Firewall Wizards mailing list archives

RE: Firewalls and 802.1q trunking


From: "Steve Evans" <sevans () foundation sdsu edu>
Date: Tue, 10 Dec 2002 12:49:09 -0800

And can you say that the traffic coming from the internet is the most
dangerous traffic on the network?  I've always understood that the vast
majority of the attacks come from the inside.

Steve Evans
SDSU Foundation
(619) 594-0653 

-----Original Message-----
From: David Pick [mailto:d.m.pick () qmul ac uk] 
Sent: Wednesday, November 27, 2002 11:40 AM
To: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Firewalls and 802.1q trunking 

My concern is that the "fan-out" boxes are typically 
run-of-the-mill switches, like Cisco Catalysts, that probably have 
been designed without any security aspirations. I wouldn't be 
surprised if those switches could be attacked and tricked into 
leaking packets between VLANs.

A valid concern. My attitude is simple:
* If the switches are secure enough to keep VLANs separated for  
normal traffic then they're secure enough to use as interfaces to 
your firewall
* If they're not, well, they're not!

I would submit that secure enough to manage traffic inside your 
trusted network is quite different from secure enough to define a 
security boundary.

I'm sorry, I probably wasn't explicit enough in what I said. What I
should have said was that I didn't think the fact that there was a
firewall involved mattered at all here; if a switch was judged secure
enough to have *all* the VLANs involved (internal
*and* external/dangerous) connected to it (and that's another argument
about which *I*'m very conservative as well!) *then* the fact that a
firewall is connected to the switch is not relevant; in the same way if
it is judged that one group of VLANs can share switch fabric then a
firewall interconnecting them can use a trunk link to that switch fabric
with no further loss of security.

-- 
        David Pick

_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
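The argument above turns on whether the switch fabric actually keeps the VLANs on a trunk apart. One way a defender can check that assumption from the firewall side is to capture frames arriving on the trunk interface and audit them against the VLAN set that trunk is supposed to carry. The script below is an added example, not code from the original thread or from either poster: it parses the 802.1Q tag (TPID 0x8100) out of raw Ethernet frames and flags any frame that is untagged or that carries a VLAN ID outside the allowed set. The frames, the MAC addresses and the allowed VLAN set {10, 20} are all constructed here for illustration; in practice the frames would come from a packet capture on the trunk port.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag.

    Returns a dict with the VLAN ID (None when the frame is untagged),
    the priority code point, and the inner EtherType.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # top 3 bits: priority
        vid = tci & 0x0FFF         # low 12 bits: VLAN identifier
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vid": vid,
        "pcp": pcp,
        "ethertype": ethertype,
    }


def audit_trunk(frames, allowed_vids):
    """Return (index, vid, reason) for every frame that violates trunk policy.

    Two conditions are reported: a frame with no tag at all (it would be
    placed in the native VLAN, which a firewall-facing trunk should not
    rely on) and a tagged frame whose VLAN is not in the allowed set.
    """
    findings = []
    for idx, frame in enumerate(frames):
        info = parse_frame(frame)
        if info["vid"] is None:
            findings.append((idx, None, "untagged frame on trunk"))
        elif info["vid"] not in allowed_vids:
            findings.append((idx, info["vid"], "VLAN not permitted on this trunk"))
    return findings


def build_frame(dst, src, vid=None, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Construct a test frame (hypothetical helper; only used for sample data)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        tci = vid & 0x0FFF         # priority 0, DEI 0
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed sample data: the trunk to the firewall is meant to carry
# VLANs 10 and 20 only.  Frame 2 arrives tagged for VLAN 30 and frame 3
# arrives untagged; both should be reported.
ALLOWED_VIDS = {10, 20}
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", vid=10),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:cc", vid=20),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:dd", vid=30),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:ee"),
]
FINDINGS = audit_trunk(SAMPLE_FRAMES, ALLOWED_VIDS)

if __name__ == "__main__":
    for idx, vid, reason in FINDINGS:
        print(f"frame {idx}: vid={vid} {reason}")
```

A finding for a VLAN the switch was configured never to forward on that trunk is exactly the "leaking packets between VLANs" case the quoted message worries about, and is worth treating as evidence that the switch is not holding the boundary it was trusted with.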