It is probably a sign that I travel too much if I have already seen all the movies – a total of three – they show on the airplane. But at least it is a good opportunity to read some of the many computer security magazines that have piled up on my desk over the past months.
I have an old issue of the information security magazine in front of me, the August 2005 issue. There is an article by Joel Snyder entitled “ProvinGrounds” where he writes about setting up a test lab for security devies. I like the article, but one quote caught my attention:
LINUX is a useful OS for any lab equipment, but it’s best kept on the server side. Its weak GUI and lack of laptop support makes it difficult to use as a client.
I don’t know how much experience the author actually has with Linux, but I am typing this blog entry on a linux system running on my laptop. I don’t know what the problem is. In fact, my GUI is probably even nicer than some of the Windows installations (I know, this is personal taste ;). Why would someone write something like that?
In the same issue of the magazein, there is another article from the same author. This article is talking about VLAN security. While the article does not reveal anything new and exciting – if you actually follow Nicolas Fischbach’s work, you might even be disappointed with the article – there is one thing in the article which makes me think that the author never had to configure a firewall. He recommends doing the following on a switch:
Limit and control traffic. Many switches have the ability to block broad types of traffic. If your goal, for example, is to enable IP connectivity, then you want to use an ACL to allow IP and ARP Ethernet protocols only, blocking all other types.
Firstly, why are IP and ARP Ethernet protocols? But that’s not what is wrong here. Have you ever configured your switch like this? Do you want to know what happens if you do? If you ever had to setup a firewall (and I am not talking about one that has a nice GUI with a wizzard and stuff), then you know that this is going to break quite a lot of things. Dude, you need some of the ICMP messages! Path MTU discovery for example. What about things like ICMP unreachables? Without them you introduce a lot of latency in your network because your clients have to wait for timeouts instead of getting negative ACKs.