Firewall Wizards mailing list archives
Re: separating the servers on a switch
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 12 Sep 2002 09:58:08 -0400 (EDT)
On Thu, 12 Sep 2002, Shimon Silberschlag wrote:
> We want to control which server can talk to which other server (in the segment), utilizing one of the firewalls (let's say the uplink one).
Firewalls are generally layer 3 devices; you're attempting to control a layer 2 connection. For that you need a tool that works at layer 2. This leaves you with only a few options:

- Filtering on each device
- VLANs
- VPNs
- One hack (that's probably good enough, but not bullet-proof): static ARP tables. ARP only the routers/firewalls and the devices each device needs to talk to into a static ARP table, and don't let the devices do dynamic ARP (or, equally hackish, statically ARP all the devices a server *doesn't* need to talk to to a non-existent address that isn't routed off the segment).

You can do a cheesier version by subnetting and only putting devices which need to communicate on the same subnet and keeping subnet routes, but that assumes the sets don't overlap much. It's not going to stop an attacker from adding their own routes, but it'll stop casual stuff; just supernet the segment on the firewalls. (I'd probably implement by making each device think it was on a /32 and then adding routes to the other /32s it needed to talk to. You could attempt to enforce that on a firewall if you made it the route, but understand it's relatively trivial to bypass.)

Finally, if you're mostly worried about TCP, you could span a port and put up a bridge that would send back RSTs for connection attempts outside of policy. Not sure if it'd win the race every time though.

The _best_ solution is to separate the devices at the correct layer, and have each zone communicate through a layer 3 device with appropriate rules. When I had to do that, I'd load a Sun Ultra2 up with SBUS Quad Fast Ethernet (QFE) cards and route/firewall through that; if you need more than ~9 networks, you're probably trying to enforce an unenforceable policy. These days, I'd be tempted to try the same thing on NetBSD with IPFilter and quad PCI cards (given a fast PCI bus and cards that would run at full speed).

Paul

-----------------------------------------------------------------------------
Paul D. Robertson        "My statements in this message are personal opinions
proberts () patriot net  which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment, TruSecure Corporation
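The static-ARP hack in the reply above, worked as an added example (not code from the original post or the list). It takes a peer policy, builds each server's static neighbor table with a sink MAC for disallowed hosts, renders Linux `ip neigh` commands, and flags asymmetric policy entries, where one side's static table would silently break the other side's replies. Hostnames, addresses and MACs are constructed.

```python
"""Per-host static ARP (neighbor) tables from a peer policy; constructed inventory."""

# Constructed inventory: host -> (IPv4, MAC).  "fw" is the uplink firewall.
HOSTS = {
    "fw":   ("192.0.2.1",  "02:00:00:00:00:01"),
    "web1": ("192.0.2.10", "02:00:00:00:00:10"),
    "app1": ("192.0.2.20", "02:00:00:00:00:20"),
    "db1":  ("192.0.2.30", "02:00:00:00:00:30"),
}

# Policy: which peers each server may talk to (the gateway is always allowed).
POLICY = {
    "web1": {"app1"},
    "app1": {"web1", "db1"},
    "db1":  {"app1"},
}

GATEWAY = "fw"
# Sink MAC: a locally administered address no host on the segment owns, so
# frames for disallowed peers go nowhere (the "non-existent address" variant).
SINK_MAC = "02:de:ad:be:ef:00"


def policy_asymmetries(policy):
    """(a, b) pairs where a may reach b but b may not reach a.  With static ARP
    on both hosts, b cannot address its replies to a, so the entry is dead."""
    return sorted((a, b) for a, peers in policy.items() for b in peers
                  if a not in policy.get(b, set()))


def neighbor_table(host, policy, hosts=HOSTS, gateway=GATEWAY, sink=SINK_MAC):
    """IP -> MAC for `host`: real MAC for the gateway and allowed peers, the
    sink MAC for every other inventoried host on the segment.  Suppressing
    dynamic ARP for addresses *not* in the table is OS-specific and not done here."""
    allowed = set(policy.get(host, set())) | {gateway}
    return {ip: (mac if name in allowed else sink)
            for name, (ip, mac) in hosts.items() if name != host}


def ip_neigh_commands(host, policy, iface="eth0"):
    """Render the table as iproute2 permanent neighbor entries (iface assumed)."""
    return [f"ip neigh replace {ip} lladdr {mac} nud permanent dev {iface}"
            for ip, mac in sorted(neighbor_table(host, policy).items())]


if __name__ == "__main__":
    for pair in policy_asymmetries(POLICY):
        print("asymmetric policy entry:", pair)
    for cmd in ip_neigh_commands("web1", POLICY):
        print(cmd)
```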