"Paul D. Robertson" wrote:
> 
> Diederik Schouten wrote:
> > What if your router has a /16 on one side, if they are able to
> >  mess with the switch connected to your routed firewall you are 
> > down anyway.
> 
> A routed firewall generally only has one MAC entry associated with its
> port, so the "add lots of MAC entries to the switch" stuff won't happen
> through the routing firewall.

I think that point was actually about the switch on the 
lesser-trusted side of the firewall, and, yes, that switch
can definitely be screwed around with, the same way that
someone could ARP spoof the default gateway and deny 
internet service to any type of firewall.

BUT, and I think this is a fairly big one: they still don't get 
to touch the internal network. If internet access is all you
worry about, and you don't have additional security zones, I'd
consider this a draw. But if your internal network needs to stay
up independently of the internet connection (almost always true?), 
and/or you have multiple security zones (often true)?
I claim a point! :)


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"
_______________________________________________
Firewalls mailing list
http://lists.gnac.net/mailman/listinfo/firewalls
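Added example, not from this thread or any of its authors: a small defender-side monitor for the two switch-side problems discussed above, an ARP reply that claims the default gateway's IP with a different MAC, and a switch port that suddenly learns a large number of source MACs (the routed-firewall port should only ever show one). All addresses, port names, thresholds and events are constructed sample data.

```python
from collections import defaultdict

# Trusted gateway IP -> MAC bindings, e.g. recorded at install time (constructed values).
TRUSTED_GATEWAYS = {"192.0.2.1": "00:00:5e:00:53:01"}

# Constructed ARP replies seen on the lesser-trusted segment: (seconds, sender_ip, sender_mac).
ARP_REPLIES = [
    (0, "192.0.2.1", "00:00:5e:00:53:01"),
    (1, "192.0.2.20", "00:00:5e:00:53:20"),
    (2, "192.0.2.1", "00:00:5e:00:53:66"),   # gateway IP now claimed by another MAC
    (3, "192.0.2.1", "00:00:5e:00:53:66"),
]

# Constructed per-port source-MAC observations: (seconds, switch_port, source_mac).
# Gi0/1 is the routed firewall's port (one MAC); Gi0/7 learns 300 distinct MACs in 30 s.
FRAMES = [(t, "Gi0/1", "00:00:5e:00:53:01") for t in range(5)] + \
         [(t // 10, "Gi0/7", f"02:00:00:00:{t // 256:02x}:{t % 256:02x}") for t in range(300)]


def gateway_spoof_alerts(replies, trusted=TRUSTED_GATEWAYS):
    """Return (time, ip, bad_mac) for each ARP reply claiming a trusted gateway IP with the wrong MAC."""
    return [(t, ip, mac) for t, ip, mac in replies
            if ip in trusted and mac.lower() != trusted[ip].lower()]


def mac_flood_ports(frames, window=60, threshold=100):
    """Return {port: distinct_macs} for ports where the number of distinct source MACs
    seen within any `window`-second span reaches `threshold`."""
    per_port = defaultdict(list)
    for t, port, mac in frames:
        per_port[port].append((t, mac))
    flagged = {}
    for port, obs in per_port.items():
        obs.sort()
        for i, (t0, _) in enumerate(obs):
            seen = {m for t, m in obs[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged[port] = len(seen)
                break
    return flagged


if __name__ == "__main__":
    print("gateway spoof alerts:", gateway_spoof_alerts(ARP_REPLIES))
    print("flooded ports:", mac_flood_ports(FRAMES))
```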