Re: [fw-wiz] Firewalls and 802.1q trunking

From: David Pick (d.m.pick@qmul.ac.uk)
Date: 11/27/02

• Next message: Stephen Gill: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Previous message: David Klein: "RE: [fw-wiz] Problem getting vpn to work between netscreen 208 an d cisco 1721"
• In reply to: Pearsall, Jim: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Next in thread: Stephen Gill: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

To: firewall-wizards@honor.icsalabs.com
From: David Pick <d.m.pick@qmul.ac.uk>
Date: Wed Nov 27 17:45:20 2002

>
>
> >> My concern is that the "fan-out" boxes are typically run-of-the-mill
> >> switches, like Cisco Catalysts, that probably have been design without
> >> any security aspirations. I wouldn't be surprised if those switches
> >> could be attacked and tricked into leaking packets between VLANs.
>
> >A valid concern. My attitude is simple:
> >* If the switches are secure enough to keep VLANs seperated for
> > normal traffic then they're secure enough to use as interfaces
> >to your firewall
> >* If they're not, well, they're not!
>
> I would submit that secure enough to manage traffic inside your trusted
> network is quite different from secure enough to define a security
> boundary.

I'm sorry, I probably wasn't explicit enough in what I said. What
I should have said was that I didn't think the fact that there
was a firewall involved mattered at all here; if a switch was
judged secure enough to have *all* the VLANs involved (internal
*and* external/dangerous) connected to it (and that's another
argument about which *I*'m very conservative as well!) *then*
the fact that a firewall is connected to the switch is not
relevant; in the same way if it it judged that one group of
VLANs can share switch fabric then a firewall interconnecting
them can use a trunk link to that switch fabric with no further
loss of security.

-- 
	David Pick

---

• Next message: Stephen Gill: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Previous message: David Klein: "RE: [fw-wiz] Problem getting vpn to work between netscreen 208 an d cisco 1721"
• In reply to: Pearsall, Jim: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Next in thread: Stephen Gill: "Re: [fw-wiz] Firewalls and 802.1q trunking"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Password Coding On Form ... i am developing a switch board and want some secuirty on this switch ... The most secure way of controlling access and permissions is to apply ... user-level security. ... (microsoft.public.access.formscoding) Re: [fw-wiz] Vlans as effective security measures? ... comparison between switch physical back plane architecture and VLAN security. ... >is not an effective adjunct to firewall and router security policies. ... Cisco Systems Inc. ... (Firewall-Wizards) Re: Firewall problem ... Everytime I start up my machine Windows Firewall ... > is off and I have to enter security centre and switch it back on. ... > switch the machine off and restart again, ... (microsoft.public.windowsxp.help_and_support) Firewall problem ... Everytime I start up my machine Windows Firewall ... switch the machine off and restart again, ... Oh, and I'm running Norton Internet Security, but I have the firewall on ... (microsoft.public.windowsxp.help_and_support) Re: Red Headlamp for Astronomy ... >Until now I've used an Energizer headlamp, with one red LED and two ... Problems have been the headband (which never seemed secure ... The switch is a twist type with the red light ... flashlights with BOTH white and Red LED Bulbs.. ... (sci.astro.amateur)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(10)