
Re: selecting old machines for firewall/router use



Pascal Hambourg put forth on 2/21/2011 3:51 PM:
> Stan Hoeppner wrote:
>>
>> You only need one
>> NIC in your firewall box when using a switch.  You simply plug
>> everything into the switch including the DSL modem and the Netgear.
>> Bind both the public and private IP addresses to the same NIC in the
>> firewall using a virtual NIC: i.e. eth0 and eth0:1.
> 
> This is a wrong idea because the firewall can be by-passed, leaving a
> hole in the LAN security.

Would you mind explaining why you believe this?

The DSL modem is an ethernet to ATM bridge and the connection to the
DSLAM is point-to-point.  So, with my recommended setup, while in theory
broadcast packets could reach the other end, typically the DSLAM is
going to instantly drop any such packets as they have no valid
destination.  Thus, nothing on the public side of the bridge is going to
know the MAC addresses of internal hosts except the DSLAM, so there's no
chance of things like an ARP attack.

For this to be a real security issue, any attack must start below the IP
level, eliminating any threat from a remote internet host.  The attacker
would have to be a telco employee generating attack packets from the
DSLAM itself.  The odds of this are probably lower than being struck by
lightning while being attacked by a shark.

Remember, the OP has xDSL service, _not_ cable.  If he'd said cable, I'd
not have recommended what I did, as cable is a shared medium, and
broadcast traffic is seen by other customers' equipment on the same
segment.  What I proposed is perfectly safe for xDSL.  For a cable
situation, you should have two physical NICs in the firewall to
eliminate the possibility of broadcast traffic and things like ARP attacks.

-- 
Stan
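
To make the two layouts under discussion concrete, here is a small layer-2 model. It is an editor's addition, not code from the thread, and the device names, MAC addresses and the hosts pc1/pc2 are constructed. A switch delivers a unicast frame only to the port owning the destination MAC and floods broadcasts to every other port; that is all the model needs to show the difference between the layouts: with everything on one switch the modem shares the LAN's layer-2 segment, so a LAN host can hand frames straight to the modem's MAC without the firewall's ruleset ever being consulted (the bypass Pascal refers to), while with two NICs the only path from the LAN segment to the modem runs through the firewall's eth0.

```python
"""Toy layer-2 model of the two firewall layouts discussed above.

Constructed example: device names, switch names and MACs are made up.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Device:
    name: str
    # switch name -> MAC of the NIC this device has on that switch
    macs: dict = field(default_factory=dict)


class Topology:
    def __init__(self):
        self.devices = {}
        self.switches = {}   # switch name -> list of attached device names

    def attach(self, device, switch, mac):
        self.devices.setdefault(device, Device(device)).macs[switch] = mac
        self.switches.setdefault(switch, []).append(device)

    def deliver(self, switch, src, dst_mac):
        """Devices that receive a frame src puts on `switch` addressed to dst_mac:
        the owner of a unicast MAC, or every other port for a broadcast."""
        return [
            name for name in self.switches[switch]
            if name != src
            and (dst_mac == BROADCAST or self.devices[name].macs.get(switch) == dst_mac)
        ]

    def shared_segments(self, a, b):
        """Switches on which a and b can exchange frames with no router in between."""
        return [s for s, members in self.switches.items() if a in members and b in members]


def single_nic():
    """Everything, including the DSL modem, plugged into one switch; the
    firewall holds the public and private addresses on eth0 / eth0:1."""
    t = Topology()
    t.attach("pc1", "lan", "02:00:00:00:00:01")
    t.attach("pc2", "lan", "02:00:00:00:00:02")
    t.attach("firewall", "lan", "02:00:00:00:00:f0")   # eth0 carries both IPs
    t.attach("modem", "lan", "02:00:00:00:00:d5")
    return t


def two_nic():
    """Firewall with two NICs: eth0 on the LAN switch, eth1 alone with the modem."""
    t = Topology()
    t.attach("pc1", "lan", "02:00:00:00:00:01")
    t.attach("pc2", "lan", "02:00:00:00:00:02")
    t.attach("firewall", "lan", "02:00:00:00:00:f0")   # eth0, private address
    t.attach("firewall", "wan", "02:00:00:00:00:f1")   # eth1, public address
    t.attach("modem", "wan", "02:00:00:00:00:d5")
    return t


def lan_host_can_reach_modem_directly(topo, host="pc1"):
    """True if the host can address the modem's MAC directly, i.e. a LAN host
    that points its default route past the firewall never enters its ruleset."""
    return bool(topo.shared_segments(host, "modem"))


def broadcast_receivers(topo, host):
    """Every device that sees a broadcast (for example an ARP request) from host."""
    seen = set()
    for sw in topo.devices[host].macs:
        seen.update(topo.deliver(sw, host, BROADCAST))
    return sorted(seen)


if __name__ == "__main__":
    for label, topo in (("single NIC", single_nic()), ("two NICs", two_nic())):
        print(f"{label}: LAN host reaches modem without the firewall? "
              f"{lan_host_can_reach_modem_directly(topo)}; "
              f"broadcast from pc1 seen by {broadcast_receivers(topo, 'pc1')}")
```

Running it as a script prints the result for both layouts. The only check that matters in practice is `shared_segments(host, "modem")`: an empty list means the firewall is the sole layer-2 path between the LAN and the modem, which is the property the two-NIC layout provides and the single-switch layout does not, regardless of what the DSLAM does with frames on its side of the bridge.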

