Firewall Wizards mailing list archives
Re: Using VLAN's in Firewall topologies
From: "Jan B. Koum " <jkb () best com>
Date: Wed, 28 Jul 1999 00:18:30 -0700
On Mon, Jul 26, 1999 at 06:14:07PM -0300, Ivan Arce <core.lists.firewall-wizards () core-sdi com> wrote:
CarlosCapmany Francoy wrote:

I foresee another pro and con to this kind of topology:

CON(s): First of all, there's an extra burden placed on the network administrator (and an extra degree of expertise). But most important, you must extend your security policy and procedures to cover also switch and vLAN administration, not only in terms of avoiding remote administration and the like, but also to control access, audit and triple-check any modification carried out in the switch configuration, including its routing functionality. Among others, you must be sure at every moment that routing is carried out exclusively by the firewall device in place (not by the RSM), no other systems can be (mis)placed in an existent vLAN without your knowledge, etc. Once a system is connected to a switch port, everything else depends on the switch (and RSM) configuration, so it is fairly easy to provoke unwanted or unexpected "logical shortcuts" that will avoid communication through the firewall (internal machine added to a DMZ vLAN, routing between DMZ and internal vLANs).

And more to it.... even if there is no "mis" configuration, that is, if everything is configured correctly, I'll refer to something that has been said over and over in the past years in this and other forums: The main design goal for a switch (although not the unique goal) is to optimize performance and increase throughput between the networked nodes, NOT to increase security.

While I haven't seen any definite research paper detailing methods to purposely turn a switch into a hub-like device, my general paranoid understanding is that it could be done and that the ways of doing it must be very vendor-model-firmware_version dependent.

-- 
Iván Arce <ivan () core-sdi com>
Presidente
CORE SDI S.A.
Pte. Juan D. Peron 315 4to UF17
(1394) Buenos Aires, Argentina.
TE/FAX: +54-11-43-31-54-02 +54-11-43-31-54-09
PGP fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
I second what Ivan is saying. Here is a note I sent to our internal ops list about switches and security:

-----------------------------------
I once in a while hear how switches protect us from a security point of things. I would like to stress yet again that switches are NOT security devices and are not designed with security in mind. So without any arp cache games, you are free to see that for yourself:

# tcpdump -l -s 1500 -w - not host `hostname -s` and tcp | strings

Granted, you will not get all that data (or even much), but with enough luck+time you can paste together some [maybe even using tcpslice(1)?] packets/sessions which will have important clear text in it. (Yes, if you filter out ssh, "and not port 22", you will get more useful stuff and less junk.)

-- Yan

P.S. - You get more fun out of UDP with NetBIOS and NFS being clear text and all.
-----------------------------------

Also, at a company I am doing security for now, when I just started the DMZ was a vlan as part of a normal network made up of HP switches. Heh... That got changed rather fast into a physically separate cisco cat switch ;)

-- Yan
Current thread:
- Using VLAN's in Firewall topologies btsec (Jul 20)
- Re: Using VLAN's in Firewall topologies Ge' Weijers (Jul 21)
- Re: Using VLAN's in Firewall topologies Kevin Steves (Jul 26)
- <Possible follow-ups>
- Re:Using VLAN's in Firewall topologies Dallas N Bishoff (Jul 21)
- Re: Using VLAN's in Firewall topologies CarlosCapmany Francoy (Jul 23)
- Re: Using VLAN's in Firewall topologies Ivan Arce (Jul 27)
- Re: Using VLAN's in Firewall topologies Jan B. Koum (Jul 29)
- Re: Using VLAN's in Firewall topologies Ivan Arce (Jul 27)