Firewall Wizards mailing list archives
RE: Firewalls and 802.1q trunking
From: "Steve Evans" <sevans () foundation sdsu edu>
Date: Tue, 10 Dec 2002 12:49:09 -0800
And can you say that the traffic coming from the internet is the most dangerous traffic on the network? I've always understood that the vast majority of the attacks come from the inside.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: David Pick [mailto:d.m.pick () qmul ac uk]
Sent: Wednesday, November 27, 2002 11:40 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Firewalls and 802.1q trunking

> > > My concern is that the "fan-out" boxes are typically run-of-the-mill switches, like Cisco Catalysts, that probably have been designed without any security aspirations. I wouldn't be surprised if those switches could be attacked and tricked into leaking packets between VLANs.
> >
> > A valid concern. My attitude is simple:
> > * If the switches are secure enough to keep VLANs separated for normal traffic then they're secure enough to use as interfaces to your firewall
> > * If they're not, well, they're not!
>
> I would submit that secure enough to manage traffic inside your trusted network is quite different from secure enough to define a security boundary.

I'm sorry, I probably wasn't explicit enough in what I said. What I should have said was that I didn't think the fact that there was a firewall involved mattered at all here; if a switch was judged secure enough to have *all* the VLANs involved (internal *and* external/dangerous) connected to it (and that's another argument about which *I*'m very conservative as well!) *then* the fact that a firewall is connected to the switch is not relevant; in the same way, if it is judged that one group of VLANs can share switch fabric then a firewall interconnecting them can use a trunk link to that switch fabric with no further loss of security.

--
David Pick

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards