Firewall Wizards mailing list archives

Re: Worms, Air Gaps and Responsibility


From: Mason <hr824 () sunwave net>
Date: Wed, 5 May 2004 23:02:16 -0700

On May 5, 2004 09:11 am, Rogan Dawes wrote:
> On a related note, I've been thinking quite a lot about having switches
> perform firewall tasks. I see no reason why it should not be possible to
> classify ports into groups such as "server" and "desktop" (at a
> minimum), and apply appropriate filtering rules between the groups.
>
> e.g. desktops may only talk to servers, not to each other.

It should be possible to put each host (port) in its own vlan and trunk all 
traffic to a gateway/firewall (I am planning to do this with a linux box and 
an old cisco cat1924).  I wouldn't want to try this on a large network, but I 
plan to do this for a small repair bench that can have up to 10 PCs on it 
simultaneously.  I have had to resort to this because boxes that come in for 
repair tend to chat amongst themselves... :P

wrt
> classify ports into groups such as "server" and "desktop"

I use an iptables firewall configuration interface called shorewall 
(www.shorewall.net) for all my basic quick firewall stuff.  With shorewall, 
I should be able to configure a single "zone" that will include all my vlan 
interfaces (each vlan on the switch corresponds to a vlan interface on the 
linux box). Then all I will need to set up is a ruleset (in addition to basic 
antispoofing rules, NAT, etc) that says "bench" can talk to windowsupdate and 
online virus scanners, the "worm laden internet" cannot talk to the PCs, and 
no routing is permitted between vlan interfaces.

--
Mason Schmitt
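The setup Mason sketches above, written out as a Shorewall 2.x-era configuration; this is an added illustration, not the poster's own files. It assumes eth0 is the Internet uplink, eth1 is the trunk to the switch with one 802.1Q VLAN (101, 102, ...) per bench port, each VLAN carrying a 10.10.N.0/24 subnet, and placeholder hostnames for the update and scanner sites.

```text
# /etc/shorewall/zones        (ZONE   DISPLAY   COMMENTS)
net     Net     Worm-laden Internet
bench   Bench   Repair bench, one VLAN per PC

# /etc/shorewall/interfaces   (ZONE   INTERFACE   BROADCAST   OPTIONS)
net     eth0        detect   routefilter,norfc1918   # basic antispoofing
bench   eth1.101    detect   dhcp,routefilter        # VLAN 101: bench port 1
bench   eth1.102    detect   dhcp,routefilter        # VLAN 102: bench port 2
bench   eth1.103    detect   dhcp,routefilter        # ... one line per port, up to 10

# /etc/shorewall/masq         (INTERFACE   SUBNET)
eth0    10.10.0.0/16                                 # NAT the per-VLAN /24s out eth0

# /etc/shorewall/policy       (SOURCE   DEST   POLICY   LOG LEVEL)
bench   bench   DROP     info   # no routing between VLAN interfaces (intra-zone policy)
bench   net     DROP     info   # bench reaches the net only via explicit rules
bench   fw      DROP     info
net     all     DROP     info   # the Internet never initiates towards the PCs
all     all     REJECT   info

# /etc/shorewall/rules        (ACTION   SOURCE   DEST   PROTO   DEST PORT(S))
ACCEPT  bench   net:windowsupdate.example   tcp   80,443   # placeholder for the update site
ACCEPT  bench   net:onlinescanner.example   tcp   80,443   # placeholder for an online virus scanner
ACCEPT  bench   fw                          udp   53       # assumes a DNS forwarder on the gateway
```

Hostnames in the DEST column are resolved once when Shorewall starts, so a site served from many changing addresses needs a `shorewall restart` (or an address list) to keep the rule accurate. With a single host per VLAN the switch already isolates the PCs at layer 2; the `bench bench DROP` policy just makes sure the gateway does not route between them either.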
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

