Firewall Wizards mailing list archives

Re: Firewalls and 802.1q trunking


From: David Pick <d.m.pick () qmul ac uk>
Date: Wed, 27 Nov 2002 19:40:12 +0000



My concern is that the "fan-out" boxes are typically run-of-the-mill
switches, like Cisco Catalysts, that probably have been designed without
any security aspirations. I wouldn't be surprised if those switches
could be attacked and tricked into leaking packets between VLANs.

A valid concern. My attitude is simple:
* If the switches are secure enough to keep VLANs separated for
normal traffic then they're secure enough to use as interfaces
to your firewall
* If they're not, well, they're not!

I would submit that secure enough to manage traffic inside your trusted
network is quite different from secure enough to define a security
boundary.

I'm sorry, I probably wasn't explicit enough in what I said. What
I should have said was that I didn't think the fact that there
was a firewall involved mattered at all here; if a switch was
judged secure enough to have *all* the VLANs involved (internal
*and* external/dangerous) connected to it (and that's another
argument about which *I*'m very conservative as well!) *then*
the fact that a firewall is connected to the switch is not
relevant; in the same way, if it is judged that one group of
VLANs can share switch fabric then a firewall interconnecting
them can use a trunk link to that switch fabric with no further
loss of security.

-- 
        David Pick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
