Re: Firewalling between T-1's, an ATM switch and a switched office

[m p <sumirati () yahoo de>]

 --- Steven Ackerman <ackerman_steven () yahoo com> schrieb: > Greetings,
> I work for a small network consulting firm. Security
> has not been researched or applied much prior to my
> arrival. I am trying to change that, although I have
> limited understanding and less experience.
>
> The person I work for directly is trying to setup a
> Watchguard box with content filtering between two
> switches and 4 t-1 lines. The setup is as follows:
>
> ATM switch with one incoming internet connection, 4
> t-1's on the inside (each goes to a different school),
> 2 Ethernet ports. One ethernet (eth 0) port has a
> cisco switch which connects another office. The second
> (eth1) ethernet port connects a watchgaurd box. The
> Watchgaurd box has 3 ethernet ports on it.
>
> My boss wants to route incoming traffic through the
> Eth0 port to the switch and then to the watchgaurd box
> and to the appropriate t-1/school and visa verse
> (sp?). It looks to me like this bypasses the firewall.
>
> Can this work through ACL's at the ATM switch?

Yes.

> Is this unsafe?

Compared to what?

> How can I explain this is unsafe to an admin
> that doesn't see how it is unsafe when he can use
> ACL's on source and destination IP's and ports?

First you have to understand how ATM works, before you can say something about
security. First of all - I don't know much about ATM (as your Joe Averange
Hacker will do).

ATM is some levels below IP. If you compare it with Ethernet it is the cable
and the CRC level of the device itself. But inside itself it is a full-sized
client-server application. On that you emulate your "normal" Ethernet network.

ATM works in that case like "pipes" through which the pakets _have_ to go. For
what I understand from ATM he will use LAN-E to make virtuell connects between
the ports. There is no way (if you don't have access to the ATM layer - which
means you are already in the network of the telco) to circumvent those ACLs in
the ATM layer.

If he speaks about ACLs for IP - he shouldn't. There are know ways to
circumvent them (because they are not stateful in the most cases). But no
switch that I know of have ACLs for IP (but I'm no network guy) - only the
routers I met.
A router with ACLs is a nice addition to a firewall system - but I won't put it
alone somewhere.

Hope that helps

Marc

PS: Some ASCII-art is nice to get a better picture. I thing your topology is:

Internet <-> ATM-Switch <-> 4 x T1

              ^       ^
              |       |
       Other office   |
                   Firewall

I hope that I understood that right.



__________________________________________________________________

Gesendet von Yahoo! Mail - http://mail.yahoo.de
Bis zu 100 MB Speicher bei http://premiummail.yahoo.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards