Firewall Wizards mailing list archives

Re: Raptor Firewall and ISL/802.1q Trunking


From: Lenard Lynch <llynch () jorsm com>
Date: Tue, 06 Nov 2001 01:22:39 -0600

I agree with Evan.

The whole "hybrid switch/router" device provides many options, but not always options that security professionals will want to exercise.  I do not know anyone personally who uses it, but there are some interesting options under SDE (http://www.cisco.com/warp/public/537/6.html).

I should have stated more clearly that each VLSM subnet should be configured on its own VLAN (making sure that VLAN 1 is not used).  Access control is done at layer 3, and care should be taken when configuring the trunk port for the router, that is, unless you have enough physical router ports so that one is not needed.  Said another way: one trunk port for your physical router port, per physical switch (if you do not have a "switch/router" chassis), ensures that a trunk will never exist between switches.  This provides "one arm routing" for your VLANs.  Since Cisco has made the design decision that a port can only belong to a single VLAN, to get a single router port to do this routing for you, make the switch port a trunk and define a sub interface for each VLAN on the router's interface, setting the encapsulation type.  Also, care must be used when configuring the IP routing as well.

These are the reasons for even considering the use of a trunk: scalability, space considerations and cost control.

Dwaine's original question (it seemed to me) takes the next step (looking from the scalability, etc. perspective).  If the firewall can fulfill the function of the router (terminate the IP route gateway address), this removes the requirement of having the router.

Now that we have discussed possibilities for providing connectivity, we need to discuss what countermeasures the design 
needs to provide.  It is entirely possible that a switch/router pair will not meet those needs.  In that case, a more 
costly solution will have to be adopted.

Evan Wagner wrote:

VLANs are not very 'secure', particularly if trunking is involved.

Here is an excellent SANS article that may be of help to you:

http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

The recommendations state: "Try not to use VLANs as a mechanism for
enforcing security policy. They are great for segmenting networks,
reducing broadcasts and collisions and so forth, but not as a security
tool.

If you MUST use them in a security context, ensure that the trunking ports
have a unique native VLAN number."

--Evan

On Sun, 4 Nov 2001, Lenard Lynch wrote:

firewall-wizards-request () nfr com wrote:


Message: 10
From: "Dumisani, Dwaine" <dumisa1d () ncs gov>
To: "'firewall-wizards () nfr net'" <firewall-wizards () nfr net>
Date: Fri, 2 Nov 2001 16:25:30 -0500
Subject: [fw-wiz] Raptor Firewall and ISL/802.1q Trunking

Hi Wizards

I have a basic question on VLANS, and firewalls:

I'm designing an NT LAN with a Cisco 2924 Catalyst Switch, and an NT server
running Raptor 6.5.

I want to create VLANS on the switch and run one trunk line to the Raptor
server under ISL or 802.1q encapsulation.

Depending on the desired goals, this design is interesting.  The real question is what is the best way to do security on the VLANs.  If you are using Cisco products, because the PIX does not support VLANs natively, they sell more routers, as you have to have a 1 arm router as the VLAN terminator.  Cisco clearly states that VLANs are not to be used as the sole method for securing traffic, especially VLAN to VLAN.  However, if the VLANs are all terminated on the same switch, and you separate them using layer 3 routing/access control, this is highly effective.  So in the all-Cisco world, you have a 2924XL, a 26xx router, and a PIX firewall (flexible, but costly, no?).

.....


You should be able to control in and outbound access to and from the switched VLANs behind the firewall without a lot of problems.  If you need to be able to do VLAN based rules, as long as you specify the subnet range of the VLAN you configured, this should work.  You should be able to do host based rules as well.  Note, this is all using layer 3 access control, nothing too fancy.



--
Lenard Lynch  Networking/Security/UNIX/Systems Integration
"Everything should be as simple as possible-but no simpler." -Einstein


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
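As an added illustration (not part of the original thread, and not written by any of its authors): the "one arm routing" arrangement Lenard describes, expressed as Cisco IOS configuration for a Catalyst switch and a router. Each subnet sits on its own VLAN, VLAN 1 is left unused, the trunk's native VLAN is a VLAN that carries no hosts (the SANS recommendation Evan quotes, so that untagged frames arriving on the trunk cannot land in a live VLAN), and VLAN-to-VLAN access control is done at layer 3 on the router subinterfaces. VLAN numbers, interface names, addresses and the ACL policy are assumptions chosen for the example; the exact command syntax available depends on the IOS release on the 2924XL and the router.

```cisco
! --- Catalyst switch (e.g. 2924XL): one trunk port to the router's single physical port ---
! Assumed VLAN plan: 10 = servers, 20 = workstations, 999 = trunk native VLAN only.
! VLAN 1 is deliberately left unused; VLAN 999 carries no access ports.
vlan database
 vlan 10 name SERVERS
 vlan 20 name WORKSTATIONS
 vlan 999 name TRUNK_NATIVE_UNUSED
 exit
!
interface FastEthernet0/1
 description Trunk to one-arm router (only trunk on this switch)
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
!
interface FastEthernet0/2
 description Server in VLAN 10 (access port, never a trunk)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 description Workstation in VLAN 20 (access port, never a trunk)
 switchport mode access
 switchport access vlan 20
!
! --- Router (e.g. 26xx): one 802.1Q subinterface per VLAN on one physical port ---
interface FastEthernet0/0
 description One-arm routing trunk to Catalyst Fa0/1
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 description Gateway for VLAN 10 / 192.168.10.0/24 (assumed addressing)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10_IN in
!
interface FastEthernet0/0.20
 description Gateway for VLAN 20 / 192.168.20.0/24 (assumed addressing)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20_IN in
!
! Layer-3 access control between the VLANs (assumed policy for the example):
! workstations may reach servers on TCP/445 only; servers may not initiate
! anything towards the workstation VLAN; everything else leaves via the router.
ip access-list extended VLAN20_IN
 permit tcp 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 445
 deny   ip  192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip  192.168.20.0 0.0.0.255 any
!
ip access-list extended VLAN10_IN
 deny   ip  192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip  192.168.10.0 0.0.0.255 any
```

To check the result, `show interface FastEthernet0/1 switchport` on the switch should report operational mode trunk with native VLAN 999 and only the allowed VLANs, and `show vlans` on the router should list one subinterface per VLAN; no access port should be in VLAN 1 or 999, and no switch-to-switch trunk should appear, since Fa0/1 is the only trunk in this design.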

