two subnets same switch!

Hi there,

When two subnets share the same physical cable, are there security issues
with the one subnet being able to get to the second subnet? For example, at
our co-location facility, we have a switch that the WAN Internet connection
comes into. We are considering also running our 10.0.0.X network through the
NIC, same cable and same switch. Will doing so expose our internal
(10.0.0.X) network to the internet?


Thanks!

Java Boy wrote:

> Hi there,
>
> When two subnets share the same physical cable, are there security issues
> with the one subnet being able to get to the second subnet? For example,
> at our co-location facility, we have a switch that the WAN Internet
> connection comes into. We are considering also running our 10.0.0.X
> network through the NIC, same cable and same switch. Will doing so expose
> our internal (10.0.0.X) network to the internet?

1) Your firewall should block such access
2) Your ISP should block such access
3) Even if neither above are true, there's no way anyone could get to your
network, using a 10.x.x.x or any other RFC1918 address.

Dear James,

But i was going through a site and found this,

" If you connect the LAN and WAN ports to the same switch, you have just
defeated your own network security. "

Look here in design Pitfalls!
http://www.linuxexposed.com/Articles...urity-Concepts
..html


Regards!




"James Knott" <(E-Mail Removed)> wrote in message
news:QfGdnesvTO68KFPfRVn-(E-Mail Removed)...
> Java Boy wrote:
>
> > Hi there,
> >
> > When two subnets share the same physical cable, are there security
issues
> > with the one subnet being able to get to the second subnet? For example,
> > at our co-location facility, we have a switch that the WAN Internet
> > connection comes into. We are considering also running our 10.0.0.X
> > network through the NIC, same cable and same switch. Will doing so
expose
> > our internal (10.0.0.X) network to the internet?
>
> 1) Your firewall should block such access
> 2) Your ISP should block such access
> 3) Even if neither above are true, there's no way anyone could get to your
> network, using a 10.x.x.x or any other RFC1918 address.
>

Java Boy wrote:

> Dear James,
>
> But i was going through a site and found this,
>
> " If you connect the LAN and WAN ports to the same switch, you have just
> defeated your own network security. "
>
> Look here in design Pitfalls!
>
http://www.linuxexposed.com/Articles...urity-Concepts
> .html

If you go back to my message, you'll see I said "your firewall". This means
I'm assuming that you've got a firewall controlling access to the network.

Java Boy wrote:


Forgot to mention.

Please do not send personal e-mail, when the content should be posted on the
newsgroup.

In comp.os.linux.networking Java Boy <(E-Mail Removed)>:
> Hi there,

> When two subnets share the same physical cable, are there security issues
> with the one subnet being able to get to the second subnet? For example, at
> our co-location facility, we have a switch that the WAN Internet connection
> comes into. We are considering also running our 10.0.0.X network through the
> NIC, same cable and same switch. Will doing so expose our internal
> (10.0.0.X) network to the internet?

Never thought about, why care? Dump idea, unless of course the
switch supports VLANs. For minimal security you'd better setup a
box as firewall/router between the two LANs, so you have better
control over the network. A Linux box should do a great job for
this, in addition I'd run squid as http/ftp proxy server to speed
up internet access.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 258: That's easy to fix, but I can't be bothered.

"James Knott" <(E-Mail Removed)> wrote in message
news:reOdnTycb93ef1PfRVn-(E-Mail Removed)...
> Java Boy wrote:
>
>> Dear James,
>>
>> But i was going through a site and found this,
>>
>> " If you connect the LAN and WAN ports to the same switch, you have just
>> defeated your own network security. "
>>
>> Look here in design Pitfalls!
>>
> http://www.linuxexposed.com/Articles...urity-Concepts
>> .html
>
> If you go back to my message, you'll see I said "your firewall". This
> means
> I'm assuming that you've got a firewall controlling access to the network.

The firewall won't help you. For example, someone with root access to
one of the machines on your WAN can put an ethernet port in promiscuous mode
and see many of the LAN packets. (This is especially true if he maliciously
fills the switch's ARP cache so it is forced back into learning mode.)

DS