[Dshield] Multi- Honed Servers

rhilliard@t-systemsus.com rhilliard at t-systemsus.com
Tue May 28 19:26:21 GMT 2002


This is part of the homework. ;-)

I'm getting a lot of requests to put NICs into servers that will actually 
bypass the firewalls. Thanks for the point in the right direction.

Rob 





Mark Rowlands <mark.rowlands at minmail.net>
05/28/2002 02:08 PM

 
        To:     list at dshield.org, rhilliard at t-systemsus.com
        cc: 
        Subject:        Re: [Dshield] Multi- Honed Servers


On Tuesday 28 May 2002 6:27 pm, rhilliard at t-systemsus.com wrote:
> I am researching the security practice of using multiple network
> interfaces in servers.

homework is it then ;-)

> I don't have a recommendation either way yet,  it
> seems that throwing more interface cards into a server may not be the best
> way to secure networks.

I don't see how it achieves.

> It seems a little more like "hiding" a network as
> opposed to securing it. 

I don't see how it achieves this either.

> I am looking for any thoughts on this

here are some thoughts :-

the safest server is one without network cards, keyboard, mouse or monitor. ;-)

That given, it is rather irrelevant, having more or less network cards makes 
no difference unless it is to separate networks and then access is policed by 
some form of rules based routing.

I suppose you could argue that adding interfaces can remove the single point 
of failure and I would always do that in any vaguely important machine.

I have seen a network where multiple network cards were used in terminal 
servers which were then plugged into both sides of a firewall effectively 
bypassing the firewall that was supposed to protect them!
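
The dual-homed terminal servers described above are the kind of thing an inventory audit can catch. The following is an added example, not part of the original messages: it flags hosts whose interfaces sit in more than one firewall zone while leaving same-zone redundant NICs alone. The zone names, address ranges, host names and inventory format are all constructed assumptions.

```python
import ipaddress

# Constructed zone map: the networks on each side of the firewall (assumed).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed inventory: interface addresses and IP-forwarding state per host.
INVENTORY = [
    {"host": "ts01", "addrs": ["192.0.2.15", "10.20.4.15"], "forwarding": False},
    {"host": "web01", "addrs": ["192.0.2.20"], "forwarding": False},
    {"host": "db01", "addrs": ["10.20.8.5", "10.20.8.6"], "forwarding": False},
    {"host": "gw-lab", "addrs": ["192.0.2.30", "10.20.9.1"], "forwarding": True},
]


def zone_of(addr):
    """Return the zone name containing addr, or 'unknown' if unmapped."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def audit(inventory):
    """Return (host, zones, severity) for every host that spans zones."""
    findings = []
    for entry in inventory:
        # An unmapped address counts as its own zone, so it is flagged too.
        zones = sorted({zone_of(a) for a in entry["addrs"]})
        if len(zones) < 2:
            continue  # all NICs in one zone: redundancy, not a bypass
        # A host that forwards packets routes around the firewall outright;
        # without forwarding it is still a foothold on both sides.
        severity = "high" if entry["forwarding"] else "medium"
        findings.append((entry["host"], tuple(zones), severity))
    return findings


if __name__ == "__main__":
    for host, zones, severity in audit(INVENTORY):
        print(f"{severity:6} {host} spans zones: {', '.join(zones)}")
```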







