Firewall Wizards mailing list archives

Re: Connecting networks securely with a switch


From: tweir () paradise net nz
Date: Tue, 12 Dec 2000 01:14:19 GMT


I neglected to mention that it is a Layer 3 switch (Cisco 6006), configured with all the secure options based on Cisco and other guidance.  Any thoughts now?

From: "Brian Denehy" <B.Denehy () securegate net>
Subject: Re: [fw-wiz] Connecting networks securely with a switch

Repeat after me - a switch has no security enforcing function. Throw away the firewall, it's not doing anything for you if you bypass it. There are known attacks against switches which can't be fixed until the protocols (particularly 802.1q) are fixed.


Original Message:
To: firewall-wizards () nfr com
From: tweir () paradise net nz
Subject: Connecting networks securely with a switch
Date: Mon, 11 Dec 2000 02:35:01 GMT
-----
Wizards,
I work for a large solutions company which wants to connect a network that we have specifically created to our customers' networks via a firewall AND a switch in parallel.  The reason for the parallel connections is that we intend to use the firewall for X, ftp, telnet and some other systems management protocols (Tivoli) and use the switch for backup data requiring high (multi gig) throughput.  The switch will be configured to allow only 2 ports for Tivoli Storage Manager backup traffic.

So basic architecture is:
                 |-----------------------------------
                 |                                  |
                 |                                  |
Customer A |--Switch-----Backup Server-- |          |
           |--Firewall------------------ |(Mgmnt    |
                 |                       |Network)  |
                 |                       |          |
Customer B |-----|                                  |
    |-----------------------------------------

We have hardened the switch per all available guidance.
The reason we are using the switch rather than a high powered firewall is the throughput and the cost.

My questions are:
Has anyone implemented a similar architecture to this?
... if so, do they consider it secure and have they taken any other risk mitigation steps?
Is there a better way to do this?

Thanks
wizards
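The original post relies on the switch being "configured to allow only 2 ports" for the backup traffic, and the reply's point is that a switch ACL is the only control on that path, so it is worth verifying mechanically that the ACL really permits nothing but the intended flows. The following is an added example, not code from the thread or from Cisco: it parses an IOS-style numbered extended ACL and reports every permit entry that falls outside a stated backup policy (a permit on a non-TCP/UDP protocol, a permit with no port qualifier, an any-to-any permit, or a port that is not one of the allowed backup ports). The ACL number, addresses and the two port numbers in the sample are constructed assumptions, not values from the page.

```python
"""Audit an IOS-style extended ACL against an intended backup-only flow policy.

Added example (not from the thread or from Cisco).  The sample ACL below is
constructed for illustration: the ACL number, the addresses and the two
port numbers are assumptions, not values the original post gives.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Address forms accepted in an extended ACE: "any", "host A.B.C.D",
# or "A.B.C.D WILDCARD".
ADDR = r"(?:any|host \d+\.\d+\.\d+\.\d+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(
    rf"^access-list (?P<num>\d+) (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{ADDR})(?: eq (?P<sport>\d+))? "
    rf"(?P<dst>{ADDR})(?: eq (?P<dport>\d+))?\s*$"
)


@dataclass
class Ace:
    number: str
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_acl(text: str) -> List[Ace]:
    """Parse every 'access-list ...' line; comments and other lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE: {line}")
        aces.append(Ace(
            m["num"], m["action"], m["proto"], m["src"],
            int(m["sport"]) if m["sport"] else None,
            m["dst"],
            int(m["dport"]) if m["dport"] else None,
        ))
    return aces


def check_ace(ace: Ace, allowed: Set[Tuple[str, int]]) -> List[str]:
    """Reasons why a single permit entry is wider than the backup policy."""
    reasons = []
    if ace.action != "permit":
        return reasons            # deny entries never widen the policy
    if ace.proto not in ("tcp", "udp"):
        # 'permit ip ...' (or any other protocol) cannot be port-restricted.
        return [f"permits every port of protocol '{ace.proto}'"]
    if ace.src == "any" and ace.dst == "any":
        reasons.append("source and destination are both 'any'")
    port = ace.dport if ace.dport is not None else ace.sport
    if port is None:
        reasons.append(f"no port qualifier, permits all {ace.proto} ports")
    elif (ace.proto, port) not in allowed:
        reasons.append(f"{ace.proto}/{port} is not in the backup policy")
    return reasons


def audit(aces: List[Ace], allowed: Set[Tuple[str, int]]) -> Dict[int, List[str]]:
    """Map ACE index -> list of findings, for every permit outside the policy."""
    findings = {}
    for i, ace in enumerate(aces):
        reasons = check_ace(ace, allowed)
        if reasons:
            findings[i] = reasons
    return findings


# Constructed sample (assumption): the ACL applied toward a customer VLAN.
# Two entries are deliberately too wide so the audit has something to flag.
SAMPLE_ACL = """
! backup server 10.0.1.20 -> TSM server 10.0.9.5 on the two backup ports
access-list 101 permit tcp host 10.0.1.20 host 10.0.9.5 eq 1500
access-list 101 permit tcp host 10.0.1.20 host 10.0.9.5 eq 1501
access-list 101 permit tcp any any eq 23
access-list 101 permit ip host 10.0.1.21 any
access-list 101 deny ip any any
"""

# The two backup ports the design is meant to allow (assumed values).
POLICY = {("tcp", 1500), ("tcp", 1501)}

if __name__ == "__main__":
    for idx, reasons in audit(parse_acl(SAMPLE_ACL), POLICY).items():
        print(f"ACE {idx}: " + "; ".join(reasons))
```

Run against the sample, the audit flags entry 2 (any-to-any, and port 23 is not a backup port) and entry 3 (a protocol-level `permit ip` that no port restriction can narrow); the two backup entries pass. An implicit deny ends every IOS ACL, so the explicit `deny ip any any` is not required for the check, but it is the usual way to make the intent visible in the config.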




_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

