Firewall Wizards mailing list archives

Re: Using VLAN's in Firewall topologies


From: "Jan B. Koum " <jkb () best com>
Date: Wed, 28 Jul 1999 00:18:30 -0700

On Mon, Jul 26, 1999 at 06:14:07PM -0300, Ivan Arce <core.lists.firewall-wizards () core-sdi com> wrote:
CarlosCapmany Francoy wrote:

I foresee another pro and con to this kind of topology:


CON(s): First of all, there's an extra burden placed on the network
administrator (and an extra degree of expertise). But most important, you must
extend your security policy and procedures to also cover switch and vLAN
administration, not only in terms of avoiding remote administration and the
like, but also to control access, audit and triple-check any modification
carried out in the switch configuration, including its routing functionality.
Among others, you must be sure at every moment that routing is carried out
exclusively by the firewall device in place (not by the RSM), that no other systems
can be (mis)placed in an existing vLAN without your knowledge, etc. Once a
system is connected to a switch port, everything else depends on the switch
(and RSM) configuration, so it is fairly easy to provoke unwanted or unexpected
"logical shortcuts" that will avoid communication through the firewall
(internal machine added to a DMZ vLAN, routing between DMZ and internal vLANs).


And more to it....
Even if there is no "mis"configuration, that is, if everything is configured
correctly, I'll refer to something that has been said over and over in the past
years in this and other forums:

The main design goal for a switch (although not the only goal) is to optimize
performance and increase throughput between the networked nodes, NOT to increase
security. While I haven't seen any definite research paper detailing methods to
purposely turn a switch into a hub-like device, my general paranoid understanding
is that it could be done and that the ways of doing it must be very
vendor-model-firmware_version dependent.


--
--------------------------------------------------------------------------------------------

 Iván Arce <ivan () core-sdi com>
 Presidente
 CORE SDI S.A.
 Pte. Juan D. Peron 315 4to UF17 (1394) Buenos Aires, Argentina.
 TE/FAX: +54-11-43-31-54-02 +54-11-43-31-54-09
 PGP fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


        I second what Ivan is saying. Here is a note I sent to our internal
ops list about switches and security:


-----------------------------------
    I once in a while hear how switches protect us from a security point of
    things. I would like to stress yet again that switches are NOT security
    devices and are not designed with security in mind.

    So without any arp cache games, you are free to see that for yourself:

# tcpdump -l -s 1500 -w - not host `hostname -s` and tcp |strings

    Granted, you will not get all that data (or even much), but with enough
    luck+time you can paste together some [maybe even using tcpslice(1)?]
    packets/sessions which will have important clear text in it. (Yes, if
    you filter out ssh with "and not port 22", you will get more useful stuff
    and less junk.)

-- Yan

P.S. - You get more fun out of UDP with NetBIOS and NFS being clear text and all.
-----------------------------------


        Also, at a company I am doing security for now, when I just started
the DMZ was a vlan as part of a normal network made up of HP switches. Heh...
That got changed rather fast into a physically separate cisco cat switch ;)

-- Yan
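The tcpdump pipeline in Yan's note is a quick way to eyeball what a switch port leaks. As an added example (not from the thread or from any of its authors), the same observation can be turned into a repeatable check: parse captured frames, count unicast frames that are addressed to some other station (a correctly forwarding switch should deliver none of those to your port, so a steady trickle means it is flooding like a hub), and list which of those carry protocols that normally run in the clear. Everything below is constructed for the example: the MAC and IP addresses, the payloads, the frame builder, and the assumed list of cleartext ports; on a real host you would feed it frames read from a pcap file instead of SAMPLE_FRAMES.

```python
import struct

# Constructed addresses for this example; not real hosts.
OUR_MAC = bytes.fromhex("020000000001")
BROADCAST_MAC = b"\xff" * 6
# Assumed list of TCP ports whose protocols carry credentials or data in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
                   110: "pop3", 139: "netbios-ssn"}


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet II + IPv4 + TCP (no options) frame around a payload.
    Checksums are left zero: this builder only exists to construct sample input."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                          8192, 0, 0)            # data offset 5 words, flags PSH|ACK
    ip_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    eth_hdr = dst_mac + src_mac + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Extract the fields the audit needs; return None for non-IPv4/TCP frames."""
    if len(frame) < 14 + 20 + 20:
        return None
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                         # not TCP
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4
    return {"dst_mac": dst_mac, "src_mac": src_mac, "src_ip": src_ip,
            "dst_ip": dst_ip, "sport": sport, "dport": dport,
            "payload": tcp[data_off:]}


def audit_frames(frames, our_mac=OUR_MAC):
    """Count unicast frames not addressed to us (evidence the switch is flooding
    rather than forwarding) and list the cleartext-protocol payloads among them."""
    foreign = 0
    cleartext = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        dst = pkt["dst_mac"]
        is_group = bool(dst[0] & 1)        # multicast or broadcast: normal on any segment
        if dst == our_mac or is_group:
            continue
        foreign += 1
        proto = CLEARTEXT_PORTS.get(pkt["dport"]) or CLEARTEXT_PORTS.get(pkt["sport"])
        if proto and pkt["payload"]:
            cleartext.append((pkt["src_ip"], pkt["dst_ip"], proto,
                              pkt["payload"].decode("ascii", "replace")))
    return {"foreign_unicast": foreign, "cleartext": cleartext}


# Constructed sample capture (four frames) standing in for a real pcap.
SAMPLE_FRAMES = [
    # A telnet prompt sent to us: expected on our own port, not evidence of flooding.
    build_frame(OUR_MAC, bytes.fromhex("020000000002"),
                "10.0.0.2", "10.0.0.1", 23, 40001, b"login: "),
    # Someone else's telnet session: a forwarding switch would never deliver this to us.
    build_frame(bytes.fromhex("020000000003"), bytes.fromhex("020000000004"),
                "10.0.0.4", "10.0.0.3", 40002, 23, b"login: bob\r\n"),
    # Someone else's SSH traffic: also foreign, but encrypted, so nothing readable.
    build_frame(bytes.fromhex("020000000003"), bytes.fromhex("020000000004"),
                "10.0.0.4", "10.0.0.3", 40003, 22, b"\x8a\x11\xf0"),
    # An ARP broadcast (ethertype 0x0806): normal on any segment, ignored by the parser.
    BROADCAST_MAC + bytes.fromhex("020000000002") + struct.pack("!H", 0x0806) + b"\x00" * 28,
]

if __name__ == "__main__":
    report = audit_frames(SAMPLE_FRAMES)
    print("unicast frames for other stations:", report["foreign_unicast"])
    for src, dst, proto, text in report["cleartext"]:
        print(f"  {src} -> {dst} [{proto}] {text!r}")
```

On a switched port the interesting number is `foreign_unicast`: anything above zero over a quiet interval means the switch is delivering other stations' unicast traffic to you, which is the "hub-like" behaviour Ivan and Yan describe, and the `cleartext` list shows what that exposure costs.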


