
Re: DMZ question

On 10 Aug 2004, Steve Melo wrote:
> I have a question about setting up a DMZ. My understanding is that on a
> switch layer 3 communication cannot happen without a router, so would it be
> safe to have 3 separate networks, 

I fear to say that you are completely wrong.

A switch, unless it has specific support for doing so, will broadcast
ARP packets to all machines, and they can all talk to each other without

Even in a situation where you do have some sort of restriction in place
there are ways to bypass that, including various ARP and MAC cache
poisoning attacks that allow a "man in the middle" attack on a switch.

> (one for the internet, one for the dmz and one for the lan) all
> connected to the same switch? My idea is that the switch does not have
> the ability to connect the separate networks and all routing happens
> at the firewall machines. Any thoughts or suggestions?

You can't get the behavior you want from most switches. The best bet is
to acquire additional NIC and switch hardware and physically split out
the networks.

When you are a Bear of Very Little Brain, and you Think of Things, you find
sometimes that a Thing which seemed very Thingish inside you is quite
different when it gets out into the open and has other people looking at it.
        -- A.A.Milne, _The House at Pooh Corner_, 1928
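The reply above makes two points: three subnets on one unmanaged switch still share a broadcast domain, and ARP cache poisoning can defeat whatever separation the switch does offer. Both are visible in the ARP replies a host hears on one interface. The script below is an added example, not code from this thread; it runs two arpwatch-style checks over constructed ARP records and assumed interface-to-subnet assignments: an ARP sender outside the interface's own subnet (evidence the "separate" networks are really one segment), and an IP whose MAC changes (the symptom of poisoning).

```python
"""Added example (not from the thread): two defender checks over ARP replies
seen on one interface. SEGMENTS and CONSTRUCTED_ARP are constructed data."""
import ipaddress

# Constructed layout: the subnet each interface is *supposed* to see.
SEGMENTS = {
    "eth0": ipaddress.ip_network("192.168.1.0/24"),   # LAN
    "eth1": ipaddress.ip_network("192.168.2.0/24"),   # DMZ
}

# Constructed ARP replies as (interface, sender IP, sender MAC).
CONSTRUCTED_ARP = [
    ("eth0", "192.168.1.1", "00:11:22:33:44:01"),   # LAN gateway, first seen
    ("eth0", "192.168.1.10", "00:11:22:33:44:0a"),
    ("eth0", "192.168.2.5", "00:11:22:33:44:05"),   # DMZ host heard on LAN port
    ("eth0", "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP claims new MAC
    ("eth0", "192.168.1.1", "00:11:22:33:44:01"),   # flips back: poisoning sign
]


def check_arp(records, segments):
    """Return a list of alerts, in the order the records were seen:
    ('foreign', iface, ip)   sender IP outside the interface's subnet, i.e.
                             the segments share one broadcast domain;
    ('mac-change', iface, ip, old_mac, new_mac)   an IP changed MAC.
    """
    last_mac = {}   # (iface, ip) -> most recently claimed MAC
    alerts = []
    for iface, ip, mac in records:
        mac = mac.lower()
        if ipaddress.ip_address(ip) not in segments[iface]:
            alerts.append(("foreign", iface, ip))
            continue   # not a host of this segment, so nothing to track
        key = (iface, ip)
        old = last_mac.get(key)
        if old is not None and old != mac:
            alerts.append(("mac-change", iface, ip, old, mac))
        last_mac[key] = mac
    return alerts


if __name__ == "__main__":
    for alert in check_arp(CONSTRUCTED_ARP, SEGMENTS):
        print(alert)
```

On the constructed data this reports one foreign sender and two MAC changes for the gateway address; feeding it real ARP replies from the LAN port of such a shared switch is the quickest way to see whether the DMZ is actually separate.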
