Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: Two Dog Flats <j3ff9ack () yahoo com>
Date: Tue, 26 Nov 2002 17:54:45 -0800 (PST)
Having just addressed this topic a while ago, I found the following study: http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

I have personally seen other brands of switches exhibit the same behavior. Overall, VLANs are a great technology, but they shouldn't be used for high-risk network segments.

--
Jeff Pack
j3ff9ack () yahoo com

--- Steffen Kluge <kluge () fujitsu com au> wrote:

> Hi everyone,
>
> I'd like to solicit your opinion on the popular trend of equipping firewalls with (almost) arbitrary numbers of interfaces by means of VLAN trunking. Many FW vendors (including Nokia, NetScreen, and the like) are going down that path.
>
> My concern is that the "fan-out" boxes are typically run-of-the-mill switches, like Cisco Catalysts, that probably have been designed without any security aspirations. I wouldn't be surprised if those switches could be attacked and tricked into leaking packets between VLANs. Are there any studies devoted to this issue, or reports of successful attacks against 802.1q separation that I should be aware of?
>
> In our environment we use firewalls with rather large numbers of interfaces (typically 15 ~ 25), mostly based on Xylan switches running FW-1. This product line has disappeared now and all alternative solutions seem to be relying on VLAN trunking. I'm not comfortable with the idea yet, but I wasn't comfortable with the Xylan switches in the beginning, either. I'd like to think I'm too paranoid, but then, that's my job...
>
> Cheers
> Steffen.
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
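The concern in the thread is a trunk port carrying frames for VLANs it was never meant to carry. As an added illustration (not code from the list or from any vendor mentioned), here is a small 802.1Q frame parser and a check that flags frames on a firewall trunk whose VLAN ID is outside the trunk's allowed set, or that arrive untagged; the allowed VLAN set and the sample frames are constructed assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame: bytes) -> dict:
    """Return dst, src, VLAN ID (None if untagged) and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid = None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "vid": vid, "ethertype": ethertype}

def check_trunk_frame(frame: bytes, allowed_vids: set) -> str:
    """Classify a frame seen on a trunk: 'ok', 'untagged' or 'unexpected-vlan'.

    allowed_vids is the (assumed) set of VLANs the firewall expects on this trunk;
    anything else is worth alerting on, since it means the switch forwarded a
    frame the trunk should never have carried.
    """
    info = parse_frame(frame)
    if info["vid"] is None:
        return "untagged"          # native-VLAN traffic: not attributable to a VID
    if info["vid"] not in allowed_vids:
        return "unexpected-vlan"   # leaked or misconfigured VLAN
    return "ok"

def build_frame(vid, dst=b"\xff" * 6, src=b"\x00\x11\x22\x33\x44\x55",
                payload=b"\x00" * 46) -> bytes:
    """Construct a sample frame (tagged when vid is not None); test data only."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    hdr += struct.pack("!H", ETHERTYPE_IPV4)
    return hdr + payload

if __name__ == "__main__":
    allowed = {10, 20}  # constructed: VLANs this trunk is supposed to carry
    for vid in (10, 30, None):
        print(vid, check_trunk_frame(build_frame(vid), allowed))
```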