On Mon, Jul 27, 2015 at 12:46 PM, Quartz <qua...@sneakertech.com> wrote:
> Some years ago I remember reading that when using OpenBSD (or any OS,
> really) as a router+firewall it was considered inadvisable from a security
> standpoint to have the different networks all attached to a single network
> card with multiple ethernet ports. The thinking being that it was
> theoretically possible for an attacker to exploit bugs in the card's chip to
> short circuit the path and route packets directly across the card in a way
> pf can't control. It was also suggested that in addition to using different
> physical cards, the cards should really use different chipsets too, in case
> an unknown driver bug allows a short circuit.
>
> I swear I read this somewhere on the website, but I can't seem to find it
> now and I'm wondering if the concept is even still valid. The impetus here
> is that I'm building a router+firewall for a cramped location and it's
> turning out rather difficult to find a case that's small enough to fit. I'd
> really like to use an itx system with multiple onboard ethernet jacks and
> cram it into something like a MiniBox M350 or Antec ISK110, but I'm not sure
> if that's a good idea, security wise. Any thoughts?
>


It is certainly possible theoretically, but you'll have to go to very
great lengths to imagine a scenario where a remote attacker could
exploit such a flaw. It's next to impossible to identify the make and
model of the NIC that holds an IP address (if it is even directly
bound to a NIC; CARP and other similar technologies get in the way if
used), so the attacker would first have to acquire this information through
other means.

-Kimmo
