Actually, I was referring to non-routed VLANs, on the same switch(es), setup so that each ZEO Client has another NIC just to access that VLAN, which has no other traffic. I am currently setting up something like this, but I have the luxury of a dedicated NIC for this purpose (well, almost, I have udp heartbeats on this as well). I am trying to keep the ZEO server as isolated as possible from other networks. Forgive me if this is a dumb questions, but is there a way to bind the ZSS process to serve certain particular interfaces only? Sean -----Original Message----- From: Tino Wildenhain [mailto:tino@wildenhain.de] Sent: Friday, May 25, 2001 12:22 PM To: sean.upton@uniontrib.com; alet@unice.fr; bill@libc.org Cc: zope@zope.org Subject: RE: [Zope] Re: ZEO Client space was: Hi, --On Freitag, 25. Mai 2001 12:02 -0700 sean.upton@uniontrib.com wrote:
Right: there is no box root exploit issue, but if the ODB has a method that connects to your RDB and flushes out a table, in a non-transactional rdb, you are screwed if someone can, from an arbitrary client do this sort of thing.
Also, I would think that ZEO CS->ZSS type traffic would be best run on its own switched VLAN for security and performance reasons.
Vlans do not add considerable security. Since often the setup includes a firewall, one cant use them anyway in these cases. I think to solve the problem for arbitrary clients accessing ZODB we need an additionally layer on top of the application logic which can then be accessed via net using authorisation and such. We need this layer anyway for better application abstraction. But I fear this goes out of the scope of this thread. Regards Tino Wildenhain _______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )