On Tue, May 31, 2005 at 08:06:43AM -0700, Mark T. Regan, K8MTR wrote:
> We are looking at setting up a Linux complex on z900 that will have both
> Internet connections and internal-only connections. Can an OSA port be
> shared between Linux hosts that are in unsecured and secured environments
> without compromising security integrity?

In a word, no...  How do you plan to have a single physical piece of cable
connecting to both a secure network and an unsecured network (please, don't
say "by overlaying the IP subnets"... :) )?

If your answer includes VLAN then that's different, and it becomes possible
since your Internet VLAN and your internal VLAN are logically separated.

> I.e. would someone be able to come in through the Internet side of the
> shared port and somehow cross over to the secured host that
> is sharing the same port, but in a different subnet?

If you are using VLAN, access between the VLANs is a question of IP routing.
If there is no system that has a connection to both VLANs, then you're okay.

If there is a system in both VLANs, it becomes a potential path between the
networks.  This has nothing to do with sharing an OSA, mind -- it's simple IP
routing (even if the multi-homed system has IP forwarding turned off -- from
the Internet, someone could log in to that system and then have connectivity
to internal hosts...  From there, the ability to connect directly from the
Internet to internal hosts is only an SSH-dynamic-port-forward away...).

> We are hoping that we don't have to dedicate a port to the Internet
> connected Linux host. Otherwise we may have to purchase additional OSA
> cards.

To do this safely, your solution must include VLAN.  Overlaying IP subnets
would be nothing more than security-by-obscurity.

Hope this helps...  Cheers,
Vic Cross

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
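A defender's check for the multi-homed case the reply warns about, added here as an example (not code from the thread or its authors): a POSIX sh audit that counts the VLANs a Linux guest has addresses on, reports the kernel forwarding state, and checks whether sshd's AllowTcpForwarding is disabled. It assumes VLAN subinterfaces use the conventional base.VID naming and input in the shape of `ip -o -4 addr show`; the sample lines are constructed.

```shell
#!/bin/sh
# Audit helpers (added example, not from the thread). Input is the output of
# "ip -o -4 addr show"; VLAN subinterfaces are assumed to use the conventional
# "base.VID" naming (e.g. eth0.100), and untagged interfaces count as one VLAN.
count_vlans() {
    awk '{
        ifname = $2
        sub(/@.*/, "", ifname)                  # drop "@parent" if present
        if (ifname == "lo") next                # loopback is not a network
        vid = ifname
        if (sub(/.*\./, "", vid) == 0) vid = "untagged"
        seen[vid] = 1
    } END { c = 0; for (v in seen) c++; print c }'
}

# True when the host has addresses in more than one VLAN, i.e. it is the
# multi-homed system the reply describes (a potential path between networks).
is_multihomed() {
    [ "$(count_vlans)" -gt 1 ]
}

# Kernel forwarding state; the path argument exists so the check is testable.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Mitigation for the SSH dynamic-port-forward concern: is TCP forwarding
# disabled in the given sshd_config?
ssh_forwarding_blocked() {
    grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' "$1"
}

# Constructed sample in "ip -o -4 addr show" shape: one guest on two VLANs.
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0.100    inet 10.1.100.5/24 brd 10.1.100.255 scope global eth0.100\       valid_lft forever preferred_lft forever
3: eth0.200    inet 192.0.2.5/24 brd 192.0.2.255 scope global eth0.200\       valid_lft forever preferred_lft forever'

if printf '%s\n' "$SAMPLE" | is_multihomed; then
    echo "WARNING: host has addresses in $(printf '%s\n' "$SAMPLE" | count_vlans) VLANs"
fi
```

On a live guest, pipe the real `ip -o -4 addr show` into `is_multihomed` and run `ip_forward_enabled` with no argument.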
