Firewall Wizards mailing list archives

Re: Raptor Firewall and ISL/802.1q Trunking


From: Lenard Lynch <llynch () jorsm com>
Date: Sun, 04 Nov 2001 22:28:29 -0600

firewall-wizards-request () nfr com wrote:


Message: 10
From: "Dumisani, Dwaine" <dumisa1d () ncs gov>
To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
Date: Fri, 2 Nov 2001 16:25:30 -0500
Subject: [fw-wiz] Raptor Firewall and ISL/802.1q Trunking

Hi Wizards

I have a basic question on VLANS, and firewalls:

I'm designing an NT LAN with a Cisco 2924 Catalyst Switch, and an NT server
running Raptor 6.5.

I want to create VLANS on the switch and run one trunk line to the Raptor
server under ISL or 802.1q encapsulation.

Depending on the desired goals, this design is interesting.  The real question is what is the best way to do security 
on the VLANs.  If you are using Cisco products, because the PIX does not support VLANs natively, they sell more 
routers, as you have to have a 1 arm router as the VLAN terminator.  Cisco clearly states that VLANs
are not to be used as the sole method for securing traffic, especially VLAN to VLAN.  However, if the VLANs are all 
terminated on the same switch, and you separate them using layer 3 routing/access control, this is highly effective.  
So in the all-Cisco world, you have a 2924XL, a 26xx router, and a PIX firewall (flexible, but
costly, no?).

Good luck finding a NIC that supports ISL trunking.  Cisco used to make these, but last time I checked they were 
nowhere to be found.  If you locate any, I'd be interested in knowing about it.  I have complained to Cisco about this 
several times.  If there was a good quality NIC that supported ISL, we could most likely get them
to put ISL into the PIX feature "roadmap".

802.1q is doable, but I have not experimented with the 2924XLs to know if the VLANs behave EXACTLY as they do in ISL 
mode.  If they do not, then design mitigation would have to be done.

Next, terminating the VLANs on the firewall.  From the configuration guide that is available on the Symantec site, it 
does not confirm or deny that it can be done.  There is no mention of VLANs or 802.1q anywhere in the document.

If you are not already familiar with the product (I don't have any experience with it myself, but hope to someday), 
Netscreen may be a product that is of interest.  http://www.netscreen.com/products/secure_vlan.html


Can this be done? Can I simply insert an ISL-compatible NIC into the RAPTOR
server and expect it to do what a firewall is supposed to do?


The Lucent Brick natively supports VLANs and has both VLAN rule sets and Host/subnet based rule sets.  Don't select it 
just because of the feature set, without fully testing it in a due diligence lab.  You may be surprised at what it does 
and does not do.

In the Cisco scenario discussed above, do the IP addressing in subnets (VLSM), and make sure that the subnets cannot 
route to one another.  The PIX is not a good router.  I'm not familiar with the Raptor, but suspect that it is using 
the native WinNT routed.  I have been told that this routed does not support VLSM routes (can
someone confirm?).  I can confirm that WinNT/2k when configured with static routes on VLSM boundaries works fine 
(persistent routes with 'route /p ....').

You should be able to control in and outbound access to and from the switched VLANs behind the firewall without a lot 
of problems.  If you need to be able to do VLAN based rules, as long as you specify that subnet range of the VLAN you 
configured, this should work.  You should be able to do host based rules as well.  Note, this
is all using layer 3 access control, nothing too fancy.


thanks

Sizwe Dumisani

dumisa1d () ncs gov
(703)607-4934 voice

Hope this helps,
--
Lenard Lynch  Networking/Security/UNIX/Systems Integration
"Everything should be as simple as possible-but no simpler." -Einstein
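The layer-3 control described in the reply above, for a trunk terminated on the firewall, as an added example that is not from this thread or from any of the products it mentions: a parser for 802.1Q-tagged IPv4 frames, a check that a frame's source address lies in the subnet planned for the VLAN whose tag it carries, and a VLSM overlap check on the plan. The VLAN-to-subnet plan, MAC addresses and the frame builder are constructed for the example.

```python
import ipaddress
import struct

# Constructed VLAN plan (an assumption for this example, not from the thread):
# each VLAN carried on the trunk is assigned one VLSM subnet.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.1.10.0/24"),
    20: ipaddress.ip_network("10.1.20.0/25"),
    30: ipaddress.ip_network("10.1.20.128/25"),
}

TPID_8021Q = 0x8100      # Tag Protocol Identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def build_tagged_frame(vlan_id, src_ip, dst_ip, priority=0):
    """Construct a minimal 802.1Q-tagged IPv4 frame (sample input for the checks below)."""
    dst_mac = bytes.fromhex("0000aa000001")   # constructed addresses
    src_mac = bytes.fromhex("0000aa000002")
    tci = (priority << 13) | (vlan_id & 0x0FFF)  # PCP (3 bits), DEI (1), VID (12)
    ip_hdr = bytearray(20)
    ip_hdr[0] = 0x45                       # IPv4, 20-byte header
    struct.pack_into("!H", ip_hdr, 2, 20)  # total length (header only)
    ip_hdr[8] = 64                         # TTL
    ip_hdr[12:16] = ipaddress.ip_address(src_ip).packed
    ip_hdr[16:20] = ipaddress.ip_address(dst_ip).packed
    tag = struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    return dst_mac + src_mac + tag + bytes(ip_hdr)

def parse_tagged_frame(frame):
    """Return (vlan_id, priority, src_ip, dst_ip) from an 802.1Q-tagged IPv4 frame."""
    if len(frame) < 38:
        raise ValueError("frame too short")
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame on trunk")
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 handled here")
    vlan_id, priority = tci & 0x0FFF, tci >> 13
    src = ipaddress.ip_address(frame[30:34])   # IP header starts at offset 18
    dst = ipaddress.ip_address(frame[34:38])
    return vlan_id, priority, src, dst

def source_matches_vlan(frame):
    """Layer-3 check a trunk-terminating firewall can apply: the source address
    must lie in the subnet assigned to the VLAN whose tag the frame carries."""
    vlan_id, _, src, _ = parse_tagged_frame(frame)
    net = VLAN_SUBNETS.get(vlan_id)
    return net is not None and src in net

def plan_is_disjoint(plan=VLAN_SUBNETS):
    """VLSM sanity check: no two VLAN subnets may overlap."""
    nets = list(plan.values())
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```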


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
