No desire to receive messages!!!
Thank you,
[EMAIL PROTECTED]
----------
From: Woody Weaver[SMTP:[EMAIL PROTECTED]]
Sent: Tuesday, 24 August 1999 12:12
To: peter pajak; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: quad cards on firewalls
At 05:55 AM 8/24/99 -0700, peter pajak wrote:
>not exactly, since all NICs on sun boxes always have the same mac address
^^^^^^
Not always! There is an eeprom setting to adjust this behavior.
>(burnt into the motherboard) all switches are designed to handle that all
>right. besides, all communications start with the ip address being mapped to
>mac address by arp, so the switch port which has the ip address you want to
>talk to is being used as the communication channel anyway. in regard to the
Originally, MACs were intended to be unique. (I don't know why Sun chose
the "single mac per machine" behaviour.) Some switch hardware assumes that
a specific MAC is associated with a unique port on a switch -- if it sees a
mac on a different port, it thinks the machine has moved, and drops it from
its CAM for the "old" port and moves it to the new one. This can be bad
for a couple of reasons, primarily performance.
>second part ask the guy what he means by compromising the card. to do that
I agree here.
>one would have to have physical access to the machine and that's another
>issue.
I don't think that is what was meant. I think the idea is that the card
itself has some smarts independent of the kernel. If one were to
compromise the card, there exists the possibility of going port to port on
the card itself without going through the routing engine (hence not through
the protections afforded by the firewall).
This strikes me as a theoretical possibility, but not an actual one -- that
is to say in "most" environments there would be other, easier ways (such as
compromising the switch, a device which generally is not designed for
security).
--woody
>later, peter
>
>
>>From: Art Coble <[EMAIL PROTECTED]>
>>To: Corbett Waddingham <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>>Subject: Re: quad cards on firewalls
>>Date: Mon, 23 Aug 1999 17:04:25 -0700
>>
>>I don't see a problem with it.
>>I've implemented the configuration you are describing.
>>Make sure you configure the qfe card to give each
>>port a unique MAC address. By default each port
>>has the same MAC. This can wreak some havoc on switches.
>>
>> -Art
>>
>>
>>At 04:20 PM 8/23/99 -0700, Corbett Waddingham wrote:
>> >
>> >Hello,
>> >
>> >Recently, the subject of using quad ethernet cards on firewalls was brought up
>> >here at work. One person was convinced that this is a Bad Thing(c), because
>> >someone could compromise the card and get access to the entire network.
>> >Everyone else (myself included) felt that he was just being overly paranoid,
>> >and that just keeping the subnets logically separated would be fine. But I
>> >thought I would ask the people who would be most likely to know.
>> >
>> >The card in this case was a Sun Quad Fast Ethernet, the firewall itself was
>> >an UltraSPARC with Solaris 2.6 and Checkpoint.
>> >
>> >
>> >Corbett Waddingham
>> >E-greetings Network Data Wrangler
>> >415-536-1861
>> >http://www.egreetings.com
>> >-
>> >[To unsubscribe, send mail to [EMAIL PROTECTED] with
>> >"unsubscribe firewalls" in the body of the message.]
>> >
>>
>>===========================================
>>Art Coble
>>International Network Services
>>Senior Network Consultant
>>Email: [EMAIL PROTECTED]
>>Page: 800 INS 1 INS or [EMAIL PROTECTED]
>>"Fix the problem, not the blame"
>>=============================================
>>
--
Robert Wooddell Weaver email: [EMAIL PROTECTED]
Network Engineer voice: 510.773.7420
Williams Communication Data Group pager: [EMAIL PROTECTED]
[metrocall has better reception] pager: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
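The switch behaviour Woody and Art describe (a shared MAC on every qfe port looks to the switch like one host hopping between ports, so its CAM entry keeps moving and frames can be delivered to the wrong port), as an added example that is not code from any message in the thread; the switch model, MAC addresses and port numbers are constructed for illustration:

```python
# Added example (not from the thread): a minimal model of a switch's
# CAM (MAC -> port) table, showing why a multi-port card whose ports all
# share one MAC, the Sun qfe default discussed above, looks to the switch
# like a host that keeps moving between ports, while per-port MACs stay put.

class Switch:
    def __init__(self):
        self.cam = {}    # source MAC -> port it was last seen on
        self.moves = 0   # how many times a known MAC showed up on a new port

    def learn(self, port, src_mac):
        """Source learning: note which port src_mac's frame arrived on."""
        old = self.cam.get(src_mac)
        if old is not None and old != port:
            self.moves += 1          # the switch believes the station moved
        self.cam[src_mac] = port

    def forward(self, dst_mac):
        """Destination lookup: a known MAC goes to one port, else flood."""
        return self.cam.get(dst_mac, "flood")


def run(port_macs, sending_order, dst_mac):
    """Replay frames from the card's ports (sending_order lists the switch
    port each frame arrives on), then look up where a frame addressed to
    dst_mac would be delivered. Returns (CAM moves observed, delivery port)."""
    sw = Switch()
    for port in sending_order:
        sw.learn(port, port_macs[port])
    return sw.moves, sw.forward(dst_mac)


# Constructed sample values: the quad card's four ports sit on switch
# ports 1-4 and transmit round-robin. The MACs below are made up.
PORTS = (1, 2, 3, 4)
SHARED = {p: "08:00:20:aa:bb:cc" for p in PORTS}            # one MAC for all ports
UNIQUE = {p: f"08:00:20:aa:bb:{p:02x}" for p in PORTS}      # one MAC per port
ROUND_ROBIN = [1, 2, 3, 4, 1, 2, 3, 4]

if __name__ == "__main__":
    moves, port = run(SHARED, ROUND_ROBIN, SHARED[1])
    print(f"shared MAC:  {moves} CAM moves; frame for port 1 delivered to port {port}")
    moves, port = run(UNIQUE, ROUND_ROBIN, UNIQUE[1])
    print(f"unique MACs: {moves} CAM moves; frame for port 1 delivered to port {port}")
```

With the shared MAC the table flaps on every frame and a frame meant for port 1 lands on whichever port transmitted last; with per-port MACs the table never moves and delivery is stable.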