Re: Layer 4 switch vs. firewall

["istong" <istong () zuniversity com>]

I'm curious what you mean when you say that if you are physically present
you can get around vlan'd switches.   I've always thought vlans were secure.
I.E.  traffic from one vlan cannot get to another vlan.  As for physical
security there are several options depending on your make of equipment to
secure it.

For example I routinely disable ports that are not used - to prevent someone
from just plugging in and gaining access to the network.   Additionally I
set the port to dynamically learn the mac address of devices.  Once learned
if you try to connect a different device to that port - the port disables
itself.

Are there other aspects relating to VLAN's and security that come to mind?


Ian


----- Original Message -----
From: "Tony Miedaner" <miedaner () twcny rr com>
To: "kince@hvbs" <kursat.ince () hvbs havelsan com tr>;
<firewall-wizards () nfr net>
Sent: Thursday, February 15, 2001 9:40 AM
Subject: Re: [fw-wiz] Layer 4 switch vs. firewall


> It depends on what you are protecting doesn't it.
>
> If you are physically present, VLAN'd Switches alone are easy to get
around.
> Layer 3/4 access lists are also easy to get around - change your IP and
> hookup to the right port and you are talking to something.
>
> If your goal is improve LAN performance and get limited visibility to
> sniffers and the like. A switch will work fine, but I am hesitant to
totally
> rely on switch security.
>
> If the environment is secure and subnetting is well defined by geography
> (i.e., dept.) the L3/4 access list provides as much protection as a router
> with ACL's would.  But this goes against VLAN'ing.
>
> Also my experience is that switches are difficult to manage (not to
mention
> access lists in general) - too easy to make a mistake.
> Also I do believe that some switches do have the ability to tie MACs to IP
> hard. but this is probably a management nightmare.
>
> That's my 2 cents.
>
> ----- Original Message -----
> From: "kince@hvbs" <kursat.ince () hvbs havelsan com tr>
> To: "Firewall Wizards" <firewall-wizards () nfr com>
> Cc: "Özgür Ergül" <ozgur () tis havelsan com tr>
> Sent: Wednesday, February 14, 2001 3:22 AM
> Subject: [fw-wiz] Layer 4 switch vs. firewall
>
>
> > Hi there,
> >
> > I have a question which I couldn't find an answer.
> >
> > Our LAN w/ 500+ computers (mostly PCs. Sun servers and NT servers also
> > exist). We want some kind of separation (and security) b/w the
departments
> > of the company.
> >
> > Shall we use a layer 3/4 switch or a firewall we couldn't decide.
> >
> > Can anybody compare layer 3/4 switches w/ firewalls w/ stateful
inspection
> > using the following criteria:
> >
> > * Management
> > * Thruput
> > * Access control
> > * Logging
> > * Availability
> > * Address translation
> > * Any other useful criteria
> >
> > Thank you in advance
> >
> > Kursat INCE
> > kince () tis havelsan com tr
> >
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://www.nfr.com/mailman/listinfo/firewall-wizards
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards