Re: [fw-wiz] Firewalls and 802.1q trunking

From: Jonn Martell (jonn.martell@ubc.ca)
Date: 11/27/02


From: Jonn Martell <jonn.martell@ubc.ca>
To: Steffen Kluge <kluge@fujitsu.com.au>
Date: Wed Nov 27 19:56:02 2002

Additional things to watch out for: IVL/SVL

With SVL (shared vlan learning) a MAC address cannot show up on two
different VLANs without causing problems. If you are going to do this,
make sure your VLAN switch supports IVL (independent VLAN learning).

You also need to keep management of your switch locked down to prevent
someone from changing the VLAN settings.

On 27 Nov 2002, Steffen Kluge wrote:

> Date: 27 Nov 2002 11:30:44 +1100
> From: Steffen Kluge <kluge@fujitsu.com.au>
> To: "'firewall-wizards@honor.icsalabs.com'"
> <firewall-wizards@honor.icsalabs.com>
> Subject: [fw-wiz] Firewalls and 802.1q trunking
>
> Hi everyone,
> I'd like to solicit your opinion on the popular trend of
> equipping firewalls with (almost) arbitrary numbers of interfaces
> by means of VLAN trunking. Many FW vendors (including Nokia,
> NetScreen, and the like) are going down that path.
>
> My concern is that the "fan-out" boxes are typically run-of-the-mill
> switches, like Cisco Catalysts, that probably have been designed without
> any security aspirations. I wouldn't be surprised if those switches
> could be attacked and tricked into leaking packets between VLANs.
>
> Are there any studies devoted to this issue, or reports of successful
> attacks against 802.1q separation that I should be aware of?
>
> In our environment we use firewalls with rather large numbers of
> interfaces (typically 15 ~ 25), mostly based on Xylan switches running
> FW-1. This product line has disappeared now and all alternative
> solutions seem to be relying on VLAN trunking.
>
> I'm not comfortable with the idea yet, but I wasn't comfortable with
> the Xylan switches in the beginning, either. I'd like to think I'm too
> paranoid, but then, that's my job...
>
> Cheers
> Steffen.
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
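As an added illustration of the SVL/IVL point above (not code from the original post; the port layout, VLAN ids and MAC address are constructed for the example), a toy learning switch in Python showing why one MAC seen in two VLANs misbehaves under shared VLAN learning but not under independent VLAN learning:

```python
from typing import Dict, Set, Tuple, Union

class VlanSwitch:
    """Toy learning bridge. mode="svl": one forwarding database shared by all
    VLANs (keyed by MAC only). mode="ivl": a database per VLAN (keyed by
    VLAN + MAC). port_vlans maps each port to the VLANs it may carry."""

    def __init__(self, mode: str, port_vlans: Dict[int, Set[int]]):
        if mode not in ("svl", "ivl"):
            raise ValueError("mode must be 'svl' or 'ivl'")
        self.mode = mode
        self.port_vlans = port_vlans
        self.fdb: Dict[tuple, int] = {}   # key -> port the MAC was learned on

    def _key(self, vlan: int, mac: str) -> tuple:
        # SVL discards the VLAN id, so the same MAC in two VLANs shares one entry.
        return (mac,) if self.mode == "svl" else (vlan, mac)

    def learn(self, vlan: int, mac: str, port: int) -> None:
        """Source-address learning for a frame received on `port` in `vlan`."""
        if vlan not in self.port_vlans[port]:
            return                          # ingress filter: port is not a member
        self.fdb[self._key(vlan, mac)] = port

    def forward(self, vlan: int, dst: str) -> Union[int, str]:
        """Egress decision for a frame in `vlan` addressed to `dst`: a port
        number, "flood" (unknown MAC), or "drop" (the learned port is not a
        member of this VLAN, so the shared entry is misleading)."""
        port = self.fdb.get(self._key(vlan, dst))
        if port is None:
            return "flood"
        if vlan not in self.port_vlans[port]:
            return "drop"                   # real switches vary here; none deliver correctly
        return port

def dual_homed_scenario(mode: str) -> Tuple[Union[int, str], Union[int, str]]:
    """Constructed case: one MAC (e.g. a firewall reusing a MAC on two NICs) is
    seen on port 1 in VLAN 10 and on port 2 in VLAN 20. Returns the egress
    decision for a VLAN-10 frame and a VLAN-20 frame addressed to that MAC."""
    sw = VlanSwitch(mode, {1: {10}, 2: {20}, 3: {10, 20}})   # port 3 is the trunk
    fw_mac = "00:ff:00:00:00:01"                              # constructed address
    sw.learn(10, fw_mac, 1)
    sw.learn(20, fw_mac, 2)   # under SVL this overwrites the VLAN-10 entry
    return sw.forward(10, fw_mac), sw.forward(20, fw_mac)

if __name__ == "__main__":
    for mode in ("svl", "ivl"):
        print(mode, dual_homed_scenario(mode))   # svl ('drop', 2), ivl (1, 2)
```

Under SVL the second learn event replaces the VLAN-10 entry, so VLAN-10 traffic to that MAC is no longer delivered (the "MAC flapping" behind the warning above); under IVL each VLAN keeps its own entry.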


