Firewall Wizards mailing list archives
Re: Firewalling between T-1's, an ATM switch and a switched office
From: m p <sumirati () yahoo de>
Date: Mon, 17 Mar 2003 16:16:02 +0100 (CET)
--- Steven Ackerman <ackerman_steven () yahoo com> wrote:
> Greetings,
> I work for a small network consulting firm. Security has not been researched or applied much prior to my arrival. I am trying to change that, although I have limited understanding and less experience. The person I work for directly is trying to set up a Watchguard box with content filtering between two switches and 4 T-1 lines. The setup is as follows: ATM switch with one incoming internet connection, 4 T-1's on the inside (each goes to a different school), 2 Ethernet ports. One Ethernet port (eth0) has a Cisco switch which connects another office. The second Ethernet port (eth1) connects a Watchguard box. The Watchguard box has 3 Ethernet ports on it. My boss wants to route incoming traffic through the eth0 port to the switch and then to the Watchguard box and to the appropriate T-1/school and vice versa. It looks to me like this bypasses the firewall. Can this work through ACLs at the ATM switch?
Yes.
> Is this unsafe?
Compared to what?
> How can I explain this is unsafe to an admin that doesn't see how it is unsafe when he can use ACLs on source and destination IPs and ports?
First you have to understand how ATM works, before you can say something about security. First of all - I don't know much about ATM (as your Joe Average Hacker will do). ATM is some levels below IP. If you compare it with Ethernet it is the cable and the CRC level of the device itself. But inside itself it is a full-sized client-server application. On that you emulate your "normal" Ethernet network. ATM works in that case like "pipes" through which the packets _have_ to go.

For what I understand from ATM he will use LAN-E to make virtual connects between the ports. There is no way (if you don't have access to the ATM layer - which means you are already in the network of the telco) to circumvent those ACLs in the ATM layer.

If he speaks about ACLs for IP - he shouldn't. There are known ways to circumvent them (because they are not stateful in most cases). But no switch that I know of has ACLs for IP (but I'm no network guy) - only the routers I met. A router with ACLs is a nice addition to a firewall system - but I won't put it alone somewhere.

Hope that helps

Marc

PS: Some ASCII-art is nice to get a better picture. I think your topology is:

    Internet <-> ATM-Switch <-> 4 x T1
                   ^   ^
                   |   |
         Other office  |
                    Firewall

I hope that I understood that right.
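The point Marc makes about IP ACLs not being stateful, shown as an added example that is not part of the thread: a router-style ACL that admits inbound TCP only when the ACK bit is set (the usual "established" rule) is compared with a firewall-style connection tracker over a constructed three-packet trace. The address plan, the ACL semantics and the packet trace are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the school/office side sits in this range.
INSIDE = ipaddress.ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # any subset of "SA": S = SYN, A = ACK


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def stateless_acl(pkt: Packet) -> bool:
    """Router ACL as assumed here: outbound always passes; inbound passes
    only if it looks like a reply (ACK set). No memory of connections."""
    if is_inside(pkt.src):
        return True
    return "A" in pkt.flags


class StatefulFilter:
    """Firewall-style tracking: inbound passes only when an inside host
    opened the matching connection first."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (acl_decision, firewall_decision) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_acl(p), fw.allow(p)) for p in packets]


# Constructed trace: an inside host opens a web session, the server replies,
# then an outside host sends an unsolicited packet with only ACK set.
TRACE = [
    Packet("10.1.0.5", "203.0.113.9", 40000, 80, "S"),
    Packet("203.0.113.9", "10.1.0.5", 80, 40000, "SA"),
    Packet("198.51.100.7", "10.1.0.5", 4444, 139, "A"),
]
```

The third packet shows the gap: the ACL accepts it because the ACK bit is set, while the stateful filter drops it because no inside host ever opened that connection.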