On 6/19/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:
> On Tue, Jun 19, 2007 at 01:47:22PM -0500, Bill Marquette wrote:
>
> > Low end switches have a tendency to not have enough ram or cpu to
> > handle a high volume mac spoofing attack and will usually end up
>
> If the switches are behind the pfsense firewall, and the users
> are trusted, will this still happen? (Okay, if DMZ is compromised,
> and attack is launched from within).

Ahh, see there's your first problem.  You trust your users :)  I don't
even trust myself, I'm certainly not about to trust my users :)  At
any rate, sounds like you don't have a solid need for the physical
separation, it's best practice, but not always the right answer to the
problem at hand.  Any separation is better than no separation.  And
honestly, if your DMZ gets compromised, the LAN is likely the least of
your worries - the hope would be that you have good enough logging
practices that if the DMZ is compromised that you _catch_ it before
the attacker makes it to the LAN.

> > turning into a hub under this kind of attack, rendering your vlans
> > useless.  Plus you are relying on software to keep your network
> > segregated, physical separation is easier to keep the paranoia down ;)
>
> My dayjob is not exactly Fort Knox, and we do occasionally have

Mine is ;)

> incidents (best firewall is useless if people put default
> accounts out, or the web application behind the firewall
> is written by security naifs).

Those are all audited pre-deployment, nothing goes online unless it's
certified (sometimes that process is ummm challenging ;))

--Bill
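The thread's point is that a low-end switch hit by MAC flooding runs out of CAM space and falls back to hub behaviour, so VLAN separation stops meaning anything. One defender-side check is to watch how many distinct MACs each access port is learning, and whether one MAC shows up on several ports. The example below is added here and is not code from the thread or from pfSense; the table format and the per-port threshold (`max_macs=3`) are assumptions, and the table dump itself is constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample of a switch MAC/CAM table dump (not from the thread).
# Assumed column layout: "<vlan> <mac> <type> <port>", as many managed
# switches print it; Gi0/3 is deliberately learning far too many addresses.
SAMPLE_MAC_TABLE = """\
10  0011.2233.4455  DYNAMIC  Gi0/1
10  0011.2233.4456  DYNAMIC  Gi0/2
20  00aa.bbcc.dd01  DYNAMIC  Gi0/3
20  00aa.bbcc.dd02  DYNAMIC  Gi0/3
20  00aa.bbcc.dd03  DYNAMIC  Gi0/3
20  00aa.bbcc.dd04  DYNAMIC  Gi0/3
20  00aa.bbcc.dd05  DYNAMIC  Gi0/3
10  0011.2233.4455  DYNAMIC  Gi0/3
"""

ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)

def parse_mac_table(text):
    """Return (vlan, mac, port) tuples for every row that matches the layout."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows

def macs_per_port(rows):
    """Number of distinct MACs learned on each port."""
    per_port = defaultdict(set)
    for _vlan, mac, port in rows:
        per_port[port].add(mac)
    return {port: len(macs) for port, macs in per_port.items()}

def flooding_ports(rows, max_macs=3):
    """Ports learning more MACs than an access port plausibly should (threshold is assumed)."""
    return sorted(p for p, n in macs_per_port(rows).items() if n > max_macs)

def duplicated_macs(rows):
    """MACs seen on more than one port: a spoofing or duplication indicator."""
    ports = defaultdict(set)
    for _vlan, mac, port in rows:
        ports[mac].add(port)
    return {mac: sorted(ps) for mac, ps in ports.items() if len(ps) > 1}

if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_MAC_TABLE)
    print("per-port counts:", macs_per_port(rows))
    print("possible flooding on:", flooding_ports(rows))
    print("MACs seen on multiple ports:", duplicated_macs(rows))
```

Feeding this a periodic dump from the switch (or alerting on the switch's own MAC-move notifications) gives the kind of logging Bill describes: a way to catch the DMZ compromise before it reaches the LAN, rather than discovering it after the fact.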
