On Sat, Jul 16, 2011 at 2:44 PM, Ljubomir Ljubojevic office@plnet.rs wrote:
But if you have a public network passing through a local area switch, then there is the possibility of hackers using lower network layers to access unprotected PCs on that local network. Not long-distance hackers, but in case of physical presence outside of your network they could assign a virtual IP to the MAC addresses of your PCs and access them directly that way, not to mention the danger of PCs bypassing your one-NIC firewall and unsafely connecting to the outside.
Ljubomir
"local hackers" is a matter all on its own :) I have seen many cases on clients' networks where they use an expensive commercial firewall (brand doesn't matter here, but let's say for example Cyberoam, Cisco, HP, etc.) and still have problems with "hackers on the local LAN" because they didn't think of setting up proper security on the LAN as well.
The fact is, you can use a Linux firewall with a single NIC, as long as you use different IP subnets and strong iptables rules to filter traffic properly between the 2 subnets.
Another scenario where this is used more and more these days is with virtualization, where you won't have different NICs for each virtual server on the same physical server. The only way to firewall that traffic is to use iptables and VLANs. And many, many hosting companies use virtual hosting for their clients.
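As an added illustration of the single-NIC, two-subnet setup described in this reply (an example script written for this page, not code from the original thread): it puts two 802.1Q VLAN sub-interfaces on one NIC and loads FORWARD rules that only let the trusted LAN initiate web traffic toward the public segment, reject spoofed source addresses per VLAN, and log and drop anything the public segment initiates toward the LAN. The interface names, VLAN IDs and subnets are assumptions.

```shell
#!/bin/sh
# One-armed Linux firewall: a single NIC (eth0) carries two 802.1Q VLANs,
# each with its own subnet, and iptables filters the routed traffic between them.
# Interface names, VLAN IDs and subnets below are assumptions for this example.
NIC="${NIC:-eth0}"
LAN_IF="$NIC.10"; LAN_NET="192.168.10.0/24"   # trusted LAN, VLAN 10
PUB_IF="$NIC.20"; PUB_NET="192.168.20.0/24"   # public/untrusted segment, VLAN 20

# build_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed (or piped to sh) before it touches a live box.
build_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# replies belonging to conversations that were already allowed
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: a packet arriving on a VLAN must carry that VLAN's source subnet
iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
iptables -A FORWARD -i $PUB_IF ! -s $PUB_NET -j DROP
# the trusted LAN may reach the public segment on web ports only
iptables -A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -d $PUB_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
# nothing from the public segment may initiate into the LAN: log (rate-limited), then drop
iptables -A FORWARD -i $PUB_IF -o $LAN_IF -m limit --limit 5/min -j LOG --log-prefix "FW-PUB2LAN-DROP: "
iptables -A FORWARD -i $PUB_IF -o $LAN_IF -j DROP
EOF
}

# apply_rules creates the VLAN sub-interfaces, enables routing and loads the rules (needs root).
apply_rules() {
    ip link add link "$NIC" name "$LAN_IF" type vlan id 10
    ip link add link "$NIC" name "$PUB_IF" type vlan id 20
    ip addr add 192.168.10.1/24 dev "$LAN_IF"; ip link set "$LAN_IF" up
    ip addr add 192.168.20.1/24 dev "$PUB_IF"; ip link set "$PUB_IF" up
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv4.conf.all.rp_filter=1   # kernel-side reverse-path check as a second layer
    build_rules | sh
}

# "apply" loads the rules; with no argument the script only prints them for review.
if [ "$1" = "apply" ]; then apply_rules; else build_rules; fi
```

The switch ports must still be configured so that each host only sees its own VLAN; the firewall rules only govern traffic that is routed through the box.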