On Mon, Jul 27, 2015 at 7:37 AM, Christian Weisgerber <[email protected]> wrote:
> On 2015-07-27, Quartz <[email protected]> wrote:
>
>> Some years ago I remember reading that when using OpenBSD (or any OS,
>> really) as a router+firewall it was considered inadvisable from a
>> security standpoint to have the different networks all attached to a
>> single network card with multiple ethernet ports. The thinking being
>> that it was theoretically possible for an attacker to exploit bugs in
>> the card's chip to short-circuit the path and route packets directly
>> across the card in a way pf can't control. It was also suggested that in
>> addition to using different physical cards, the cards should really use
>> different chipsets too, in case an unknown driver bug allows a short
>> circuit.
>
> Those are not realistic concerns.
The Intel 82574L packet of death comes to mind as one example of a bug in the EEPROM that allowed an attacker to bring down an interface:

http://blog.krisk.org/2013/02/packets-of-death.html

These days you have "bypass" features in hardware that allow packets to flow from one interface to another even if the firewall is turned off. Who knows what other bugs in such functionality will be discovered in the future?

Having said that, just throwing random chipsets into the mix is probably not the right solution. You may actually be increasing your attack surface. If this is a real concern for you, I think multiple firewalls, one behind the other (and using different chipsets, if you really want to), is a better way to go.
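Whichever side of the argument above you land on, the first thing to establish is whether your firewall's networks actually do sit on one multi-port card or on one chipset. The script below is an added example written for this page, not code from either poster or from the OpenBSD project. It parses the "ifname at pciN dev D function F "Vendor Chip"" attach lines that OpenBSD's dmesg(8) prints for PCI NICs and reports which of the interfaces you name are PCI functions of the same device (ports of one card) and which share a chip. The dmesg lines embedded in it are constructed for the demonstration, and the interface names and MAC addresses are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample dmesg(8) lines (not from any real machine) in the
# 'ifname at pciN dev D function F "Vendor Chip" rev 0xNN: ...' shape that
# OpenBSD prints when it attaches a PCI network interface.  Interface names,
# chips and MAC addresses here are assumptions for the example only.
SAMPLE_DMESG = """\
em0 at pci2 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:00:5e:00:53:00
em1 at pci2 dev 0 function 1 "Intel 82574L" rev 0x00: msi, address 00:00:5e:00:53:01
em2 at pci3 dev 0 function 0 "Intel 82574L" rev 0x00: msi, address 00:00:5e:00:53:02
bge0 at pci4 dev 0 function 0 "Broadcom BCM5720" rev 0x00: msi, address 00:00:5e:00:53:03
vr0 at pci5 dev 0 function 0 "VIA VT6105M RhineIII" rev 0x96: apic 1 int 16, address 00:00:5e:00:53:04
"""

# The driver is the alphabetic prefix of the interface name (em, bge, vr, ...),
# so interfaces on the same chip necessarily share a driver as well.
ATTACH_RE = re.compile(
    r'^(?P<ifname>(?P<driver>[a-z]+)\d+) at (?P<bus>pci\d+) dev (?P<dev>\d+) '
    r'function (?P<func>\d+) "(?P<chip>[^"]+)"'
)


def parse_dmesg(text):
    """Return one dict per PCI NIC attach line; unrelated dmesg lines are ignored."""
    nics = []
    for line in text.splitlines():
        m = ATTACH_RE.match(line)
        if m:
            d = m.groupdict()
            d["dev"] = int(d["dev"])
            d["func"] = int(d["func"])
            nics.append(d)
    return nics


def _group(nics, keyfn, wanted):
    """Group the interfaces in `wanted` by keyfn; keep only groups of two or more."""
    groups = defaultdict(list)
    for n in nics:
        if n["ifname"] in wanted:
            groups[keyfn(n)].append(n["ifname"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def shared_cards(nics, wanted):
    """Interfaces that are different PCI functions of one device, i.e. ports of
    a single multi-port card.  Cards with an on-board PCIe bridge expose their
    ports on separate buses, so a clean result here is a first pass, not proof."""
    return _group(nics, lambda n: (n["bus"], n["dev"]), wanted)


def shared_chipsets(nics, wanted):
    """Interfaces that share a chip (and therefore a driver)."""
    return _group(nics, lambda n: n["chip"], wanted)


def report(text, wanted):
    """Human-readable findings for the firewall interfaces in `wanted`."""
    nics = parse_dmesg(text)
    findings = []
    for (bus, dev), names in sorted(shared_cards(nics, wanted).items()):
        findings.append(f"same card  {bus} dev {dev}: {', '.join(names)}")
    for chip, names in sorted(shared_chipsets(nics, wanted).items()):
        findings.append(f"same chip  {chip}: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g.  dmesg | python3 nic_layout.py em0 em1 em2
        text, wanted = sys.stdin.read(), set(sys.argv[1:])
    else:                   # demo on the constructed sample above
        text, wanted = SAMPLE_DMESG, {"em0", "em1", "em2", "bge0"}
    for line in report(text, wanted) or ["no shared cards or chipsets among the listed interfaces"]:
        print(line)
```

On the sample data the check reports that em0 and em1 are two functions of the same PCI device (one dual-port card) and that em0, em1 and em2 all use the same Intel 82574L chip, while bge0 shares nothing with them. On a live box, pipe dmesg into it with the interface names that carry your firewall's networks; the output is only as good as the attach lines, so on a system with a PCIe switch on the NIC treat a negative result as "not shown", not "not present".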

