Hi Luigi, > vmware certifies the solution "DMZ+LAN" within a single vmware host with two > vswitches.
This sounds highly questionable, especially after reading the article of Brad. The same goes with Cisco of course. So what else than the marketing guy certification can we get? Before designing an architecture, I need much more. > This is of course true until proven false, that is sending IP packets from the > LAN or DMZ to Internet and viceversa bypassing the firewall protection. > > If you keep the netwok separated you bet that another piece of code (the > firewall) could not be compromised. Sure but in that case, this is not the same code, nor the same editor, hardware, etc. Of course there are exploits too, but the probability of having 2 exploits on totally differents devices at the same time is lower than only 1 exploit. - phocean _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
