Re: [fw-wiz] Firewalls and 802.1q trunking

From: Stephen Gill (gillsr@yahoo.com)
Date: 11/27/02


From: "Stephen Gill" <gillsr@yahoo.com>
To: <firewall-wizards@honor.icsalabs.com>
Date: Wed Nov 27 17:45:35 2002


] Having just addressed this topic a while ago, I found the following
] study:

] http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

] I have personally seen other brands of switches exhibit the same
] behavior. Overall, VLANS are a great technology, but they shouldn't
] be used for high-risk network segments.

A couple of things to keep in mind are that this study is now over two
years old and it can be mitigated w/ proper design and config. One
example:

http://www.qorbit.net/documents/catalyst-secure-template.pdf
http://www.qorbit.net/documents/catalyst-secure-template.htm

] > Hi everyone,
] > I'd like to solicit your opinion on the popular trend of equipping
] > firewalls with (almost) arbitrary numbers of interfaces by means of
] > VLAN trunking. Many FW vendors (including Nokia, NetScreen, and the
] > like) are going down that path.

I very much like this capability and it makes it much easier to scale.

] > My concern is that the "fan-out" boxes are typically run-of-the-mill
] > switches, like Cisco Catalysts, that probably have been designed
] > without any security aspirations. I wouldn't be surprised if those
] > switches could be attacked and tricked into leaking packets between
] > VLANs.

You control the switches therefore you should also secure them.
Properly secured there should be no issues.

] > Are there any studies devoted to this issue, or reports of successful
] > attacks against 802.1q separation that I should be aware of?

Only ones that can be mitigated.

] > In our environment we use firewalls with rather large numbers of
] > interfaces (typically 15 ~ 25), mostly based on Xylan switches running
] > FW-1. This product line has disappeared now and all alternative
] > solutions seem to be relying on VLAN trunking.

Wow! I didn't know people were still using these. We moved off of
these a few years ago and migrated to Nokia IP 650's at the time with 20
(physical) interfaces per box. It seemed to be a good fit.
 
] > I'm not comfortable with the idea yet, but I wasn't comfortable with
] > the Xylan switches in the beginning, either. I'd like to think I'm too
] > paranoid, but then, that's my job...

Yeah, firewalling on these switches doesn't perform very well. We were
only getting about 5MB firewall throughput with our configurations and
large rulesets.

Cheers,
-- steve
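The reply above argues that the switch-side risks to 802.1q separation are mitigated by proper design and configuration of the switches you control. As an added example (not code from this thread or from the linked Catalyst template), the script below audits a Cisco IOS-style running-config for the trunk-hardening properties a defender would want to verify before trusting a "fan-out" switch in front of a firewall: every port has an explicit access or trunk mode with DTP negotiation disabled, trunks carry a pruned allowed-VLAN list, the native VLAN is a dedicated unused VLAN rather than VLAN 1 or a VLAN in use on access ports, and native-VLAN frames are tagged globally. The sample configuration, the interface names and the VLAN numbers are constructed for illustration; the checks reflect commonly recommended Catalyst practice and are assumptions about what the linked template covers, not a transcription of it.

```python
"""Audit an IOS-style running-config for VLAN-trunk hardening gaps.

Constructed example: SAMPLE_CONFIG is made up for illustration and the
checks encode commonly recommended Catalyst practice (assumed, not taken
from the page): explicit port mode plus 'switchport nonegotiate', pruned
allowed-VLAN lists on trunks, a dedicated native VLAN, and the global
'vlan dot1q tag native' so native-VLAN frames are tagged on trunks.
"""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
!
vlan dot1q tag native
!
interface GigabitEthernet0/1
 description uplink to firewall trunk (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description DMZ host (hardened access port)
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description access port left at defaults
 switchport access vlan 10
!
interface GigabitEthernet0/4
 description trunk left at defaults
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    mode: str = "dynamic"       # no explicit 'switchport mode' => DTP may negotiate a trunk
    nonegotiate: bool = False   # 'switchport nonegotiate' present
    access_vlan: int = 1        # IOS default access VLAN
    native_vlan: int = 1        # IOS default native VLAN on trunks
    allowed_vlans: str = "all"  # IOS default: trunk carries every VLAN


def parse_config(text):
    """Return (ports_by_name, tag_native_enabled) from a running-config."""
    ports, tag_native, current = {}, False, None
    for raw in text.splitlines():
        if raw.strip() == "vlan dot1q tag native":
            tag_native = True
            continue
        m = re.match(r"interface (\S+)$", raw)
        if m:
            current = ports.setdefault(m.group(1), Port(m.group(1)))
            continue
        if not raw.startswith(" "):
            current = None          # left the interface stanza ('!' or global command)
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if m := re.match(r"switchport mode (\S+)", cmd):
            current.mode = m.group(1)
        elif cmd == "switchport nonegotiate":
            current.nonegotiate = True
        elif m := re.match(r"switchport access vlan (\d+)", cmd):
            current.access_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)", cmd):
            current.native_vlan = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (\S+)", cmd):
            current.allowed_vlans = m.group(1)
    return ports, tag_native


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means no gaps found."""
    ports, tag_native = parse_config(text)
    findings = []
    if not tag_native:
        findings.append(("global", "native-VLAN frames are untagged on trunks; add 'vlan dot1q tag native'"))
    access_vlans = {p.access_vlan for p in ports.values() if p.mode == "access"}
    for p in ports.values():
        if p.mode not in ("access", "trunk"):
            findings.append((p.name, f"mode '{p.mode}' lets DTP negotiate a trunk; set an explicit access/trunk mode"))
        elif not p.nonegotiate:
            findings.append((p.name, "DTP still enabled; add 'switchport nonegotiate'"))
        if p.mode == "trunk":
            if p.allowed_vlans == "all":
                findings.append((p.name, "trunk carries every VLAN; prune with 'switchport trunk allowed vlan'"))
            if p.native_vlan == 1 or p.native_vlan in access_vlans:
                findings.append((p.name, f"native VLAN {p.native_vlan} is VLAN 1 or in use on an access port; use a dedicated unused VLAN"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

On the constructed sample the two hardened ports produce no findings, the access port left at defaults is flagged for negotiable mode, and the default trunk is flagged three times (DTP on, unpruned allowed list, native VLAN 1); removing the global tagging line adds a fourth, global finding. The parser only understands the handful of `switchport` commands the checks need, so treat it as a starting point for the switches in your own design rather than a complete config linter.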
