Firewall Wizards mailing list archives
Re: Raptor Firewall and ISL/802.1q Trunking
From: Lenard Lynch <llynch () jorsm com>
Date: Tue, 06 Nov 2001 01:22:39 -0600
I agree with Evan. The whole "hybrid switch/router" device provides many options, but not always options that security professionals will want to exercise. I do not know anyone personally that uses it; there are some interesting options under SDE (http://www.cisco.com/warp/public/537/6.html).

I should have stated more clearly that each VLSM subnet should be configured on its own VLAN (making sure that VLAN 1 is not used). Access control is done at layer 3, and care should be taken when configuring the trunk port for the router, that is, unless you have enough physical router ports so that one is not needed. Said another way: one trunk port for your physical router port, per physical switch (if you do not have a "switch/router" chassis), ensures that a trunk will never exist between switches. This provides "one arm routing" for your VLANs. Since Cisco has made the design decision that a port can only belong to a single VLAN, to get a single router port to do this routing for you, make the switch port a trunk and define a sub-interface for each VLAN on the router's interface, setting the encapsulation type. Also, care must be used when configuring the IP routing as well.

These are the reasons for even considering the use of a trunk: scalability, space considerations and cost control. Dwaine's original question (it seemed to me) takes the next step (looking from the scalability, etc. perspective). If the firewall can fulfil the function of the router (terminate the IP route gateway address), this removes the requirement of having the router.

Now that we have discussed possibilities for providing connectivity, we need to discuss what countermeasures the design needs to provide. It is entirely possible that a switch/router pair will not meet those needs. In that case, a more costly solution will have to be adopted.

Evan Wagner wrote:
> VLANs are not very 'secure', particularly if trunking is involved. Here is an excellent SANS article that may be of help to you: http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
>
> The recommendations state: "Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool. If you MUST use them in a security context, ensure that the trunking ports have a unique native VLAN number."
>
> --Evan
>
> On Sun, 4 Nov 2001, Lenard Lynch wrote:
>
> > firewall-wizards-request () nfr com wrote:
> >
> > > Message: 10
> > > From: "Dumisani, Dwaine" <dumisa1d () ncs gov>
> > > To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
> > > Date: Fri, 2 Nov 2001 16:25:30 -0500
> > > Subject: [fw-wiz] Raptor Firewall and ISL/802.1q Trunking
> > >
> > > Hi Wizards,
> > >
> > > I have a basic question on VLANs and firewalls: I'm designing an NT LAN with a Cisco 2924 Catalyst Switch, and an NT server running Raptor 6.5. I want to create VLANs on the switch and run one trunk line to the Raptor server under ISL or 802.1q encapsulation.
> >
> > Depending on the desired goals, this design is interesting. The real question is what is the best way to do security on the VLANs. If you are using Cisco products, because the PIX does not support VLANs natively, they sell more routers, as you have to have a one-arm router as the VLAN terminator. Cisco clearly states that VLANs are not to be used as the sole method for securing traffic, especially VLAN to VLAN. However, if the VLANs are all terminated on the same switch, and you separate them using layer 3 routing/access control, this is highly effective. So in the all-Cisco world, you have a 2924XL, a 26xx router, and a PIX firewall (flexible, but costly, no?)...
You should be able to control in- and outbound access to and from the switched VLANs behind the firewall without a lot of problems. If you need to be able to do VLAN-based rules, as long as you specify the subnet range of the VLAN you configured, this should work. You should be able to do host-based rules as well. Note, this is all using layer 3 access control, nothing too fancy.
--
Lenard Lynch
Networking/Security/UNIX/Systems Integration
"Everything should be as simple as possible-but no simpler." -Einstein

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
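The design the thread settles on (one trunk port from the switch to a single router port, one 802.1q sub-interface per VLAN, VLAN 1 unused, a unique native VLAN on the trunk, and layer 3 access lists doing the actual separation) looks like the following. This is an added illustration, not configuration posted by anyone in the thread; interface names, VLAN numbers and the documentation-range addresses are hypothetical, and the syntax is current IOS rather than the 2900XL release Dwaine would have run.

```cisco
! --- Switch side (added example, hypothetical interface/VLAN numbers) ---
! One trunk port carries every user VLAN to the single router port.
! The native VLAN is an otherwise unused ID and is kept off the allowed
! list, so untagged frames on the trunk are discarded rather than landing
! in a user VLAN. VLAN 1 is not used for anything.
vlan 10
 name users
vlan 20
 name servers
vlan 999
 name trunk-native-unused
!
interface FastEthernet0/24
 description Trunk to one-arm router
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! --- Router side ("one arm routing": one sub-interface per VLAN) ---
! Each VLAN is its own IP subnet; the router owns the gateway address and
! is the only path between VLANs, so layer 3 access lists enforce policy.
interface FastEthernet0/0
 description One-arm trunk to switch
 no ip address
!
interface FastEthernet0/0.10
 description VLAN 10 - users
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 description VLAN 20 - servers
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
 ip access-group VLAN20-IN in
!
! Users may reach the servers' web service only; everything else toward
! the server VLAN is dropped and logged, other destinations pass.
ip access-list extended VLAN10-IN
 permit tcp 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 80
 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255 log
 permit ip 192.0.2.0 0.0.0.255 any
!
! Servers never initiate traffic toward the user VLAN.
ip access-list extended VLAN20-IN
 deny   ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255 log
 permit ip 198.51.100.0 0.0.0.255 any
```

The same sub-interface layout applies if the firewall terminates the trunk instead of the router, as Dwaine proposed; what changes is only where the per-subnet rules live.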