network segmentation without using vlans

James Knott james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Wed Feb 20 16:24:17 UTC 2008


Paul van Fraassen wrote:
> Hey Guys
> It's clear that you have pretty advanced understandings of networking and 
> ethernet and plenty of experience
> to go with it but aren't we getting a bit academic here?
> Sure, if someone has a "server" that only needs to send out 
> unidirectional traffic we could look at this kind of a set-up
> but, what are the odds that this is a case with 20 servers that would 
> work with that kind of set-up?
> I didn't go down the firewall and kernel config roads because I made the 
> assumption that part of the reason for the isolation
> might be that the poster didn't necessarily fully trust or have 
> "complete control" over everything on all the 20 servers
> and thus wanted the separation to be in the network design (yes these 
> are my assumptions not based on the post).
> Now, having said that I love the techie thought experiment as much as 
> anybody so, don't think I'm dis-ing any of what you've added to the thread
> I'm not. I don't have the degrees and I don't let anyone call me the 
> expert/guru etc but in my almost 20 years in networking nerdom the only 
> times
> I've seen these kinds of advanced hacking configs is in intrusion 
> detection boxes, labs and classrooms; have you any examples of other 
> production environments
> where this sort of thing has been needed ?
> Oh, and although I'm loath to point it out, the poster didn't say they 
> were "all linux" servers. (OK, you can flame me for that :-)

If you've been following the thread, you'll see that what was proposed 
is impossible, without some sort of external method to accomplish it. 
There's nothing you can do, on the computer, short of MAC filtering that 
will accomplish such isolation.


-- 
Use OpenOffice.org <http://www.openoffice.org>
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists