network segmentation without using vlans

Paul van Fraassen paul-s7S4Dk53uTw at public.gmane.org
Wed Feb 20 03:29:21 UTC 2008


Hey Guys

It's clear that you have pretty advanced understandings of networking and
ethernet and plenty of experience to go with it, but aren't we getting a bit
academic here?

Sure, if someone has a "server" that only needs to send out unidirectional
traffic we could look at this kind of a set-up, but what are the odds that
this is a case with 20 servers that would work with that kind of set-up?

I didn't go down the firewall and kernel config roads because I made the
assumption that part of the reason for the isolation might be that the poster
didn't necessarily fully trust or have "complete control" over everything on
all the 20 servers, and thus wanted the separation to be in the network
design (yes, these are my assumptions, not based on the post).

Now, having said that, I love the techie thought experiment as much as
anybody, so don't think I'm dis-ing any of what you've added to the thread;
I'm not. I don't have the degrees and I don't let anyone call me the
expert/guru etc., but in my almost 20 years in networking nerdom the only
times I've seen these kinds of advanced hacking configs is in intrusion
detection boxes, labs and classrooms; have you any examples of other
production environments where this sort of thing has been needed?

Oh, and although I'm loath to point it out, the poster didn't say they were
"all linux" servers. (OK, you can flame me for that :-)

-PvF


On 2/19/08, Kristian Erik Hermansen <kristian.hermansen-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>
> On Feb 19, 2008 4:48 PM, James Knott <james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org> wrote:
> > Please read again that part about the link integrity test.  It is
> > performed periodically.  If there's no response the line is considered
> > disconnected.  Will Linux or any other OS send or receive data on a
> > disconnected ethernet port?
> >
> > I based my post on "Ethernet - The Definitive Guide", by Charles E.
> > Spurgeon, published by O'Reilly, on page 132 for the link integrity test
> > "10BASE-T transceivers continually monitor the receive data path for
> > activity as a means of checking whether the link is working correctly.
> > The transceivers also send a link test signal to one another to verify
> > the integrity of both twisted-pair links".  Information on
> > auto-negotiation starts on page 85.  I have known about both for many
> > years.  It's the link integrity test, that allows the NIC connect light
> > to turn on.
> >
> > I am quite familiar with ethernet wiring.  Pairs 1 & 3 (pins 4&5 and
> > 1&2) are the minimum required for ethernet to work.  As I mentioned
> > above, without that link integrity test succeeding, data will not be
> > sent.
> >
> > Also, if you just want to monitor you can use a hub or a special device
> > called an ethernet tap.  Also, some switches can configure a port as a
> > monitor for other ports.  Linux, in the 2.4 kernel, provided a way to
> > turn off the transmitter, while still receiving.  I don't know if that
> > feature is present in 2.6.
> >
> >
> > Incidentally, I'm employed as a senior technician for a company that
> > does specialized work for telecommunications companies, such as Bell,
> > Telus and Allstream.  A part of my work involves networking, including
> > routers, switches, VoIP and PPP links.  My career, in both
> > telecommunications & computers, spans almost 36 years and I also studied
> > electrical engineering at Ryerson.  I do have some idea of what I'm
> > talking about, even without referring to texts.
>
> Maybe I should buy you a beer next time I come into town :-)  I also
> have background education in Electrical Engineering, in addition to a
> degree in Computer Science, but not nearly as much industry
> experience.  Sounds like you could be my Dad!  Maybe the wise old sage
> could slap some sense into me at a future conference encounter...heh
> --
> Kristian Erik Hermansen
> --
> "It has been just so in all my inventions. The first step is an
> intuition--and comes with a burst, then difficulties arise. This thing
> gives out and then that--'Bugs'--as such little faults and
> difficulties are called--show themselves and months of anxious
> watching, study and labor are requisite before commercial success--or
> failure--is certainly reached" -- Thomas Edison in a letter to
> Theodore Puskas on November 18, 1878
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
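The thread contrasts putting the separation in the network design with going down the "firewall and kernel config road" on each host. As an added example, not part of this thread or written by any of its participants, the script below builds a default-deny host firewall policy for a set of servers that share one segment without VLANs, and audits which server-to-server flows the policy still permits. The inventory, addresses and allowed flows are constructed for the example; the generated commands use standard iptables syntax, but the script only prints them and never applies them.

```python
"""Default-deny host firewall policy for servers that share a segment.

Added example with constructed data: 20 servers in one /24 with no VLANs,
one admin host that may reach every server over SSH, and a single
server-to-server flow that is explicitly permitted.
"""
import ipaddress

# Constructed inventory: srv01..srv20 at 10.0.0.11..10.0.0.30 (hypothetical).
SERVERS = {f"srv{i:02d}": f"10.0.0.{10 + i}" for i in range(1, 21)}
ADMIN_HOST = "10.0.0.5"  # constructed admin jump host

# Each allowed flow is (source CIDR, destination server or "*", proto, dport).
# Anything not listed here is dropped by the INPUT policy.
ALLOWED_FLOWS = [
    (ADMIN_HOST + "/32", "*", "tcp", 22),    # admin SSH to every server
    ("10.0.0.11/32", "srv02", "tcp", 5432),  # srv01 -> srv02 database only
]


def rules_for(server):
    """Return the iptables commands that enforce the policy on one server."""
    ip = SERVERS[server]
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in ALLOWED_FLOWS:
        if dst in ("*", server):
            rules.append(
                f"iptables -A INPUT -s {src} -d {ip} -p {proto} "
                f"--dport {port} -j ACCEPT"
            )
    return rules


def is_allowed(src_ip, server, proto, dport):
    """Evaluate the same policy in Python so it can be checked before rollout.

    Mirrors the generated rules: a new connection is accepted only if some
    allowed flow names this server (or "*"), the protocol, the port, and a
    source network that contains src_ip; otherwise the DROP policy applies.
    """
    src = ipaddress.ip_address(src_ip)
    for cidr, dst, p, port in ALLOWED_FLOWS:
        if (dst in ("*", server) and p == proto and port == dport
                and src in ipaddress.ip_network(cidr)):
            return True
    return False


def audit():
    """List every server-to-server flow the policy permits on a listed port.

    With 20 servers that are supposed to be isolated from each other, this
    should come back empty except for the flows deliberately listed above.
    """
    leaks = []
    for a, a_ip in SERVERS.items():
        for b in SERVERS:
            if a == b:
                continue
            for _, _, proto, port in ALLOWED_FLOWS:
                if is_allowed(a_ip, b, proto, port):
                    leaks.append((a, b, proto, port))
    return leaks


if __name__ == "__main__":
    for line in rules_for("srv02"):
        print(line)
    print("server-to-server flows still permitted:", audit())
```

The audit only proves what the policy says; it does not prove the hosts honour it, which is the trust question raised above. A host policy like this is enforced by the server itself, so where the servers are not fully under the administrator's control, checking the generated rules is no substitute for separation in the switch or router.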