
Re: Firewall to two networks



On 08/28/2002 11:01:35 AM Douglas Guptill wrote:
>> On Fri, Aug 23, 2002 at 10:53:28AM +0100, Chris Evans wrote:
>> > On 22 Aug 2002 at 12:01, Vince Mulhollon wrote:
>>
>> > If anyone can find time to comment on these thoughts and my posting
>> > of the route and ifconfig information on the list last night, I'd

Careful now, that would be Chris's comments not mine.

>> So the machine has two ethernet cards (one for the outside world,
>> and one for the inside world), yet handles four separate internal
>> networks.

Yes, that is cool, but that is not four separate networks.
If someone hacks a box on the 142. net they can DoS the 192. net, or
traffic-sniff the 192. net, or whatever.

This technique is useful when doing webhosting, as one box can appear to be
"x" number of "independent" webservers.
But it doesn't really increase security because those "separate" nets are
all on the same physical cable.

Also much excitement can occur if you don't trust the users.  If for
example everyone on 192. is supposed to be proxied and everyone on 142. is
supposed to be a public server, if they're all on the same cable there is
nothing stopping a workstation user from changing their IP to a 142.
However, if they were on physically separate cables, there would be no way
for a workstation guy to hijack a server ip address.
For example, a new guy installs a new PC and decides to use 142.a.b.c.
Unfortunately that is the IP address of the corporate email server.  If using
physically separate cables, the new guy can't cause any damage when he
plugs into the 192. cable with that address.  However, if you share those
networks on the same cable, the new guy just knocked out the corporate
email server.
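An added check for the situation described in this post (example code, not from the thread or its authors): from an `arp -an` style snapshot it reports subnets that were learned on the same interface, i.e. share one cable, and any IP answered by more than one MAC, which is what the mail-server collision above looks like from the router. The subnets and ARP lines are constructed sample data, not real hosts.

```python
import ipaddress
import re
from collections import defaultdict

# Subnets the admin believes are "separate" (constructed; the post only
# gives the 142. and 192. prefixes).
SUBNETS = [ipaddress.ip_network("142.0.0.0/24"),
           ipaddress.ip_network("192.168.1.0/24")]

# Constructed ARP snapshot in the shape of `arp -an` output. The third
# line is a second MAC claiming the mail server's address.
SAMPLE_ARP = """\
? (142.0.0.10) at 00:11:22:33:44:55 [ether] on eth1
? (192.168.1.20) at 00:11:22:33:44:66 [ether] on eth1
? (142.0.0.10) at de:ad:be:ef:00:01 [ether] on eth1
? (192.168.1.21) at 00:11:22:33:44:77 [ether] on eth1
"""

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) .* on (?P<iface>\S+)")

def parse_arp(text):
    """Return (ip, mac, iface) tuples from arp -an style lines."""
    out = []
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            out.append((ipaddress.ip_address(m["ip"]),
                        m["mac"].lower(), m["iface"]))
    return out

def shared_segments(entries, subnets):
    """Interfaces carrying more than one of the 'separate' subnets,
    i.e. subnets that are really on the same broadcast domain."""
    seen = defaultdict(set)
    for ip, _mac, iface in entries:
        for net in subnets:
            if ip in net:
                seen[iface].add(str(net))
    return {i: sorted(n) for i, n in seen.items() if len(n) > 1}

def duplicate_ips(entries):
    """{ip: sorted MACs} for every IP claimed by more than one MAC."""
    macs = defaultdict(set)
    for ip, mac, _iface in entries:
        macs[str(ip)].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

if __name__ == "__main__":
    entries = parse_arp(SAMPLE_ARP)
    print("subnets sharing one cable:", shared_segments(entries, SUBNETS))
    print("IPs with conflicting MACs:", duplicate_ips(entries))
```

A real conflict can also be caught early by logging ARP replies and alerting on a MAC change for a server address, which is the same comparison as `duplicate_ips` run continuously.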
