[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: I want to have my cake and eat it too

In article <> 
ianj@westnet.com.au writes:
>I wasn't seeking total security for my network from visitors, whom I'm 
>willing to assume are benign.
>I find it interesting that there isn't a secure solution to my problem, its 
>seems a common enough requirement.

Depending on your level of paranoia, another thing you can do is used
managed switches and program them not to only use programmed ethernet
address/ethernet port tables and not listen to arp.  This way the only
broadcast and traffic specific to the port being snooped on could be
snooped, and they can only imitate the ethernet address specific to
the port they use.  (If this is a port designated to a laptop not
physically present, they may have difficulty determining the ethernet
address to use.)  Don't leave unused ports active.  You could even
disable ports during times the system shouldn't be in use.

You may want to separate your user groups into separate vlans.

Visitor ports should be on a separate vlan that does allow arp, and has
appropriate paranoia.
Blars Blarson			blarson@blars.org
"Text is a way we cheat time." -- Patrick Nielsen Hayden

Reply to: