Penetration Testing mailing list archives
Re: Clueless firewall configuration ?
From: John Kinsella <jlk () thrashyour com>
Date: Fri, 11 Aug 2006 08:13:18 -0700
On Fri, Aug 11, 2006 at 10:08:09PM +0200, cableguy clueless wrote:
2 cisco 6509 each with firewall blade in them. These function as core switches for a 1000 users site with lots of vlans and FW roules between the vlans (oh and we are a big production site that relies on these cores to let our ciritical bussiness process machines communicate to the servers). He wants to create 2 vlans, 1 for untrusted traffic and 1 vlan for DMZ machines and assign physical ports to these to connect to the internet. The DMZ vlan would also have some physical ports. These ports would not be on the core switch but on the access layer switches that are fiber attached to the distribution switches that attach to the cores...
I actually architected something vaguely similar for a large retailer last year, although there were about 50 vlans total and several other layers of security as well (edge filtering egres/ingres, separate vendor and employee vpns, etc). So with that background, I'll comment a bit: Looking just at the vlan part, there is in theory the ability to "jump" vlans (well covered topic on securityfocus lists). I would probably consider spitting the DMZs off before they hit the cats, either routed to a different port on the edge devices, or a firewall (different brand might be of interest, depeding on paranoia) sitting in front of the cats. Depends on value of the rest of the network and it's contents. Tradeoff here is more hardware to purchase, architect, manage, and more potential points of failure. Looking at it from a DOS point of view, if there is significant traffic levels flowing through the switches, the designer must be aware of design details such as how many ports per ASIC and backplane bandwidth for the supervisor card being used. Otherwise packets can be dropped under heavy enough loads (I've seen that at a different site, it was ugly and cost millions in revenue - not my design :) ). Hopefully the cores have been hardened, telnet turned off, real passwords set, good versions of IOS, etc. I'd say the easiest attacks against those devices would be if the operational aspects haven't been well executed. John ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Clueless firewall configuration ? cableguy clueless (Aug 11)
- Re: Clueless firewall configuration ? Tim (Aug 11)
- Re: Clueless firewall configuration ? John Kinsella (Aug 12)
- Re: Clueless firewall configuration ? Chris Byrd (Aug 12)
- Re: Clueless firewall configuration ? John Kinsella (Aug 13)
- Re: Clueless firewall configuration ? John Kinsella (Aug 12)
- Re: Clueless firewall configuration ? PC (Aug 12)
- Re: Clueless firewall configuration ? okrehel (Aug 15)
- RE: Clueless firewall configuration ? Ng, Kenneth (US) (Aug 15)
- RE: Clueless firewall configuration ? Smith, Michael J. (Aug 16)
- RE: Clueless firewall configuration ? Ng, Kenneth (US) (Aug 18)
- RE: Clueless firewall configuration ? Smith, Michael J. (Aug 16)
- <Possible follow-ups>
- RE: Clueless firewall configuration ? Shenk, Jerry A (Aug 11)
- Re: Clueless firewall configuration ? s-williams (Aug 12)
- RE: Clueless firewall configuration ? Gonenc, Ozan (Aug 14)
- Re: Clueless firewall configuration ? Tim (Aug 11)