Re: [fw-wiz] Firewalls and 802.1q trunking

From: Eric Vyncke (evyncke@cisco.com)
Date: 12/04/02


To: Steffen Kluge <kluge@fujitsu.com.au>
From: Eric Vyncke <evyncke@cisco.com>
Date: Wed Dec  4 12:39:17 2002

First, have a look at my IP address to remove possible bias ;-)

Second, @stakes made some extended research on VLAN hopping against a Catalyst switch. They were unable to actually hop between VLAN on a well configured switch. See their paper on:
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

Having said this, I've seen two different points of view:

- misconfiguration happens: an Infosec or network operator can make a mistake in the VLAN configuration

- probabilty of faulty switch configuration by an educated network/infosec operator is less than the probability of a wrong cable patching in the datacom room by a uneducated engineer.

I guess that the decision really belongs to _your_ security policy and requirements.

Hope it helps

-eric

At 11:30 27/11/2002 +1100, Steffen Kluge wrote:
>Hi everyone,
>I'd like to solicit your opinion on the popular trend of
>equipping firewalls with (almost) arbitrary numbers of interfaces
>by means of VLAN trunking. Many FW vendors (including Nokia,
>NetScreen, and the like) are going down that path.
>
>My concern is that the "fan-out" boxes are typically run-of-the-mill
>switches, like Cisco Catalysts, that probably have been design without
>any security aspirations. I wouldn't be surprised if those switches
>could be attacked and tricked into leaking packets between VLANs.
>
>Are there any studies devoted to this issue, or reports of successful
>attacks against 802.1q separation that I should be aware of?
>
>In our environment we use firewalls with rather large numbers of
>interfaces (typically 15 ~ 25), mostly based on Xylan switches running
>FW-1. This product line has disappeared now and all alternative
>solutions seem to be relying on VLAN trunking.
>
>I'm not comfortable with the idea yet, but I wasn't comfortable with
>the Xylan switches in the beginning, either. I'd like to think I'm too
>paranoid, but then, that's my job...
>
>Cheers
>Steffen.
>
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards