[fw-wiz] Firewalls and 802.1q trunking

From: Steffen Kluge (kluge@fujitsu.com.au)
Date: 11/26/02

From: Steffen Kluge <kluge@fujitsu.com.au>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Tue Nov 26 20:16:02 2002

Hi everyone,
I'd like to solicit your opinion on the popular trend of
equipping firewalls with (almost) arbitrary numbers of interfaces
by means of VLAN trunking. Many FW vendors (including Nokia,
NetScreen, and the like) are going down that path.

My concern is that the "fan-out" boxes are typically run-of-the-mill
switches, like Cisco Catalysts, that probably have been design without
any security aspirations. I wouldn't be surprised if those switches
could be attacked and tricked into leaking packets between VLANs.

Are there any studies devoted to this issue, or reports of successful
attacks against 802.1q separation that I should be aware of?

In our environment we use firewalls with rather large numbers of
interfaces (typically 15 ~ 25), mostly based on Xylan switches running
FW-1. This product line has disappeared now and all alternative
solutions seem to be relying on VLAN trunking.

I'm not comfortable with the idea yet, but I wasn't comfortable with
the Xylan switches in the beginning, either. I'd like to think I'm too
paranoid, but then, that's my job...