Re: [fw-wiz] separating the servers on a switch
From: Paul D. Robertson (proberts@patriot.net)
Date: 09/12/02
- Next message: Rudy_D_Pereda@mail.dbf.state.fl.us: "[fw-wiz] Centrallizing logs"
- Previous message: IT - Sven Mueller: "Re: [fw-wiz] Statistics for Firewalls"
- In reply to: Shimon Silberschlag: "[fw-wiz] separating the servers on a switch"
- Next in thread: m p: "Re: [fw-wiz] separating the servers on a switch"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Paul D. Robertson" <proberts@patriot.net> To: Shimon Silberschlag <shimons@bll.co.il> Date: Thu Sep 12 09:48:01 2002
On Thu, 12 Sep 2002, Shimon Silberschlag wrote:
> We want to control which server can talk to which other server (in the
> segment), utilizing one of the firewalls (lets say the uplink one).
Firewalls are generally layer 3 devices, you're attempting to control a
layer 2 connection. For that you need a tool that works at layer 2.
This leaves you with only a few options:
Filtering on each device
VLANs
VPNs
one hack (that's probably good enough- but not bullet-proof):
Static ARP tables: ARP only the routers/firewalls and the devices each
device needs to talk to into a static ARP table, and don't let the devices
do dynamic ARP (or equally hackish, statically ARP all the devices a server
*doesn't* need to talk to to a non-existent address that isn't routed off
the segment.) You can do a cheesier version by subnetting and
only putting devices which need to communicate on the same subnet and
keeping subnet routes, but that assumes the sets don't overlap much- it's
not going to stop an attacker from adding their own routes, but it'll stop
casual stuff, and just supernet the segment on the firewalls. (I'd
probably implement by making each device think it was on a /32 and then
adding routes to the other /32s it needed to talk to- you could attempt to
enforce that on a firewall if you made it the route, but understand it's
relatively trivial to bypass.)
Finally, if you're mostly worried about TCP, you could span a port and put
up a bridge that would send back RSTs for connection attempts outside of
policy. Not sure if it'd win the race every time though.
The _best_ solution is to separate the devices at the correct layer, and
have each zone communicate through a layer 3 device with appropriate
rules. When I had to do that, I'd load a Sun Ultra2 up with SBUS Quad
Fast Ethernet (QFE) cards and route/firewall through that- if you need
more than ~9 networks, you're probably trying to enforce an unenforceable
policy. These days, I'd be tempted to try the same thing on NetBSD with
IPFilter and quad PCI cards (Given a fast PCI bus and cards that would
run at full speed.)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
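The static-ARP approach described in the reply above, modelled as an added example (not code from the original message or the list): hosts, MACs, the gateway, the sink address and the policy are constructed sample values, and `linux_commands` assumes a Linux host where `ip neigh` is available.

```python
"""Model of the static-ARP segment-control hack: each host gets real MAC
entries only for the gateway and its allowed peers; everything else on the
segment is pinned to an unused sink MAC so frames to it go nowhere."""
from __future__ import annotations

# Constructed inventory: host name -> (ip, mac)
HOSTS = {
    "web": ("192.0.2.10", "02:00:00:00:00:10"),
    "app": ("192.0.2.20", "02:00:00:00:00:20"),
    "db":  ("192.0.2.30", "02:00:00:00:00:30"),
}
GATEWAY = ("192.0.2.1", "02:00:00:00:00:01")   # the uplink firewall
SINK_MAC = "02:00:00:00:00:ff"  # constructed unused address for disallowed peers

# Constructed policy: directed pairs allowed to talk inside the segment
POLICY = {("web", "app"), ("app", "web"), ("app", "db"), ("db", "app")}


def arp_table(host: str) -> dict[str, str]:
    """Static ARP table for `host`: gateway and allowed peers resolve to their
    real MACs; every other segment member resolves to SINK_MAC."""
    table = {GATEWAY[0]: GATEWAY[1]}
    for peer, (ip, mac) in HOSTS.items():
        if peer != host:
            table[ip] = mac if (host, peer) in POLICY else SINK_MAC
    return table


def can_talk(src: str, dst: str) -> bool:
    """Two-way check: both sides must hold each other's real MAC, otherwise
    one direction is black-holed and a TCP session cannot complete."""
    return (arp_table(src)[HOSTS[dst][0]] == HOSTS[dst][1]
            and arp_table(dst)[HOSTS[src][0]] == HOSTS[src][1])


def policy_gaps() -> list[tuple[str, str]]:
    """Pairs allowed in one direction only; these fail silently in practice,
    so they are worth catching before the tables are deployed."""
    return sorted((a, b) for a, b in POLICY if (b, a) not in POLICY)


def linux_commands(host: str, iface: str = "eth0") -> list[str]:
    """Equivalent permanent `ip neigh` entries for a Linux host (assumed
    syntax); the reply also expects dynamic ARP to be turned off on the host."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {iface} nud permanent"
            for ip, mac in arp_table(host).items()]
```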