pbb jhe wrote:
> 
> Calling assistance of security gurus:
> 
> Assuming a router and two servers (A & B) are
> connected via a shared hub. Ethernet interface of the
> router is configured with primary & secondary IP (both
> different subnets). Meanwhile server A is located in
> one subnet while server B is on another subnet.
> 
> a. Can the above setup work?

Yes, but remember the two systems are on the same physical wire and
will see all of each other's traffic at the NIC. It's certainly not
a configuration that provides much security.

Also, any traffic between the two servers will travel through
the router unless you disable split horizon (no ip split-horizon
on a Cisco router).

> b. With the above configuration, will there be two
> route entries in the router and other routers that the
> router in this case is communicating to?

There will be a route entry for each subnet unless they're
contiguous and the routing protocol you're using supports
aggregation.

> c. Do NT, Solaris, OS/2 and Linux support secondary
> IP?

If you're talking about the servers, they won't be aware
of the primary/secondary issue. Note that some DHCP servers
have problems servicing secondary subnets.

> d. What is the performance impact (CPU, memory,
> processing speed) to router and server? Any workaround

We've got lots of secondaries with no apparent problems
although no performance tests were done with and without them.
Just remember, traffic between hosts on the same wire but
with different subnets will travel through the router.

> e. Will the above setup protect server A from
> accessing server B?

Only if the servers aren't compromised. They'll both
see the same wire traffic. Installation of a sniffer
or reconfiguration of subnet mask or IP address would
allow direct sampling of the other's data or direct
communication.

Man in the middle attacks may be trivial to perform
in this environment.

A more secure way would be to replace the hub with a
switch that supports VLANs and create two sub-interfaces
on the router to feed the two VLANs. You'd have more
isolation. However, even VLANs aren't commonly accepted
as a security isolator. However, in my limited understanding,
to compromise them you need access to the physical wire to
inject packets.

If you want a secure configuration, at a minimum you'll
need to buy a switch, or better, a separate router 
interface.

Gary Flynn
Security Engineer
James Madison University
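As an added illustration (not part of Gary's reply or the original thread), here are the two Cisco IOS interface layouts he contrasts: the shared-hub interface carrying a primary and a secondary address, and the VLAN-trunk design with one 802.1Q subinterface per VLAN. It goes one step past the reply by adding an access list on the router so that the A-to-B path, which now must cross the router, can actually be filtered. Interface names, IP addresses, VLAN IDs and ACL numbers are assumed sample values.

```cisco
! Constructed example, not taken from the thread.
! Interface names, addresses, VLAN IDs and ACL numbers are assumptions.
!
! (a) Shared hub: one interface, primary + secondary address.
!     Both subnets share one broadcast domain, so server A and
!     server B see each other's frames at the NIC regardless of
!     what the router does.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip address 198.51.100.1 255.255.255.0 secondary
!
! (b) VLAN-capable switch: router port is an 802.1Q trunk with one
!     subinterface per VLAN. Each subnet is its own broadcast domain;
!     A-to-B traffic can only flow through the router, where the
!     inbound ACL below decides whether it is allowed at all.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 description Server A VLAN
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 ip access-group 110 in
!
interface FastEthernet0/0.20
 description Server B VLAN
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
 ip access-group 120 in
!
! Deny traffic from the A subnet into the B subnet, log the attempts
! (useful for detection), allow everything else; and the reverse.
access-list 110 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 log
access-list 110 permit ip any any
access-list 120 deny   ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 log
access-list 120 permit ip any any
```

The ACL only helps in design (b): in design (a) the hosts can still reach each other directly on the wire, which is the point Gary makes in his answer to question e.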