NIC or hub for each new machine, but you ought to
have one for each distinct security domain (or client, or whatever).

(If my packets and their packets all go to the same switch port, my traffic
is not actually being isolated from their traffic, VLAN tagging or no.)

-- 
-Chuck
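Chuck's suggestion to "monitor for ARP traffic leaking through" is easy to turn into a concrete check. The following is an added example, not code from the mail or from FreeBSD: it parses raw Ethernet frames, peels off any stacked 802.1Q tags, and reports ARP frames that a given switch port should never have seen. The scenario is assumed: the gateway's single NIC is a trunk meant to carry only VLANs 10 and 20, and the frames, MACs and addresses below are constructed inline so the script runs offline. Beyond the plain leak check in the mail it also flags double-tagged ARP frames (more than one 802.1Q header), the general pattern behind VLAN-hopping attempts. In practice the frame list would come from a capture on the trunk (for instance a pcap taken with tcpdump on the parent interface), which this example does not do.

```python
import ipaddress
import struct

# Assumed scenario (not from the original mail): the gateway's single NIC is
# a trunk that should carry only VLANs 10 and 20. All frames are constructed.
ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Minimal 28-byte ARP 'who-has' payload (RFC 826 layout)."""
    return struct.pack("!HHBBH6s4s6s4s",
                       1, ETHERTYPE_IPV4, 6, 4, 1,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags (PCP/DEI = 0)."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, the VLAN IDs (outermost first), the EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, vids = 14, []
    while ethertype == ETHERTYPE_VLAN:          # walk every stacked 802.1Q header
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vids.append(tci & 0x0FFF)               # low 12 bits of the TCI are the VID
        off += 4
    return {"dst": dst, "src": src, "vids": vids, "ethertype": ethertype, "payload": frame[off:]}


def audit_arp(frames, allowed_vids):
    """Flag ARP frames that should never reach this port.

    allowed_vids: VLAN IDs the port is meant to carry; include None if
    untagged (native-VLAN) traffic is expected as well.
    Returns a list of (frame index, reason).
    """
    findings = []
    for i, frame in enumerate(frames):
        p = parse_frame(frame)
        if p["ethertype"] != ETHERTYPE_ARP:
            continue
        # Sender protocol address sits at offset 14 of the ARP payload.
        spa = str(ipaddress.IPv4Address(p["payload"][14:18])) if len(p["payload"]) >= 28 else "?"
        if len(p["vids"]) > 1:
            findings.append((i, f"double-tagged ARP {p['vids']} from {spa}: possible VLAN hopping"))
        elif not p["vids"]:
            if None not in allowed_vids:
                findings.append((i, f"untagged ARP from {spa} on a port that should carry only tagged traffic"))
        elif p["vids"][0] not in allowed_vids:
            findings.append((i, f"ARP from {spa} tagged VLAN {p['vids'][0]} leaked onto this port"))
    return findings


# Constructed sample capture: MACs and addresses are made up for this example.
BCAST = mac("ff:ff:ff:ff:ff:ff")
GW = mac("00:02:b3:00:00:01")
A = mac("00:0c:29:aa:aa:aa")
B = mac("00:0c:29:bb:bb:bb")
C = mac("00:0c:29:cc:cc:cc")

SAMPLE_FRAMES = [
    build_frame(BCAST, A, [10], ETHERTYPE_ARP, arp_request(A, "10.0.10.5", "10.0.10.1")),      # expected
    build_frame(BCAST, B, [20], ETHERTYPE_ARP, arp_request(B, "10.0.20.5", "10.0.20.1")),      # expected
    build_frame(BCAST, C, [30], ETHERTYPE_ARP, arp_request(C, "10.0.30.5", "10.0.30.1")),      # leaked VLAN
    build_frame(BCAST, C, [10, 30], ETHERTYPE_ARP, arp_request(C, "10.0.30.5", "10.0.10.1")),  # double-tagged
    build_frame(GW, A, [10], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19),                          # IPv4, ignored
    build_frame(BCAST, C, [], ETHERTYPE_ARP, arp_request(C, "10.0.30.7", "10.0.30.1")),        # untagged
]

if __name__ == "__main__":
    for idx, reason in audit_arp(SAMPLE_FRAMES, {10, 20}):
        print(f"frame {idx}: {reason}")
```

Run against the constructed capture with `{10, 20}` as the allowed set, frames 2, 3 and 5 are reported; adding `30` and `None` to the allowed set silences the leak and native-VLAN findings but still reports the double-tagged frame, which is never legitimate on an access-facing trunk. Seeing another tenant's ARP on your trunk is exactly the evidence that the VLAN boundary is not a security boundary, as the mail argues.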