[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[OT] 2 subnets + 1 switch = ARP vulnerability?

Recently I advised a fellow at fedoraforum not to connect the orange and
green interfaces of an IPcop machine to the same switch.  I gathered he
wanted to do that in order to save money by not buying a second switch,
primarily.  To be honest, I didn't think it would work, but apparently
it did.  Well, at least he says it did, and I have no reason to
disbelieve him.  So I learned something.

He connected his green and orange interfaces, each with a different
subnet address of course, to a switch, then connected some FC5 clients
to the same switch, configuring some of them on the green subnet and
pointing to the green gateway, and the rest on orange network pointing
to the orange gateway.

Now IPcop and its ilk, as I understand them, base much of their security
strength on maintaining separation among red, green, and orange
networks.  Orange is for a DMZ, green is for a protected LAN, and red
faces the Internet.  I'm not a network or security guru, but am I wrong
in thinking that the fellow's green network is now highly vulnerable to
ARP exploits from the orange side?  As far as layer 2 is concerned,
everything is on the same network, right?  Are ARP exploits not in vogue
anymore?  Are there other security risks in doing things this way?  Is
it a pretty common and acceptable practice these days to connect
multiple subnets through a single non-VLAN switch as a matter of
convenience or economy?

Thanks for your thoughts.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]