
Re: Comments on ISP Expectations



On Wed, 29 Mar 2000, Bill Woodcock wrote:

>    > 5 Systems Infrastructure
> 
> Systems MUST minimally be separated by a switched LAN
> infrastructure, such that compromise of one host does not allow
> promiscuous "sniffing" of traffic to and from other hosts, and
> SHOULD be separated onto separate VLANs or subnets, such that
> traffic can be filtered both to and from each system, without the
> possibility of a "stepping stone" attack from one host to another,
> "behind" a firewall.

Switched hubs don't provide any degree of security from sniffing.  
There are many ways to externally manipulate them so they get confused
and broadcast everywhere.

Putting in place or using a large VLAN infrastructure adds another
point of attack that isn't necessarily visible on a LAN structure
diagram.
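To make the first point above concrete, here is a small simulation added to this page (it is not code from the thread or from the draft being discussed). It models a learning switch with a bounded, aging MAC table, the usual "fail open" behaviour of forwarding a frame whose source could not be learned, and an optional per-port limit on learned MACs of the kind sold as "port security". All parameters (table size 8, aging timer 20 ticks, limit of 2 MACs per port, 5 bogus frames per round, host B answering only every 5th round) are assumptions chosen to keep the run short; the victim B is deliberately quieter than the aging timer, which is the case the attack relies on.

```python
"""Toy learning switch: shows how a flooded MAC table turns unicast into
broadcast, and how a per-port MAC limit ("port security") changes that.
Added illustration, not code from the original thread or draft."""

from dataclasses import dataclass


@dataclass
class Frame:
    src: str        # source MAC, as text
    dst: str        # destination MAC, as text


class LearningSwitch:
    """Transparent bridge with a bounded, aging MAC table (assumed model).

    Assumptions: the table holds `cam_capacity` entries; an entry is
    dropped once it has not been refreshed for more than `aging` ticks;
    when the table is full a new source MAC is not learned but the frame
    is still forwarded (fail-open); `max_macs_per_port`, if set, drops any
    frame that would learn a new MAC beyond that limit on its ingress port.
    """

    def __init__(self, ports, cam_capacity=8, aging=20, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.aging = aging
        self.max_macs_per_port = max_macs_per_port
        self.cam = {}            # mac -> (port, last_seen_tick)
        self.clock = 0
        self.peak_cam = 0        # largest table size reached
        self.violations = 0      # frames dropped by the per-port limit

    def _expire(self):
        stale = [m for m, (_, seen) in self.cam.items()
                 if self.clock - seen > self.aging]
        for m in stale:
            del self.cam[m]

    def _learn(self, mac, port):
        """Record mac on port. Returns False if the port limit rejects it."""
        if mac in self.cam:
            self.cam[mac] = (port, self.clock)     # refresh the timestamp
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p, _ in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations += 1
                return False
        if len(self.cam) >= self.cam_capacity:
            return True                            # full: forward, don't learn
        self.cam[mac] = (port, self.clock)
        self.peak_cam = max(self.peak_cam, len(self.cam))
        return True

    def forward(self, in_port, frame):
        """Return the egress ports for one frame; [] means it was dropped."""
        self.clock += 1
        self._expire()
        if not self._learn(frame.src, in_port):
            return []
        entry = self.cam.get(frame.dst)
        if entry is None:                          # unknown unicast or broadcast
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]


# Hosts use the documentation MAC range; the attacker's MACs are made up.
HOST_A, HOST_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"


def simulate(port_security: bool, rounds: int = 50) -> dict:
    """A on p1 sends to B on p2 every round; B answers every 5th round;
    an attacker on p3 emits 5 frames with fresh source MACs per round.
    Returns where A's traffic ended up."""
    sw = LearningSwitch(["p1", "p2", "p3"], cam_capacity=8, aging=20,
                        max_macs_per_port=2 if port_security else None)
    sw.forward("p1", Frame(HOST_A, HOST_B))      # B unknown yet: flooded
    sw.forward("p2", Frame(HOST_B, HOST_A))      # switch learns B on p2
    baseline = sw.forward("p1", Frame(HOST_A, HOST_B))   # now ["p2"] only
    leaked = 0
    for r in range(rounds):
        for i in range(5):
            bogus = f"02:00:00:00:{r:02x}:{i:02x}"        # constructed source
            sw.forward("p3", Frame(bogus, "ff:ff:ff:ff:ff:ff"))
        if "p3" in sw.forward("p1", Frame(HOST_A, HOST_B)):
            leaked += 1                          # attacker's port saw A -> B
        if r % 5 == 0:
            sw.forward("p2", Frame(HOST_B, HOST_A))
    return {"baseline": baseline, "leaked_to_attacker": leaked,
            "peak_cam": sw.peak_cam, "violations": sw.violations}


if __name__ == "__main__":
    for ps in (False, True):
        print("port security" if ps else "plain switch", simulate(ps))
```

Without the per-port limit the attacker fills the table within two rounds; once B's entry ages out it cannot be re-learned while the table stays full, so B's own reply does not help and A's unicast frames to B are flooded out of every port, including the attacker's. With the limit, the attacker's port holds at most two entries, the table never fills, and B is re-learned as soon as it speaks. Note that some frames still reach p3 even in the protected run: a quiet host ages out of the table and its next inbound frames are flooded as unknown unicast until it talks again, which is inherent to a learning switch and is why the draft's separate VLANs or subnets with filtering, not the switch alone, are what keep one host's traffic away from another.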