Firewall Wizards mailing list archives

Re: switches in a fw environment


From: Mark Coleman <mcoleman () borg pulsenet com>
Date: Wed, 01 Jul 1998 15:22:40 -0400

Gerhard Mezger wrote:

How do you feel about the usage of switches interconnecting different
security domains? To illustrate my question let's take a look at a
very

Hi.  Long time listener, first time caller.  Here is my 2 cents:

I looked into the VLAN issue because a customer wanted to create a small
VLAN in a Xyplex switch to contain his DMZ.  My opinion was this: the
Xyplex is managed via IP and this puts you at the mercy of trusting the
switch manufacturer's code to prevent someone from getting in and
joining up the VLANs thus bypassing the firewall altogether.  Not just
via management but also through back doors and manufacturer-specific
exploits in the operating code.  (Remember those default passwords in
the ROMs of the other vendors switches?)  My opinion: don't do it.

Also remember that it is known that you can get around the layer 2
segregation by flooding a switch's tables, forcing it into a "forwarding
mode" that starts passing all data everywhere.  Just get an independent
switch or a standalone hub for your DMZ.

-Mark Coleman
-Network Access Corporation
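Mark's remark about flooding a switch's tables concerns the MAC forwarding table. As an added example, constructed for this page and not code from either poster, the Python below models a learning switch with a bounded MAC table: once an attacker sprays frames with fabricated source addresses, the legitimate entries are displaced and a frame from the firewall to the web server is flooded out of every other port in that broadcast domain, the attacker's included. The same model with a per-port address limit (what vendors call port security) shuts the offending port instead. The table size, the eviction order, the port numbering and the MAC addresses are assumptions of the toy model, not properties of any real switch.

```python
"""Toy model of a learning switch with a bounded MAC (CAM) table.

Constructed example for this page (not from the thread). It shows why
overflowing the forwarding table turns a switch into a hub for the
displaced destinations, and how a per-port address limit stops it.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    ingress: int   # port the frame arrived on


class Switch:
    def __init__(self, ports, table_size, port_limit=None):
        self.ports = set(ports)
        self.table_size = table_size    # assumed CAM capacity (toy value)
        self.port_limit = port_limit    # max MACs learned per port; None = unlimited
        self.table = OrderedDict()      # mac -> port, oldest entry first
        self.err_disabled = set()       # ports shut down by the port-security check

    def _learn(self, mac, port):
        if mac in self.table:
            self.table.move_to_end(mac)
            self.table[mac] = port
            return
        if self.port_limit is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.port_limit:
                # Port-security violation: shut the port instead of learning.
                self.err_disabled.add(port)
                return
        if len(self.table) >= self.table_size:
            # Table full: evict the oldest entry. Real CAMs differ in the
            # details, but a full table means legitimate entries get displaced.
            self.table.popitem(last=False)
        self.table[mac] = port

    def forward(self, frame):
        """Return the set of ports the frame is sent out of."""
        if frame.ingress in self.err_disabled:
            return set()
        self._learn(frame.src, frame.ingress)
        out = self.table.get(frame.dst)
        if out is not None and out != frame.ingress:
            return {out}
        # Unknown (or evicted) destination: flood every other live port.
        return self.ports - {frame.ingress} - self.err_disabled


# Assumed port layout and addresses for the scenario (constructed).
WEB_PORT, FW_PORT, ATTACKER_PORT = 1, 2, 3
WEB_MAC, FW_MAC = "00:00:00:00:00:01", "00:00:00:00:00:02"


def run_scenario(port_limit=None, flood_count=64):
    """Flood the table from port 3, then see where a firewall->WEB frame goes.

    Returns (egress ports for the final frame, ports shut by port security).
    """
    sw = Switch(ports=(WEB_PORT, FW_PORT, ATTACKER_PORT),
                table_size=32, port_limit=port_limit)
    # Normal traffic: the switch learns where WEB and the firewall live.
    sw.forward(Frame(WEB_MAC, FW_MAC, WEB_PORT))
    sw.forward(Frame(FW_MAC, WEB_MAC, FW_PORT))
    # Attacker on port 3 sprays frames with fabricated source MACs.
    for i in range(flood_count):
        fake_src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        sw.forward(Frame(fake_src, "ff:ff:ff:ff:ff:ff", ATTACKER_PORT))
    # Firewall now sends a frame to WEB: unicast to port 1, or flooded?
    egress = sw.forward(Frame(FW_MAC, WEB_MAC, FW_PORT))
    return egress, sw.err_disabled


if __name__ == "__main__":
    print("no port limit:   egress", *run_scenario())
    print("1 MAC per port:  egress", *run_scenario(port_limit=1))
```

With no per-port limit the firewall's frame leaves on ports 1 and 3, so the attacker reads traffic meant for the web server; with one address allowed per port, the attacker's second fabricated source address err-disables port 3 and the frame goes to port 1 only.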
--------------------------------------
(Original message follows)
How do you feel about the usage of switches interconnecting different
security domains? To illustrate my question let's take a look at a very
simplified Internet connection:


              PR   -----------  Firewall --------- internal net (S)
                                   !
                                   !
                                  WEB

PR=Provider Router;  WEB=Webserver in DMZ;   S=System in the internal
net (running critical applications).

Internet users are only allowed to access the Webserver; access from the
internal net to the Internet is very restricted. So far the logical
layout. Let's now look at a possible physical implementation using
VLANs:


                             Firewall
                               !  !  !  vlans 1 2 3
                            +---------+
               PR---------- !  Switch !-----------S
             vlan1          +---------+  vlan3
                                  !
                            vlan2 !
                                  !
                                WEB

I am not sure about the security risk imposed by a central switch
especially because the management of the switch will be done over a
(separate) VLAN. I am searching for arguments to become either more
comfortable with this solution or to have strong technical arguments
against it.

Your input is highly appreciated
Gerhard

(end quote)


