Re: [fw-wiz] Firewalls and 802.1q trunking
From: Eric Vyncke (evyncke@cisco.com)
Date: 12/04/02
- Next message: Dave Piscitello: "Re: [fw-wiz] IP/HTTP from the internet to internal network"
- Previous message: Eric Vyncke: "Re: [fw-wiz] GRE through NAT (linux iptables)"
- In reply to: Steffen Kluge: "[fw-wiz] Firewalls and 802.1q trunking"
- Next in thread: Luca Berra: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Reply: Luca Berra: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Steffen Kluge <kluge@fujitsu.com.au> From: Eric Vyncke <evyncke@cisco.com> Date: Wed Dec 4 12:39:17 2002
First, have a look at my IP address to remove possible bias ;-)
Second, @stake made some extended research on VLAN hopping against a Catalyst switch. They were unable to actually hop between VLANs on a well configured switch. See their paper on:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf
Having said this, I've seen two different points of view:
- misconfiguration happens: an Infosec or network operator can make a mistake in the VLAN configuration
- probability of faulty switch configuration by an educated network/infosec operator is less than the probability of a wrong cable patching in the datacom room by an uneducated engineer.
I guess that the decision really belongs to _your_ security policy and requirements.
Hope it helps
-eric
At 11:30 27/11/2002 +1100, Steffen Kluge wrote:
>Hi everyone,
>I'd like to solicit your opinion on the popular trend of
>equipping firewalls with (almost) arbitrary numbers of interfaces
>by means of VLAN trunking. Many FW vendors (including Nokia,
>NetScreen, and the like) are going down that path.
>
>My concern is that the "fan-out" boxes are typically run-of-the-mill
>switches, like Cisco Catalysts, that probably have been designed without
>any security aspirations. I wouldn't be surprised if those switches
>could be attacked and tricked into leaking packets between VLANs.
>
>Are there any studies devoted to this issue, or reports of successful
>attacks against 802.1q separation that I should be aware of?
>
>In our environment we use firewalls with rather large numbers of
>interfaces (typically 15 ~ 25), mostly based on Xylan switches running
>FW-1. This product line has disappeared now and all alternative
>solutions seem to be relying on VLAN trunking.
>
>I'm not comfortable with the idea yet, but I wasn't comfortable with
>the Xylan switches in the beginning, either. I'd like to think I'm too
>paranoid, but then, that's my job...
>
>Cheers
>Steffen.
>
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
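The thread discusses VLAN hopping across an 802.1q trunk only at the level of "well configured" versus misconfigured. The following Python script is an added example, not code from either poster or from the @stake paper: it builds constructed double-tagged 802.1q frames, models the one switch behaviour that the classic hopping technique relies on (a trunk strips the outer tag when it matches the native VLAN, so the inner tag is what the next switch sees), and shows a simple check that flags stacked tags. The trunk model (`trunk_egress`, `delivered_vlan`) is a deliberate simplification assumed for the example and does not represent any specific switch.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that introduces an 802.1q tag


def build_frame(dst_hex, src_hex, vlan_ids, ethertype=0x0800, payload=b"\x00" * 46):
    """Build an Ethernet frame carrying zero or more stacked 802.1q tags,
    outermost first. All inputs are constructed sample data for this example."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    tags = b""
    for vid in vlan_ids:
        tags += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at 0
    return hdr + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Walk the tag stack after the MAC addresses.
    Returns (VLAN IDs outermost-first, inner EtherType, payload)."""
    off = 12
    vids = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, etype, frame[off + 2:]


def trunk_egress(frame, native_vlan, tag_native=False):
    """Simplified trunk model (assumption of this example): a frame whose outer
    tag equals the trunk's native VLAN leaves the trunk untagged, i.e. the outer
    tag is removed, unless the switch is configured to tag the native VLAN."""
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag
    return frame


def delivered_vlan(frame, native_vlan):
    """VLAN the receiving switch assigns to a frame arriving on a trunk:
    the outer tag if one is present, otherwise the trunk's native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def flag_double_tag(frame):
    """Detection check: more than one stacked tag on a frame coming from an
    access port is not something a normal host should send."""
    vids, _, _ = parse_tags(frame)
    return len(vids) > 1


if __name__ == "__main__":
    # Attacker on VLAN 1 crafts outer tag 1 (native) and inner tag 20 (target).
    crafted = build_frame("ffffffffffff", "00aabbccddee", [1, 20])
    print("tags on the wire:", parse_tags(crafted)[0])
    # Native VLAN 1 left untagged: outer tag stripped, frame lands in VLAN 20.
    print("native 1, untagged  ->", delivered_vlan(trunk_egress(crafted, 1), 1))
    # Same trunk with the native VLAN tagged: frame stays in VLAN 1.
    print("native 1, tagged    ->", delivered_vlan(trunk_egress(crafted, 1, tag_native=True), 1))
    # Unused native VLAN on the trunk: nothing is stripped, frame stays in VLAN 1.
    print("native 999          ->", delivered_vlan(trunk_egress(crafted, 999), 999))
    print("double tag flagged? ", flag_double_tag(crafted))
```

The two hardened cases in the `__main__` block correspond to the configuration advice that makes this particular hop fail: either tag the native VLAN on the trunk or move the native VLAN to an ID no access port uses. `flag_double_tag` is the kind of check one would run on a capture from an access-port span session; legitimate QinQ links do carry stacked tags, so apply it only where a single tag is the expected maximum.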