| From: | Matt Clark <matt(at)ymogen(dot)net> |
|---|---|
| To: | Bruno Wolff III <bruno(at)wolff(dot)to> |
| Cc: | 'Kent Anderson' <kenta(at)ezyield(dot)com>, "'Pgsql-Admin(at)Postgresql(dot) Org'" <pgsql-admin(at)postgresql(dot)org> |
| Subject: | Re: NIC to NIC connection |
| Date: | 2004-10-19 22:13:44 |
| Message-ID: | 41759198.4070505@ymogen.net |
| Lists: | pgsql-admin |
> Switches are not security devices. While it is harder to sniff packets on
> switches, you can't count on them to prevent hostile machines on the
> switch from playing games with the arp protocol. Also I believe that if
> a switch doesn't remember where a particular mac address is it will send
> the packet to all of the attached ports.
>
If you have 6 app servers it's just daft to stick 6 NICs in your DB
server. If absolute privacy is a concern (not mentioned by the OP),
then use a dedicated switch (or switches) for the 'private' subnet.
Even better, use SSH. But all this is over the top for 99.9% of uses
anyway. A VLAN is as private as anything else, so you can just create a
VLAN on your current switch fabric and use that. No kind of traffic on
a VLAN will hit any other VLAN. Unless of course someone has hacked
your switch, set up a mirror port, attached a sniffer or other hacked
machine to it, and is assiduously reading your traffic, in which case
you have bigger problems....
M
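The quoted point about hostile machines "playing games with the arp protocol" on a shared switch, and the reply's remark that a sniffer on your private subnet means you have bigger problems, both come down to one operational question: would you notice? The following is an added example, not code from the thread or from PostgreSQL: a small passive ARP monitor that flags the classic symptoms of ARP cache poisoning on a subnet like the DB/app-server network under discussion. The addresses, MACs and the list of observed ARP replies are constructed sample data, and the known-good static map is an assumption standing in for whatever inventory the operator keeps.

```python
"""Passive ARP monitoring: flag the symptoms of ARP spoofing on a shared
switch (an IP flipping to a new MAC, or one MAC answering for many IPs).
Added example for the pgsql-admin thread above; not part of the original post."""
from collections import defaultdict

# Known-good static mapping for the "private" DB subnet. These are constructed
# example values, not addresses from the thread; in practice they come from
# the operator's inventory of the DB server and its app servers.
STATIC_MAP = {
    "10.0.0.10": "00:11:22:33:44:10",  # database server
    "10.0.0.21": "00:11:22:33:44:21",  # app server 1
    "10.0.0.22": "00:11:22:33:44:22",  # app server 2
}

# Constructed sample of ARP replies seen on the wire: (time, sender IP, sender MAC).
SAMPLE_REPLIES = [
    ("22:00:01", "10.0.0.10", "00:11:22:33:44:10"),
    ("22:00:02", "10.0.0.21", "00:11:22:33:44:21"),
    ("22:00:03", "10.0.0.22", "00:11:22:33:44:22"),
    ("22:00:04", "10.0.0.10", "00:11:22:33:44:10"),  # a repeated correct binding is fine
    ("22:05:07", "10.0.0.10", "00:aa:bb:cc:dd:ee"),  # DB server's IP now claimed by another MAC
    ("22:05:08", "10.0.0.21", "00:aa:bb:cc:dd:ee"),  # the same MAC also claims app server 1
]


def detect_arp_anomalies(replies, static_map=None):
    """Return a list of alert dicts for a sequence of (time, ip, mac) replies.

    Alert kinds:
      static_mismatch  - a binding contradicts the known-good map
      mac_changed      - an IP answers from a different MAC than it did before
      mac_claims_many  - one MAC has answered for more than one IP (MITM pattern)
    """
    static_map = static_map or {}
    ip_to_mac = {}                  # last MAC observed for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = static_map.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append({"kind": "static_mismatch", "time": ts, "ip": ip,
                           "expected": expected.lower(), "seen": mac})
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"kind": "mac_changed", "time": ts, "ip": ip,
                           "old": prev, "new": mac})
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"kind": "mac_claims_many", "time": ts, "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})
    return alerts


def summarize(alerts):
    """Count alerts by kind, for a quick health check or a metrics export."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES, STATIC_MAP):
        print(alert)
```

Run against the sample, the first four replies produce nothing and the last two produce five alerts: two static mismatches, two MAC changes, and one MAC claiming both the DB server's and an app server's address. The `mac_claims_many` check needs tuning on real networks, since a host with several IPs on one interface or a router doing proxy ARP is legitimate; the static map is what turns a noisy heuristic into a dependable alarm, and a six-host private subnet is small enough to keep such a map current.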