Firewall Wizards mailing list archives
Re: Using VLAN's in Firewall topologies
From: Ivan Arce <core.lists.firewall-wizards () core-sdi com>
Date: 26 Jul 1999 18:14:07 -0300
CarlosCapmany Francoy wrote:
> I foresee another pro and con to this kind of topology:
>
> CON(s): First of all, there's an extra burden placed on the network administrator (and an extra degree of expertise). But most important, you must extend your security policy and procedures to cover also switch and vLAN administration, not only in terms of avoiding remote administration and the like, but also to control access, audit and triple-check any modification carried out in the switch configuration, including its routing functionality. Among others, you must be sure at every moment that routing is carried out exclusively by the firewall device in place (not by the RSM), that no other systems can be (mis)placed in an existing vLAN without your knowledge, etc.
>
> Once a system is connected to a switch port, everything else depends on the switch (and RSM) configuration, so it is fairly easy to provoke unwanted or unexpected "logical shortcuts" that will avoid communication through the firewall (internal machine added to a DMZ vLAN, routing between DMZ and internal vLANs).
And more to it.... even if there is no "mis" configuration, that is, if everything is configured correctly, I'll refer to something that has been said over and over in the past years in this and other forums: the main design goal for a switch (although not the unique goal) is to optimize performance and increase throughput between the networked nodes, NOT to increase security.

While I haven't seen any definite research paper detailing methods to purposely turn a switch into a hub-like device, my general paranoid understanding is that it could be done and that the ways of doing it must be very vendor-model-firmware_version dependent.

--
--------------------------------------------------------------------------------------------
Iván Arce <ivan () core-sdi com>
Presidente
CORE SDI S.A.
Pte. Juan D. Peron 315 4to UF17
(1394) Buenos Aires, Argentina.
TE/FAX: +54-11-43-31-54-02 +54-11-43-31-54-09
PGP fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
--------------------------------------------------------------------------------------------
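The audit discipline Carlos describes (routing only on the firewall, never the RSM; no port quietly moved into a DMZ vLAN) and Ivan's point that the switch is not a security device both come down to checking the running switch configuration against a recorded baseline. As an added example that is not part of this thread, the following script parses a constructed IOS-style config and reports the drift a firewall administrator would want flagged; the interface names, VLAN ids and the address are assumptions made up for the example.

```python
# Constructed IOS-style config; interface names, VLAN ids and the address
# are assumptions for this example, not taken from any real switch.
SWITCH_CONFIG = """\
ip routing
interface FastEthernet0/1
 switchport access vlan 10
interface FastEthernet0/2
 switchport access vlan 20
interface FastEthernet0/3
 switchport access vlan 20
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
"""

# Recorded baseline of port membership (VLAN 10 = internal, VLAN 20 = DMZ).
EXPECTED_PORTS = {"FastEthernet0/1": 10, "FastEthernet0/2": 20}

def parse_config(text):
    """Return (ip_routing_on, {port: access vlan}, {SVI vlan ids with an address})."""
    routing, ports, svis, current = False, {}, set(), None
    for line in text.splitlines():
        body = line.strip()
        if body == "ip routing":
            routing = True
        elif line.startswith("interface "):
            current = line.split()[1]
        elif body.startswith("switchport access vlan ") and current:
            ports[current] = int(body.split()[-1])
        elif body.startswith("ip address ") and (current or "").startswith("Vlan"):
            svis.add(int(current[4:]))  # an addressed SVI is a layer-3 hop on the switch
    return routing, ports, svis

def audit(text, expected_ports):
    """Return policy findings; an empty list means the switch matches the record."""
    routing, ports, svis = parse_config(text)
    findings = []
    if routing:
        findings.append("ip routing enabled: the switch (RSM) can route around the firewall")
    for vlan in sorted(svis):
        findings.append(f"Vlan{vlan} carries an IP address: layer-3 path exists on the switch")
    for port, vlan in sorted(ports.items()):
        if port not in expected_ports:
            findings.append(f"{port} in VLAN {vlan} is not in the recorded baseline")
        elif expected_ports[port] != vlan:
            findings.append(f"{port} moved from VLAN {expected_ports[port]} to VLAN {vlan}")
    return findings

if __name__ == "__main__":
    for finding in audit(SWITCH_CONFIG, EXPECTED_PORTS):
        print(finding)
```

Run against a config pulled on a schedule, a non-empty result is exactly the "logical shortcut" or undocumented port change the thread warns about, and the baseline dictionary is the record that every approved change must update first.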