Re: [fw-wiz] Firewalls and 802.1q trunking
From: Jonn Martell (jonn.martell@ubc.ca)
Date: 11/27/02
- Next message: Steve Evans: "RE: [fw-wiz] Outlook Web Access - Paranoid?"
- Previous message: Stephen Gill: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- In reply to: Steffen Kluge: "[fw-wiz] Firewalls and 802.1q trunking"
- Next in thread: Eric Vyncke: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Jonn Martell <jonn.martell@ubc.ca>
To: Steffen Kluge <kluge@fujitsu.com.au>
Date: Wed Nov 27 19:56:02 2002
Additional things to watch out for: IVL/SVL
With SVL (shared vlan learning) a MAC address cannot show up on two
different VLANs without causing problems. If you are going to do this,
make sure your VLAN switch supports IVL (independent VLAN learning).
You also need to keep management of your switch locked down to prevent
someone from changing the VLAN settings.
On 27 Nov 2002, Steffen Kluge wrote:
> Date: 27 Nov 2002 11:30:44 +1100
> From: Steffen Kluge <kluge@fujitsu.com.au>
> To: "'firewall-wizards@honor.icsalabs.com'"
> <firewall-wizards@honor.icsalabs.com>
> Subject: [fw-wiz] Firewalls and 802.1q trunking
>
> Hi everyone,
> I'd like to solicit your opinion on the popular trend of
> equipping firewalls with (almost) arbitrary numbers of interfaces
> by means of VLAN trunking. Many FW vendors (including Nokia,
> NetScreen, and the like) are going down that path.
>
> My concern is that the "fan-out" boxes are typically run-of-the-mill
> switches, like Cisco Catalysts, that probably have been designed without
> any security aspirations. I wouldn't be surprised if those switches
> could be attacked and tricked into leaking packets between VLANs.
>
> Are there any studies devoted to this issue, or reports of successful
> attacks against 802.1q separation that I should be aware of?
>
> In our environment we use firewalls with rather large numbers of
> interfaces (typically 15 ~ 25), mostly based on Xylan switches running
> FW-1. This product line has disappeared now and all alternative
> solutions seem to be relying on VLAN trunking.
>
> I'm not comfortable with the idea yet, but I wasn't comfortable with
> the Xylan switches in the beginning, either. I'd like to think I'm too
> paranoid, but then, that's my job...
>
> Cheers
> Steffen.
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
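The following Python model is an added example, not part of this thread and not code from any switch or firewall vendor. It shows in forwarding terms what the SVL/IVL remark above means: with shared VLAN learning the switch keeps one MAC table keyed by MAC only, so a MAC seen on a second VLAN from another port overwrites the entry the firewall's VLAN depends on; with independent VLAN learning the table is keyed by (VLAN, MAC) and the two bindings coexist. Port names, VLAN numbers and MAC addresses are constructed for the illustration, and the model assumes that SVL and IVL reduce to exactly those two table layouts. Egress VLAN-membership filtering is left switchable, because whether the mis-learned entry makes the frame disappear (the firewall stops receiving that VLAN) or lands it on a port in another VLAN depends on how a given switch handles egress; the model does not claim either behaviour for any real product.

```python
"""Toy model of a VLAN-aware learning switch in SVL vs IVL mode.

Added example, not from the mailing-list thread. Port names, MAC addresses
and the topology below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    vlans: frozenset  # VLANs this port is a member of (trunk or access)


class VlanSwitch:
    """Minimal forwarding model: learn source MAC, look up destination MAC."""

    def __init__(self, ports, mode="IVL", egress_filter=True):
        assert mode in ("IVL", "SVL")
        self.ports = {p.name: p for p in ports}
        self.mode = mode
        self.egress_filter = egress_filter  # enforce VLAN membership on egress?
        self.fdb = {}  # forwarding database: key -> port name

    def _key(self, vlan, mac):
        # IVL: one table per VLAN, so the same MAC can live on different
        # ports in different VLANs. SVL: one shared table, keyed by MAC only.
        return (vlan, mac) if self.mode == "IVL" else mac

    def receive(self, in_port, vlan, src, dst):
        """Process one tagged frame; return (action, list_of_egress_ports)."""
        if vlan not in self.ports[in_port].vlans:
            return ("dropped-ingress", [])
        # Source learning: (re)bind the key to the ingress port.
        self.fdb[self._key(vlan, src)] = in_port
        out = self.fdb.get(self._key(vlan, dst))
        if out is None:
            # Unknown destination: flood to the other member ports of this VLAN.
            targets = sorted(n for n, p in self.ports.items()
                             if n != in_port and vlan in p.vlans)
            return ("flood", targets)
        if out == in_port:
            return ("filtered", [])
        if self.egress_filter and vlan not in self.ports[out].vlans:
            # The entry points at a port outside the frame's VLAN: a switch
            # that enforces egress membership drops the frame, so the
            # firewall silently stops receiving this VLAN's traffic.
            return ("dropped-egress", [])
        return ("unicast", [out])


# Constructed, locally administered MAC addresses (not real devices).
FW_MAC = "02:00:00:00:00:01"
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
BCAST = "ff:ff:ff:ff:ff:ff"


def build_switch(mode, egress_filter=True):
    # Firewall on a trunk carrying VLAN 10 and VLAN 20 (the fan-out pattern
    # discussed in the thread); one host on each VLAN.
    return VlanSwitch([
        Port("fw-trunk", frozenset({10, 20})),
        Port("host-a", frozenset({10})),
        Port("host-b", frozenset({20})),
    ], mode=mode, egress_filter=egress_filter)


def scenario(mode, egress_filter=True):
    """The firewall's MAC shows up on VLAN 20 from a different port."""
    sw = build_switch(mode, egress_filter)
    sw.receive("fw-trunk", 10, FW_MAC, HOST_A)   # switch learns FW on the trunk
    sw.receive("host-a", 10, HOST_A, FW_MAC)     # host-a -> firewall on VLAN 10
    # A device on VLAN 20 (here host-b, whether by misconfiguration or on
    # purpose) sends a frame whose source MAC is the firewall's MAC.
    sw.receive("host-b", 20, FW_MAC, BCAST)
    # Now host-a sends to the firewall on VLAN 10 again. IVL still delivers
    # it to the trunk; SVL has rebound FW_MAC to host-b's port.
    return sw.receive("host-a", 10, HOST_A, FW_MAC)


if __name__ == "__main__":
    for mode in ("IVL", "SVL"):
        print(mode, "with egress filtering:", scenario(mode))
    print("SVL without egress filtering:", scenario("SVL", egress_filter=False))
```

Running the script prints the IVL case delivering to `fw-trunk`, the SVL case with egress filtering dropping the frame, and the SVL case without egress filtering delivering a VLAN 10 frame to the VLAN 20 port. The third case is the cross-VLAN delivery the original question worries about; the second is the quieter failure, traffic to the firewall vanishing until the entry ages out or is relearned. Both start from a MAC appearing on two VLANs, which is the condition the reply says SVL cannot tolerate.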