Re: DMZ question

To: debian-firewall@lists.debian.org
Subject: Re: DMZ question
From: Matthew Palmer <mpalmer@debian.org>
Date: Tue, 10 Aug 2004 08:34:12 +1000
Message-id: <[🔎] 20040809223412.GB29736@hezmatt.org>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <[🔎] 001901c47e1b$3bc04690$3c01a8c0@tftpd>
References: <[🔎] 001901c47e1b$3bc04690$3c01a8c0@tftpd>

On Mon, Aug 09, 2004 at 10:14:50AM -0400, Steve Melo wrote:
> I have a question about setting up a DMZ.  My understanding is that on a
> switch layer 3 communication cannot happen with out a router, so would it be
> safe to have 3 separate networks, (one for the internet, one for the dmz and
> one for the lan) all connected to the same switch? My idea is that the
> switch does not have the ability to connect the separate networks and all
> routing happens at the firewall machines.  Any thoughts or suggestions?

Don't do it, man!  The point about having a DMZ is that if I get a machine
in your DMZ I haven't got your internal network, but with your idea I do,
because I can setup an alias interface in your local netspace and I'm in. 
At worst it might take me 10 minutes to find out what your internal netrange
is (ARP flood the switch so it drops back to broadcast mode, and then sniff
some packets on the internal network).

You can do what you want to do with one physical switch if you've got a
managed one capable of having VLANs defined on it, but if you've got that
much money you can just buy three 10/100Mb regular switches.  But what you
want to do is the worst kind of false security.

- Matt

Reply to:

References:
- DMZ question
  - From: "Steve Melo" <smelo@communitytrust.ca>

Prev by Date: Re: Iptable NAT problem
Next by Date: Firestarter logging
Previous by thread: Re: DMZ question
Next by thread: Re: DMZ question
Index(es):
- Date
- Thread