[HECnet] Multinet Tunnel Connections to SG1::

Mark Benson md.benson at gmail.com
Thu Jun 7 10:54:46 PDT 2012 

On 7 Jun 2012, at 10:09, Johnny Billquist <bqt at softjar.se> wrote:

Yeah, I'm also starting to wonder if we're talking about different things...

I wouldn't be surprised if I am totally across-purposes as I am just a
user with a little knowledge (and we all know about a little
knowledge?) in this argument.

Maybe someone can explain to me the worries they have with this "wide open" thing, and how that improves by having the bridge (or router) running on a separate machine?

As far as I see it, using pcap and promiscuous mode creates 2 potential issues:

Security is possibly compromised, but promiscuous mode is only
activated as root so rhis isn't a big concern.

There is an increase in traffic and filtering loads on the CPU because
the LAN interface is no longer filtering packets in hardware.

Using a separate 'appliance' to do the work presents these possible solutions:

There is nothing of import on the appliance so immediate security is
not a problem. Packets from or intended for other destinations can
still be sniffed but you still need root access to the device.

Traffic through the device and using the CPU to filter it is the
intended purpose of the 'appliance' thus it is not invading your other
tasks on a user-centric machine and it is also not compromised by
other heavy tasks absorbing CPU cycles for other things.

Indeed. In addition to the fact that I'm not clear what security threat we're talking about here...

It's minimal, but it shouldn't be totally ignored unless it's an
acceptable risk to the users concerned. Usual security caveats apply
i.e. use good passwords on the router device etc.

  It's just anal-retentive perfectionism, nothing more, no REAL impact,
no REAL casualties...but it makes me sleep better at night, and I can
usually achieve it pretty much everywhere else. :)

No objections to that one. Except I don't loose sleep over a few CPU cycles here, since they are pretty much zero anyway. But like I said before, I don't mind clean stuff.

Again, shut it in a small box on it's own with a single-purpose OS and
it becomes a clean(er) solution.

-- 

Mark

More information about the Hecnet-list mailing list