Recently I advised a fellow at fedoraforum not to connect the orange and green interfaces of an IPcop machine to the same switch. I gathered he wanted to do that in order to save money by not buying a second switch, primarily. To be honest, I didn't think it would work, but apparently it did. Well, at least he says it did, and I have no reason to disbelieve him. So I learned something.

He connected his green and orange interfaces, each with a different subnet address of course, to a switch, then connected some FC5 clients to the same switch, configuring some of them on the green subnet and pointing to the green gateway, and the rest on the orange network pointing to the orange gateway.

Now IPcop and its ilk, as I understand them, base much of their security strength on maintaining separation among red, green, and orange networks. Orange is for a DMZ, green is for a protected LAN, and red faces the Internet.

I'm not a network or security guru, but am I wrong in thinking that the fellow's green network is now highly vulnerable to ARP exploits from the orange side? As far as layer 2 is concerned, everything is on the same network, right? Are ARP exploits not in vogue anymore? Are there other security risks in doing things this way? Is it a pretty common and acceptable practice these days to connect multiple subnets through a single non-VLAN switch as a matter of convenience or economy?

Thanks for your thoughts.

Jay
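
A passive check related to the question above, as an added example that is not part of the original post: it parses ARP frames captured on a green-side host and flags orange-subnet senders visible in the same broadcast domain, plus a green gateway address claimed by more than one MAC. The subnet, gateway address, MAC addresses and sample frames are constructed assumptions; the post gives none.

```python
import ipaddress
import struct

# Assumed addressing (the post gives none): orange zone and green gateway.
ORANGE = ipaddress.ip_network("192.168.2.0/24")
GREEN_GW = ipaddress.ip_address("192.168.1.1")


def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    return frame[22:28].hex(":"), ipaddress.ip_address(frame[28:32])


def audit(frames):
    """Findings from ARP frames captured on a host cabled to the green side."""
    findings, gw_macs = [], set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if ip in ORANGE:
            findings.append(f"orange host {ip} ({mac}) visible in green broadcast domain")
        if ip == GREEN_GW:
            gw_macs.add(mac)
    if len(gw_macs) > 1:
        findings.append(f"green gateway {GREEN_GW} claimed by {sorted(gw_macs)}")
    return findings


def make_arp(op, mac, ip, target_ip):
    """Build an in-memory ARP frame (broadcast destination) for the sample data."""
    smac = bytes.fromhex(mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + ipaddress.ip_address(ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return b"\xff" * 6 + smac + b"\x08\x06" + arp


# Constructed capture: real gateway, an orange host, a second MAC using the gateway IP.
SAMPLE = [
    make_arp(2, "02:00:00:00:01:01", "192.168.1.1", "192.168.1.20"),
    make_arp(1, "02:00:00:00:02:10", "192.168.2.10", "192.168.2.1"),
    make_arp(2, "02:00:00:00:02:10", "192.168.1.1", "192.168.1.20"),
]
print("\n".join(audit(SAMPLE)))
```

On a network where green and orange are on separate switches or VLANs, a green-side capture should produce neither finding.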