Firewall Wizards mailing list archives

Re: separating the servers on a switch


From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 12 Sep 2002 09:58:08 -0400 (EDT)

On Thu, 12 Sep 2002, Shimon Silberschlag wrote:

> We want to control which server can talk to which other server (in the
> segment), utilizing one of the firewalls (let's say the uplink one).

Firewalls are generally layer 3 devices, you're attempting to control a 
layer 2 connection.  For that you need a tool that works at layer 2.

This leaves you with only a few options:

Filtering on each device
VLANs
VPNs

one hack (that's probably good enough- but not bullet-proof):

Static ARP tables:  ARP only the routers/firewalls and the devices each 
device needs to talk to into a static ARP table, and don't let the devices 
do dynamic ARP (or equally hackish, statically ARP all the devices a server 
*doesn't* need to talk to to a non-existent address that isn't routed off 
the segment.)  You can do a cheesier version by subnetting and 
only putting devices which need to communicate on the same subnet and 
keeping subnet routes, but that assumes the sets don't overlap much- it's 
not going to stop an attacker from adding their own routes, but it'll stop 
casual stuff, and just supernet the segment on the firewalls. (I'd 
probably implement by making each device think it was on a /32 and then 
adding routes to the other /32s it needed to talk to- you could attempt to 
enforce that on a firewall if you made it the route, but understand it's 
relatively trivial to bypass.)

Finally, if you're mostly worried about TCP, you could span a port and put 
up a bridge that would send back RSTs for connection attempts outside of 
policy.  Not sure if it'd win the race every time though.

The _best_ solution is to separate the devices at the correct layer, and 
have each zone communicate through a layer 3 device with appropriate 
rules.  When I had to do that, I'd load a Sun Ultra2 up with SBUS Quad 
Fast Ethernet (QFE) cards and route/firewall through that- if you need 
more than ~9 networks, you're probably trying to enforce an unenforceable 
policy.  These days, I'd be tempted to try the same thing on NetBSD with 
IPFilter and quad PCI cards (Given a fast PCI bus and cards that would 
run at full speed.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
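The static-ARP and /32 host-route hacks Paul sketches above, worked through as an added example (this is not code from the original post or from anyone on the list). Given a list of servers on one segment and a policy of which pairs may talk, it derives each server's static ARP table (gateway and allowed peers pinned to their real MAC, everything else pinned to a bogus MAC so frames go nowhere), its /32 host routes, and the Linux iproute2 commands that would apply both. The segment, host names, addresses and MACs are constructed for illustration, `eth0` and the blackhole MAC `02:00:00:00:00:00` are assumptions, and the commands are only rendered as strings, never executed.

```python
"""Per-host static ARP tables and /32 host routes for a flat server segment.

Added example, not from the original post.  Works out, for each server on a
single switched segment, the static ARP table and host-route table Paul
describes as a hack.  Addresses, MACs and host names are constructed; the
interface name and the blackhole MAC are assumptions (any unused locally
administered address serves as the "non-existent address").
"""
from ipaddress import ip_address

IFACE = "eth0"                       # assumed interface name on every server
BLACKHOLE_MAC = "02:00:00:00:00:00"  # assumed unused locally-administered MAC

# Constructed segment: firewall/router uplink plus three servers.
GATEWAY = ("192.0.2.1", "00:00:5e:00:53:01")
HOSTS = {
    "web": ("192.0.2.10", "00:00:5e:00:53:10"),
    "app": ("192.0.2.20", "00:00:5e:00:53:20"),
    "db":  ("192.0.2.30", "00:00:5e:00:53:30"),
}
# Policy: which servers may talk to each other.  Pairs are undirected because
# ARP has to resolve in both directions before a connection can work.
ALLOWED_PAIRS = {frozenset({"web", "app"}), frozenset({"app", "db"})}


def allowed(a, b):
    """True if servers a and b are permitted to talk on the segment."""
    return frozenset({a, b}) in ALLOWED_PAIRS


def static_arp_table(host):
    """IP -> MAC for `host`: the gateway and allowed peers get their real MAC;
    every other server on the segment is pinned to the blackhole MAC, so a
    frame to it is dropped by the switch instead of triggering a lookup."""
    table = {GATEWAY[0]: GATEWAY[1]}
    for peer, (ip, mac) in HOSTS.items():
        if peer == host:
            continue
        table[ip] = mac if allowed(host, peer) else BLACKHOLE_MAC
    return table


def host_routes(host):
    """/32 variant: the server believes it sits on a /32, gets an on-link /32
    route to each allowed peer, and reaches everything else via the gateway.
    Returns (own_ip, sorted peer IPs, gateway_ip)."""
    own_ip = HOSTS[host][0]
    peers = sorted(
        (HOSTS[p][0] for p in HOSTS if p != host and allowed(host, p)),
        key=ip_address,
    )
    return own_ip, peers, GATEWAY[0]


def render_linux(host):
    """Linux iproute2 commands (returned as strings, not executed) applying
    both tables to `host`.  `ip link set ... arp off` disables dynamic ARP, so
    every reachable address must have a permanent neighbour entry."""
    own_ip, peers, gw = host_routes(host)
    lines = [
        f"ip addr flush dev {IFACE}",
        f"ip addr add {own_ip}/32 dev {IFACE}",
        f"ip link set dev {IFACE} arp off",
    ]
    neigh = sorted(static_arp_table(host).items(), key=lambda kv: ip_address(kv[0]))
    for ip, mac in neigh:
        lines.append(f"ip neigh replace {ip} lladdr {mac} dev {IFACE} nud permanent")
    for ip in peers:
        lines.append(f"ip route add {ip}/32 dev {IFACE}")
    lines.append(f"ip route add {gw}/32 dev {IFACE}")
    lines.append(f"ip route add default via {gw} dev {IFACE}")
    return lines


def check_coverage():
    """Every server's static table must name every other address on the
    segment.  A missing entry would not be an enforced denial; with dynamic
    ARP off it is just a silently unreachable peer, and with ARP on it is a
    hole the policy never closed."""
    expected = {GATEWAY[0]} | {ip for ip, _ in HOSTS.values()}
    for host, (own_ip, _) in HOSTS.items():
        if expected - {own_ip} - set(static_arp_table(host)):
            return False
    return True


if __name__ == "__main__":
    for host in HOSTS:
        print(f"# {host}")
        print("\n".join(render_linux(host)))
    print("coverage ok" if check_coverage() else "coverage gap")
```

The coverage check is the part worth keeping even if the rest is thrown away: the scheme only denies anything if every server's table is complete, and a forgotten host becomes a gap rather than a denial. As Paul says, none of this survives an attacker with root on one of the servers, who can simply replace the neighbour and route tables; it stops casual cross-talk, not a compromised host.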

