Be aware that even 'dumb' switches can be attacked. The usual method is to feed
them with spoofed MAC addresses until the address table overflows, which, with
some switches, causes it to go into flooding mode. In other words, it becomes a
simple hub from which all traffic can be captured. A managed switch would at
least be able to warn you by SNMP trap that the table was full.
Jim Eckford
Chris Brenton wrote:
> Bennett Samowich wrote:
> >
> > Would adding a switch to a DMZ increase its security? Would it create the
> > case that even if the web server were compromised, mail traffic could not
> > be captured? (assuming they are on separate machines)
>
> Absolutely, provided the switch is unmanaged and does not have an IP
> address to attack.
>
> Also, use a dedicated box. Don't VLAN a larger switch which also
> services your internal network. A number of vulnerabilities have been
> found that can allow an attacker to jump VLANS.
>
> Cheers,
> Chris
> --
> **************************************
> [EMAIL PROTECTED]
>
> * Multiprotocol Network Design & Troubleshooting
> http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
> * Mastering Network Security
> http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
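Added example (not from the thread or any poster): a small Python model of the bounded address table Jim describes, showing why churn from spoofed source addresses turns known-unicast forwarding into flooding, and the per-port new-address limit a managed switch (port-security style) would use to raise the warning he mentions. The eviction policy (oldest entry displaced when full), the port numbers and every MAC address are constructed assumptions.

```python
from collections import OrderedDict

FLOOD = "flood"  # egress result when the destination is not in the table


class MacTable:
    """Bounded learning table. Assumed policy: when full, the oldest entry is
    displaced so the newest source can be learned (a simplification)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = OrderedDict()  # mac -> port, oldest first

    def learn(self, mac: str, port: int) -> None:
        if mac in self.entries:
            self.entries.move_to_end(mac)
        elif len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)  # displace the oldest entry
        self.entries[mac] = port

    def lookup(self, mac: str):
        return self.entries.get(mac)


class Switch:
    """Learning switch with the per-port check a managed switch could trap on."""

    def __init__(self, n_ports: int, capacity: int, learn_limit: int):
        self.table = MacTable(capacity)
        self.learn_limit = learn_limit  # distinct new sources tolerated per port
        self.new_macs = {p: set() for p in range(1, n_ports + 1)}
        self.alerts = []  # (port, distinct sources seen) once the limit is exceeded

    def forward(self, src: str, dst: str, in_port: int):
        """Learn src on in_port; return the egress port or FLOOD if dst is unknown."""
        if src not in self.table.entries:
            self.new_macs[in_port].add(src)
            if len(self.new_macs[in_port]) > self.learn_limit:
                self.alerts.append((in_port, len(self.new_macs[in_port])))
        self.table.learn(src, in_port)
        out = self.table.lookup(dst)
        return FLOOD if out is None else out


def demo():
    """Constructed scenario: web host on port 1, mail host on port 2, churn on port 3."""
    sw = Switch(n_ports=3, capacity=4, learn_limit=2)
    web, mail = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(web, mail, 1)
    sw.forward(mail, web, 2)
    before = sw.forward(web, mail, 1)  # both known: delivered to port 2 only
    for i in range(4):  # four bogus sources on port 3 push the real hosts out
        sw.forward(f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff", 3)
    after = sw.forward(web, mail, 1)  # mail host forgotten: frame now floods
    return before, after, sw.alerts
```

Run `demo()`: the same web-to-mail frame is delivered to port 2 before the churn and flooded to every port after it, while the port-3 learn limit is exceeded well before the table is exhausted.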