Firewall Wizards mailing list archives
Re: Raptor Firewall and ISL/802.1q Trunking
From: Lenard Lynch <llynch () jorsm com>
Date: Sun, 04 Nov 2001 22:28:29 -0600
firewall-wizards-request () nfr com wrote:
> Message: 10
> From: "Dumisani, Dwaine" <dumisa1d () ncs gov>
> To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
> Date: Fri, 2 Nov 2001 16:25:30 -0500
> Subject: [fw-wiz] Raptor Firewall and ISL/802.1q Trunking
>
> Hi Wizards,
>
> I have a basic question on VLANs and firewalls:
>
> I'm designing an NT LAN with a Cisco 2924 Catalyst Switch, and an NT server running Raptor 6.5. I want to create VLANs on the switch and run one trunk line to the Raptor server under ISL or 802.1q encapsulation.
Depending on the desired goals, this design is interesting. The real question is what is the best way to do security on the VLANs. If you are using Cisco products, because the PIX does not support VLANs natively, they sell more routers, as you have to have a one-arm router as the VLAN terminator. Cisco clearly states that VLANs are not to be used as the sole method for securing traffic, especially VLAN to VLAN. However, if the VLANs are all terminated on the same switch, and you separate them using layer 3 routing/access control, this is highly effective. So in the all-Cisco world, you have a 2924XL, a 26xx router, and a PIX firewall (flexible, but costly, no?).

Good luck finding a NIC that supports ISL trunking. Cisco used to make these, but last time I checked they were nowhere to be found. If you locate any, I'd be interested in knowing about it. I have complained to Cisco about this several times. If there was a good quality NIC that supported ISL, we could most likely get them to put ISL into the PIX feature "roadmap". 802.1q is doable, but I have not experimented with the 2924XLs to know if the VLANs behave EXACTLY as they do in ISL mode. If they do not, then design mitigation would have to be done.

Next, terminating the VLANs on the firewall. From the configuration guide that is available on the Symantec site, it does not confirm or deny that it can be done. There is no mention of VLANs or 802.1q anywhere in the document. If you are not already familiar with the product (I don't have any experience with it myself, but hope to someday), Netscreen may be a product that is of interest. http://www.netscreen.com/products/secure_vlan.html
> Can this be done? Can I simply insert an ISL-compatible NIC into the RAPTOR server and expect it to do what a firewall is supposed to do?
The Lucent Brick natively supports VLANs and has both VLAN rule sets and host/subnet based rule sets. Don't select it just because of the feature set, without fully testing it in a due diligence lab. You may be surprised at what it does and does not do.

In the Cisco scenario discussed above, do the IP addressing in subnets (VLSM), and make sure that the subnets cannot route to one another. The PIX is not a good router. I'm not familiar with the Raptor, but suspect that it is using the native WinNT routed. I have been told that this routed does not support VLSM routes (can someone confirm?). I can confirm that WinNT/2k, when configured with static routes on VLSM boundaries, works fine (persistent routes with 'route /p ....').

You should be able to control in and outbound access to and from the switched VLANs behind the firewall without a lot of problems. If you need to be able to do VLAN based rules, as long as you specify the subnet range of the VLAN you configured, this should work. You should be able to do host based rules as well. Note, this is all using layer 3 access control, nothing too fancy.
> thanks
> Sizwe Dumisani
> dumisa1d () ncs gov
> (703)607-4934 voice
Hope this helps,

--
Lenard Lynch
Networking/Security/UNIX/Systems Integration
"Everything should be as simple as possible-but no simpler." -Einstein

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
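The all-Cisco design described in the reply (VLANs terminated on a one-arm router over an 802.1q trunk, with layer-3 access control so the VLSM subnets cannot route to one another) looks like the following IOS configuration. This is an added illustration, not part of the thread or any vendor document; the VLAN IDs, subnets, interface names and firewall next hop are constructed.

```cisco
! Added example, not from the thread: an 802.1q "one-arm" router terminating
! three VLANs from the 2924XL trunk, with layer-3 ACLs so the VLAN subnets
! cannot route to one another. VLAN IDs, subnets and next hop are constructed.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.192
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.1.65 255.255.255.224
 ip access-group VLAN20-IN in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.1.97 255.255.255.240
 ip access-group VLAN30-IN in
!
! Each list: permit the one inter-VLAN flow needed, deny everything else
! aimed at the other VLAN subnets (logged), then allow traffic onward to the
! firewall. Restricting the source to the VLAN's own subnet also drops
! spoofed sources. ACLs are stateless, so replies need their own permit.
ip access-list extended VLAN10-IN
 permit tcp 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31 eq 80
 deny   ip 192.168.1.0 0.0.0.63 192.168.1.64 0.0.0.31 log
 deny   ip 192.168.1.0 0.0.0.63 192.168.1.96 0.0.0.15 log
 permit ip 192.168.1.0 0.0.0.63 any
!
ip access-list extended VLAN20-IN
 permit tcp 192.168.1.64 0.0.0.31 eq 80 192.168.1.0 0.0.0.63 established
 deny   ip 192.168.1.64 0.0.0.31 192.168.1.0 0.0.0.63 log
 deny   ip 192.168.1.64 0.0.0.31 192.168.1.96 0.0.0.15 log
 permit ip 192.168.1.64 0.0.0.31 any
!
ip access-list extended VLAN30-IN
 deny   ip 192.168.1.96 0.0.0.15 192.168.1.0 0.0.0.63 log
 deny   ip 192.168.1.96 0.0.0.15 192.168.1.64 0.0.0.31 log
 permit ip 192.168.1.96 0.0.0.15 any
!
! Everything the ACLs let through goes to the firewall's inside interface,
! reached over a fourth router interface not shown (next hop assumed).
ip route 0.0.0.0 0.0.0.0 192.168.2.1
```

The logged denies are what let you verify in practice that VLAN-to-VLAN traffic is actually being stopped at layer 3 rather than relying on the switch alone, which is the point the reply makes about Cisco's own guidance.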