Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: David Pick <d.m.pick () qmul ac uk>
Date: Wed, 27 Nov 2002 19:40:12 +0000
> > > My concern is that the "fan-out" boxes are typically run-of-the-mill
> > > switches, like Cisco Catalysts, that probably have been designed without
> > > any security aspirations. I wouldn't be surprised if those switches
> > > could be attacked and tricked into leaking packets between VLANs.
> >
> > A valid concern. My attitude is simple:
> >
> >   * If the switches are secure enough to keep VLANs separated for normal
> >     traffic then they're secure enough to use as interfaces to your
> >     firewall
> >   * If they're not, well, they're not!
>
> I would submit that secure enough to manage traffic inside your trusted
> network is quite different from secure enough to define a security
> boundary.
I'm sorry, I probably wasn't explicit enough in what I said. What I should have said was that I didn't think the fact that there was a firewall involved mattered at all here; if a switch was judged secure enough to have *all* the VLANs involved (internal *and* external/dangerous) connected to it (and that's another argument about which *I*'m very conservative as well!) *then* the fact that a firewall is connected to the switch is not relevant; in the same way, if it is judged that one group of VLANs can share switch fabric, then a firewall interconnecting them can use a trunk link to that switch fabric with no further loss of security.

-- 
David Pick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
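Added example (not from the thread or any of its posters): a small Python model of the firewall end of an 802.1Q trunk, to make concrete what the argument above rests on. Every frame the switch fabric hands the firewall over the trunk carries a 4-byte tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), and the firewall can only bind a frame to a zone by trusting that VID; the VLAN-to-zone table, the decision to drop untagged and nested-tag frames on the trunk, and the sample frames are all constructed assumptions for illustration.

```python
"""Model of a firewall classifying frames received on an 802.1Q trunk.

Constructed example: the trunk/zone table, the drop rules for untagged or
nested-tag frames, and the sample frames are assumptions for illustration.
"""
import struct

TPID_8021Q = 0x8100          # EtherType that announces an 802.1Q tag
ETH_IPV4 = 0x0800

# Assumed trunk configuration: VIDs this trunk may carry, and the firewall
# zone (logical interface) each one maps to. Anything else is pruned.
TRUNK_VLANS = {10: "inside", 20: "dmz", 30: "outside"}


def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vid, ethertype, payload).

    vid is None for an untagged frame. Only the outer 802.1Q tag is parsed;
    if the inner EtherType is itself 0x8100, the caller sees that and decides.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF       # PCP (3 bits) and DEI (1 bit) sit above the VID
    return dst, src, vid, inner_type, frame[18:]


def build_frame(dst, src, vid, ethertype, payload):
    """Construct a frame, inserting an 802.1Q tag when vid is not None."""
    hdr = dst + src
    if vid is None:
        hdr += struct.pack("!H", ethertype)
    else:
        hdr += struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype)
    return hdr + payload


def classify(frame, trunk_vlans=TRUNK_VLANS):
    """Return the zone a trunk frame is assigned to, or the reason it is dropped.

    The firewall has nothing but the tag to go on, which is why the switch
    fabric that wrote the tag has to be trusted to keep VLANs apart.
    """
    _dst, _src, vid, ethertype, _payload = parse_frame(frame)
    if vid is None:
        return "drop: untagged frame on trunk"          # assumed trunk policy
    if vid in (0, 4095):
        return "drop: reserved VID %d" % vid
    if ethertype == TPID_8021Q:
        return "drop: nested 802.1Q tag"                # refuse ambiguous frames
    zone = trunk_vlans.get(vid)
    if zone is None:
        return "drop: VID %d not allowed on trunk" % vid
    return "accept: VID %d -> zone %s" % (vid, zone)


# Constructed sample traffic as seen by the firewall's trunk port.
MAC_FW = bytes.fromhex("020000000001")
MAC_HOST = bytes.fromhex("020000000002")
IPV4_STUB = b"\x45" + b"\x00" * 19           # minimal IPv4 header stand-in
SAMPLE_FRAMES = [
    build_frame(MAC_FW, MAC_HOST, 10, ETH_IPV4, IPV4_STUB),
    build_frame(MAC_FW, MAC_HOST, 30, ETH_IPV4, IPV4_STUB),
    build_frame(MAC_FW, MAC_HOST, 99, ETH_IPV4, IPV4_STUB),
    build_frame(MAC_FW, MAC_HOST, None, ETH_IPV4, IPV4_STUB),
    build_frame(MAC_FW, MAC_HOST, 20, TPID_8021Q,
                struct.pack("!HH", 30, ETH_IPV4) + IPV4_STUB),
]


def classify_all(frames=SAMPLE_FRAMES):
    """Classify a batch of frames; returns one decision string per frame."""
    return [classify(f) for f in frames]


if __name__ == "__main__":
    for decision in classify_all():
        print(decision)
```

The point the model makes is the one in the thread: the firewall's per-VLAN policy is only as good as the tag it is given, so the trunk adds no exposure beyond what the switch fabric already has, and removes none of it either.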
Current thread:
- Firewalls and 802.1q trunking Steffen Kluge (Nov 26)
- Re: Firewalls and 802.1q trunking Two Dog Flats (Nov 26)
- Re: Firewalls and 802.1q trunking Carson Gaspar (Nov 26)
- Re: Firewalls and 802.1q trunking David Pick (Nov 27)
- Re: Firewalls and 802.1q trunking ark (Nov 27)
- Re: Firewalls and 802.1q trunking R. DuFresne (Nov 27)
- Re: Firewalls and 802.1q trunking Jonn Martell (Nov 27)
- <Possible follow-ups>
- Re: Firewalls and 802.1q trunking Pearsall, Jim (Nov 27)
- Re: Firewalls and 802.1q trunking David Pick (Nov 27)
- Re: Firewalls and 802.1q trunking Stephen Gill (Nov 27)