Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: "Stephen Gill" <gillsr () yahoo com>
Date: Wed, 27 Nov 2002 14:00:44 -0600
] Having just addressed this topic a while ago, I found the following
] study:
] http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
] I have personally seen other brands of switches exhibit the same behavior.
] Overall, VLANS are a great technology, but they shouldn't be used for
] high-risk network segments.

A couple of things to keep in mind are that this study is now over two
years old and it can be mitigated w/ proper design and config. One example:

http://www.qorbit.net/documents/catalyst-secure-template.pdf
http://www.qorbit.net/documents/catalyst-secure-template.htm

] > Hi everyone,
] > I'd like to solicit your opinion on the popular trend of equipping
] > firewalls with (almost) arbitrary numbers of interfaces by means of
] > VLAN trunking. Many FW vendors (including Nokia, NetScreen, and the
] > like) are going down that path.

I very much like this capability and it makes it much easier to scale.

] > My concern is that the "fan-out" boxes are typically run-of-the-mill
] > switches, like Cisco Catalysts, that probably have been designed without
] > any security aspirations. I wouldn't be surprised if those switches
] > could be attacked and tricked into leaking packets between VLANs.

You control the switches, therefore you should also secure them. Properly
secured, there should be no issues.

] > Are there any studies devoted to this issue, or reports of successful
] > attacks against 802.1q separation that I should be aware of?

Only ones that can be mitigated.

] > In our environment we use firewalls with rather large numbers of
] > interfaces (typically 15 ~ 25), mostly based on Xylan switches running
] > FW-1. This product line has disappeared now and all alternative
] > solutions seem to be relying on VLAN trunking.

Wow! I didn't know people were still using these. We moved off of these a
few years ago and migrated to Nokia IP 650's at the time with 20 (physical)
interfaces per box. It seemed to be a good fit.

] > I'm not comfortable with the idea yet, but I wasn't comfortable with
] > the Xylan switches in the beginning, either. I'd like to think I'm too
] > paranoid, but then, that's my job...

Yeah, firewalling on these switches doesn't perform very well. We were only
getting about 5MB firewall throughput with our configurations and large
rulesets.

Cheers,
-- steve

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
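The reply above argues that VLAN separation on the fan-out switch holds up only if the switch is deliberately hardened. As an added illustration (not part of the thread, and not the qorbit template itself), the script below audits a constructed Catalyst-style running-config excerpt for three trunk settings a hardening template commonly pins down: DTP negotiation disabled, an unused native VLAN, and an explicit allowed-VLAN list. Interface names and VLAN numbers are assumed sample values.

```python
import re

# Constructed sample running-config excerpt (assumed names and VLAN ids).
# Gi0/1 is a default trunk; Gi0/2 is hardened; Gi0/3 is an access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
"""

def parse_interfaces(config):
    """Return {name: [stripped config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif line.startswith("!"):
            current = None          # '!' closes the stanza in IOS configs
        elif current is not None:
            stanzas[current].append(line.strip())
    return stanzas

def audit_trunks(config):
    """Map each trunk port to the hardening gaps found (empty list = clean)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue                # access ports are not trunk-audited here
        issues = []
        if "switchport nonegotiate" not in lines:
            issues.append("DTP negotiation enabled")
        if not any(l.startswith("switchport trunk native vlan") for l in lines):
            issues.append("native VLAN left at default (1)")
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            issues.append("all VLANs allowed on trunk")
        findings[name] = issues
    return findings
```

Running `audit_trunks(SAMPLE_CONFIG)` reports all three gaps on GigabitEthernet0/1 and none on GigabitEthernet0/2; the same checks can be pointed at a real `show running-config` dump.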