Host in DMZ can hijack an IP in the Green network

I figured that a host connected to the Orange interface can set its IP to something in the Green network range and get access to everything on the Green network, exactly as if it were connected to the Green interface.

Is it supposed to work this way?

If the Orange and Green networks are separated as they should be, no. If you connect all hosts into the same switch, well…

In my case the host in the DMZ is directly connected to the Orange interface, no switch there.

I can only suggest you to try.
If you succeed, there’s something not optimal in your setup, because it should not happen.

You are right, there was a switch!

Without boring you with details the machine in the DMZ was a VM and I thought the physical NIC was passed through from the host but it was in fact sharing a bridge with the host.

Sorry for the noise.
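The hidden bridge in the post above is visible in the kernel's sysfs layout (/sys/class/net/<bridge>/brif/<port>). The script below is an added example, not part of this thread or of any firewall product; it reads that layout (SYSFS_NET is an assumed variable so the check can be pointed at a constructed tree) to show which bridge, if any, a DMZ VM's port shares with a host interface:

```shell
#!/bin/sh
# Added example: audit Linux bridge membership via sysfs.
# SYSFS_NET defaults to the real sysfs; the test points it at a constructed tree.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print the bridge that enslaves port $1; print nothing and return 1 if none.
bridge_of() {
    port="$1"
    for brif in "$SYSFS_NET"/*/brif; do
        [ -d "$brif" ] || continue
        if [ -e "$brif/$port" ]; then
            basename "$(dirname "$brif")"
            return 0
        fi
    done
    return 1
}

# Return 0 (true) when $1 and $2 are ports of the same bridge, 1 otherwise.
# This is the condition that silently joins a DMZ VM to the host's segment.
same_bridge() {
    a="$(bridge_of "$1")" || return 1
    b="$(bridge_of "$2")" || return 1
    [ "$a" = "$b" ]
}

# Print one line per bridge: "<bridge>: <port> <port> ..." for a quick review.
list_bridges() {
    for brif in "$SYSFS_NET"/*/brif; do
        [ -d "$brif" ] || continue
        br="$(basename "$(dirname "$brif")")"
        ports=""
        for p in "$brif"/*; do
            [ -e "$p" ] && ports="$ports $(basename "$p")"
        done
        echo "$br:$ports"
    done
}
```

Run `list_bridges` on the hypervisor and confirm the DMZ VM's port (e.g. a vnetN tap) is not listed next to the interface carrying the Green segment.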

This can happen if the network setup is not verified enough, both physical and virtual.

Just using virtualisation needs more verification. The “cables” and “connection equipment” are more hidden than in a real installation.

I can agree with you.