multiple interfaces on same subnet

Bill Bogstad bogstad-e+AXbWqSrlAAvxtiuMwx3w at public.gmane.org
Tue Nov 17 15:56:50 EST 2009


On Tue, Nov 17, 2009 at 3:28 PM, Jerry Feldman <gaf-mNDKBlG2WHs at public.gmane.org> wrote:
>...
> I'm looking for some reasons why this might be a bad thing, but I don't
> know any technical reason not to allow this, at least when there is a
> single default route.

From a security perspective, this is a potential problem.  Your laptop
is now a connection between two (potentially different) networks with
different security profiles.  In some ways, it's equivalent to the old
problem of people attaching modems to their desktop computer which was
connected to the corporate network.  They would set up their desktop to
allow remote login so they could access work files from home.  Attackers
would war dial people's extensions looking for open modems.  Exploiting
your dual interface machine would be more complicated as it would
require setting up a nearby rogue wireless access point to which your
laptop would connect while you had a wired connection to the corporate
network.

At a minimum, you should make sure that your laptop isn't set up to
forward packets between the interfaces.  Not doing so would allow
network connections between the two different interfaces without
dealing with any host-based authentication on your laptop at all.

Bill Bogstad
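
The forwarding check recommended above, as an added example that is not part of the original post. It assumes a Linux host, where forwarding is controlled by the sysctl files under /proc/sys; the function name and its optional directory argument are hypothetical, the latter so the check can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original post): report every Linux sysctl
# that enables packet forwarding, globally or for a single interface.
# Assumption: Linux sysctl layout. $1 is a hypothetical override of the
# sysctl root, defaulting to the live /proc/sys.

# Prints one line per enabled forwarding key.
# Returns 0 if forwarding is off everywhere, 1 if any key enables it.
forwarding_audit() {
    root="${1:-/proc/sys}"
    found=0
    # Global IPv4 switch, then the per-interface IPv4 and IPv6 switches
    # (the "all" and "default" pseudo-interfaces are matched by the glob).
    for f in "$root/net/ipv4/ip_forward" \
             "$root"/net/ipv4/conf/*/forwarding \
             "$root"/net/ipv6/conf/*/forwarding; do
        # Skip unmatched globs and protocols that are not loaded.
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            # Print the key relative to the sysctl root. The slash form is
            # kept because interface names such as eth0.100 contain dots.
            key=${f#"$root"/}
            echo "FORWARDING ENABLED: $key = $val"
            found=1
        fi
    done
    return "$found"
}
```

Calling `forwarding_audit` with no argument checks the running system; any line it prints names a key to set back to 0 with `sysctl -w`.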