NFR Wizards Archive: Re: Q on external router

Re: Q on external router


Eric Vyncke (evynckecisco.com)
Thu, 23 Apr 1998 22:32:09 +0200


Thomas,

Do not misread me, I'm in no way saying that a `mostly dumb'
ethernet switch can replace a firewall... I'm just saying that
instead of using a hub for a DMZ, you can use another device
that can increase your security.

If it fails (buggy software, ...), you are back to square #1.
But, it is at least an additional layer of security and I
am willing to use as many security layers as possible to
protect my networks/hosts.

And, even if my fellow software engineers won't agree with me,
I agree with you: switches are not designed/developed with security
as the first requirement. Nevertheless, their code is much
shorter than a firewall/router, so, statistically they `should'
have fewer security bugs. But, wait and see...

-eric

PS: I'm just discussing generic topics about switches and not
only about my employer's ones.

At 15:15 23/04/98 -0500, tqbfsecnet.com wrote:
>> Thus, in my opinion (but have a look at my email address to see
>> that I could be biased ;-) ), the switch can increase the DMZ security
>> if:
>> - it uses static mapping
>> - as you put part of your security in the switch configuration, you
>> must obviously secure your switch config (OTP, ACL, management via
>> console only, ...)
>
>What about problems that fault the switch itself? We have seen bugs that
>crash 3Com switches due to poor IP stack implementation; Cisco is aware of
>bugs that affect their Catalyst platforms as well. What assurance do we
>have that switches are implemented with the same attention to security as
>firewalls?
>
>-----------------------------------------------------------------------------
>Thomas H. Ptacek Secure Networks, Inc.
>-----------------------------------------------------------------------------
>http://www.enteract.com/~tqbf "If you're so special, why aren't you dead?"
>
Eric Vyncke
Technical Consultant, Cisco Systems Belgium SA/NV
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evynckecisco.com Mobile: +32-75-312.458
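The thread's condition for a switch adding security to a DMZ is that it uses static MAC mapping rather than dynamic learning. The following is an added example, not code from either poster or from any vendor: a small audit that parses text shaped like Cisco IOS `show mac address-table` output and flags DMZ ports that are not pinned to exactly one static entry. The sample table and the port names are constructed for this example, and the column layout is an assumption about the output format.

```python
"""Audit a switch MAC address table for DMZ ports that depend on static mapping.

Added example (not from the original post). Parses text resembling Cisco IOS
`show mac address-table` output and reports DMZ ports that either have no static
MAC entry, have more than one, or have dynamically learned entries alongside it.
The sample table below is constructed; real output may differ in column layout.
"""
import re
from dataclasses import dataclass

# Constructed sample resembling IOS `show mac address-table` output (assumption).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c12.3456    STATIC      Fa0/1
  10    0000.0c12.3457    STATIC      Fa0/2
  10    0000.0c12.9999    DYNAMIC     Fa0/2
  10    0000.0c12.3458    DYNAMIC     Fa0/3
  20    0000.0c12.aaaa    STATIC      Fa0/4
Total Mac Addresses for this criterion: 5
"""

# One table row: VLAN, dotted-hex MAC, entry type, port. Header and footer
# lines do not match because their first column is not numeric.
ENTRY_RE = re.compile(
    r"^\s*(?P<vlan>\d+|All)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<type>STATIC|DYNAMIC)\s+"
    r"(?P<port>\S+)\s*$"
)


@dataclass(frozen=True)
class MacEntry:
    vlan: str
    mac: str
    kind: str   # "STATIC" or "DYNAMIC"
    port: str


def parse_mac_table(text):
    """Extract MacEntry rows from the table text, ignoring headers and totals."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(MacEntry(m["vlan"], m["mac"].lower(), m["type"], m["port"]))
    return entries


def audit_dmz_ports(entries, dmz_ports):
    """Return {port: [findings]}; an empty list means the port is statically mapped.

    A DMZ port is considered correctly configured when it carries exactly one
    STATIC entry and no DYNAMIC entries (i.e. the switch is not learning MACs).
    """
    findings = {port: [] for port in dmz_ports}
    by_port = {}
    for e in entries:
        by_port.setdefault(e.port, []).append(e)
    for port in dmz_ports:
        port_entries = by_port.get(port, [])
        statics = [e for e in port_entries if e.kind == "STATIC"]
        dynamics = [e for e in port_entries if e.kind == "DYNAMIC"]
        if not statics:
            findings[port].append("no static MAC entry: port relies on dynamic learning")
        elif len(statics) > 1:
            findings[port].append(f"{len(statics)} static MAC entries on one port")
        for e in dynamics:
            findings[port].append(f"dynamically learned MAC {e.mac} in VLAN {e.vlan}")
    return findings


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for port, issues in audit_dmz_ports(table, ["Fa0/1", "Fa0/2", "Fa0/3"]).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

The check is deliberately conservative: a port with a static entry but any dynamic entry still gets flagged, since a learned address on a DMZ port means the static mapping is not actually constraining what the switch forwards to that port.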



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:48 CDT