Penetration Testing mailing list archives
Re: Layer 3 and Firewall
From: "dubaisans dubai" <dubaisans () gmail com>
Date: Fri, 6 Oct 2006 19:26:20 +0530
2) while a technical solution exists, the best solution to this specific
issue is to address these problems from a personnel perspective
Could you be more specific on the technical solution- because that is what I am looking for urgently? I am not worried about VLAN hopping or any other user-inititated attack ? . I am only worried about the switch admin playing foul. On 10/5/06, Paul Melson <pmelson () gmail com> wrote:
-----Original Message----- Subject: Layer 3 and Firewall > Is it a BAD idea to have multiple logical segments of a Firewall connected to the same physical switch? It's not a good standard to adhere to because layer-2 VLANs can be hopped in some cases by attacking the switch, but the level and type of vulnerability will vary by implementation. In fact, Check Point is designed so that you can have multiple virtual interfaces on a single physical port by using 802.1q VLAN tagging. > The threat I see is if the network switch administrator wants to bypass Firewall, he can just disconnect > the Firewall links and make the VLANs Layer 3 and there is no security. After malicious activites he can > very well connect the Firewall and revert back to Layer 2. This is a separate issue. If the switch admin is not in sync with the firewall admin or cannot be trusted, then 1) yes this is a valid threat and 2) while a technical solution exists, the best solution to this specific issue is to address these problems from a personnel perspective and either reassign responsibility for those switches or replace the switch admin with someone who is trustworthy. > Is that a valid threat ? Is it High risk ? What controls are possible ? Are multiple physical switches > required.? Probably the thing to do would be to research whether or not a workstation on either VLAN can hop to the other with the current switch configuration. You're going to want yersinia, Cain, arptools and another Cisco switch (a 2950 is fine for this) and see if you can flood or spoof your way to the other VLAN. This is best done during a maintenance window or some time when it's OK to disrupt the network. PaulM
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Layer 3 and Firewall dubaisans dubai (Oct 05)
- RE: Layer 3 and Firewall Paul Melson (Oct 05)
- RE: Layer 3 and Firewall Joseph McCray (Oct 06)
- RE: Layer 3 and Firewall Paul Melson (Oct 06)
- Re: Layer 3 and Firewall dubaisans dubai (Oct 06)
- Re: Layer 3 and Firewall DaKahuna (Oct 07)
- Re: Layer 3 and Firewall Rocky (Oct 25)
- Re: Layer 3 and Firewall FITNC--Kelvin Tarver (Oct 26)
- RE: Layer 3 and Firewall Joseph McCray (Oct 06)
- RE: Layer 3 and Firewall Paul Melson (Oct 05)
- <Possible follow-ups>
- RE: Layer 3 and Firewall Starkey, Kyle (Salt Lake City) (Oct 19)