Firewall Wizards mailing list archives
Use of single port aggregations to enhance security
From: Darren Reed <Darren.Reed () Sun COM>
Date: Wed, 06 Jan 2010 06:12:46 +1100
I'm curious if anyone has toyed with the idea of creating single port LACP aggregations on switches and connecting firewalls that also speak LACP to them. The purpose of this is that some (all?) switches will disable an aggregation port when LACP is not running, so the LACP protocol becomes something of a link-state protocol between the operating system and the switch.

So what difference can this make?

If you're using an operating system based firewall (Linux, BSD, Solaris), then depending on the order in which the operating system enables firewall capabilities vs. networking, there may be windows where packets are able to reach code paths that they weren't intended for, because NIC drivers start servicing packets quite early. However, nearly all of the above operating systems implement LACP in software. This means that there's a "knob" that can be used on the firewall host to control whether or not the switch sends stuff to the firewall, potentially allowing you to close that window (if it exists).

This might cause problems if you're doing some sort of out-of-band remote console over that port O:->

I admit that caring about this might require a special level of paranoia :) But the idea of being able to turn the tap off, rather than just pour what comes out of the hose down the drain, does have some merit O:)

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
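The ordering Darren describes, as an added example that is not part of the original post or of any of the firewall projects mentioned: a POSIX sh boot/shutdown helper for a Linux host that loads the nftables ruleset first and only then creates the 802.3ad (LACP) bond and starts the LACPDU exchange, so the switch keeps the single-port aggregation down until the firewall is in place. The interface names `eth0`/`bond0`, the ruleset path `/etc/nftables.conf` and the `DRY_RUN` planner are assumptions for illustration; the `ip link` and `nft` invocations are standard iproute2 and nftables syntax. With `DRY_RUN=1` (the default) it only prints the command sequence; run it as root with `DRY_RUN=0 ./lacp-knob.sh boot` to apply it.

```shell
#!/bin/sh
# Added example, not from the original post. Sequence "firewall up" before
# "LACP up" on a Linux firewall host, and the reverse on shutdown, so the
# switch-side aggregation port only comes up once the ruleset is loaded.
# Assumed names (placeholders): eth0 is the physical NIC, bond0 the LACP
# aggregation, /etc/nftables.conf the ruleset with policy-drop base chains.

NIC=${NIC:-eth0}
BOND=${BOND:-bond0}
RULESET=${RULESET:-/etc/nftables.conf}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the plan, 0 = actually run the commands

# Execute a command, or just echo it when planning.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: load the ruleset while the link is still down. The base chains'
# hooks and drop policies are in place before any frame can be serviced.
firewall_up() {
    run nft -f "$RULESET"
}

# Step 2: create the 802.3ad bond, enslave the single NIC and bring the
# bond up. Bringing bond0 up is what starts sending LACPDUs; until the
# switch sees them it keeps the aggregation port out of the bundle.
link_up() {
    run ip link add "$BOND" type bond mode 802.3ad lacp_rate fast
    run ip link set "$NIC" down
    run ip link set "$NIC" master "$BOND"
    run ip link set "$BOND" up
}

# Shutdown is the mirror image: stop LACP first (the switch drops the
# port), and only then is it safe to tear the rules down.
link_down() {
    run ip link set "$BOND" down
    run ip link del "$BOND"
}

firewall_down() {
    run nft flush ruleset
}

boot_sequence() {
    firewall_up
    link_up
}

shutdown_sequence() {
    link_down
    firewall_down
}

# Stand-alone use: ./lacp-knob.sh boot | shutdown
case "${1:-}" in
    boot)     boot_sequence ;;
    shutdown) shutdown_sequence ;;
esac
```

The switch side needs a matching LACP-active aggregation containing just that one port (on Cisco-style gear, `channel-group 1 mode active` on the interface, as one example); a port configured as a plain access port would forward regardless of whether LACP is running and the "knob" would do nothing. The ruleset loaded in step 1 should define its base chains with `policy drop`, otherwise the ordering buys nothing. As Darren notes, anything that rides the same port for out-of-band access, including the LACP link itself, is unreachable until step 2 completes.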
Current thread:
- Use of single port aggregations to enhance security Darren Reed (Jan 07)
- Re: Use of single port aggregations to enhance security Paul Melson (Jan 08)
- Re: Use of single port aggregations to enhance security ArkanoiD (Jan 11)
- Re: Use of single port aggregations to enhance security david (Jan 12)