RE: [fw-wiz] Firewalls and 802.1q trunking

From: Steve Evans (sevans@foundation.sdsu.edu)
Date: 12/10/02
To: <firewall-wizards@honor.icsalabs.com>
Date: Tue Dec 10 21:25:01 2002

And can you say that the traffic coming from the internet is the most
dangerous traffic on the network. I've always understood that the vast
majority of the attacks come from the inside.

Steve Evans
SDSU Foundation
(619) 594-0653

-----Original Message-----
From: David Pick [mailto:d.m.pick@qmul.ac.uk]
Sent: Wednesday, November 27, 2002 11:40 AM
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Firewalls and 802.1q trunking

>
>
> >> My concern is that the "fan-out" boxes are typically
> >> run-of-the-mill switches, like Cisco Catalysts, that probably have
> >> been designed without any security aspirations. I wouldn't be
> >> surprised if those switches could be attacked and tricked into
> >> leaking packets between VLANs.
>
> >A valid concern. My attitude is simple:
> >* If the switches are secure enough to keep VLANs separated for
> >normal traffic then they're secure enough to use as interfaces to
> >your firewall
> >* If they're not, well, they're not!
>
> I would submit that secure enough to manage traffic inside your
> trusted network is quite different from secure enough to define a
> security boundary.

I'm sorry, I probably wasn't explicit enough in what I said. What I
should have said was that I didn't think the fact that there was a
firewall involved mattered at all here; if a switch was judged secure
enough to have *all* the VLANs involved (internal
*and* external/dangerous) connected to it (and that's another argument
about which *I*'m very conservative as well!) *then* the fact that a
firewall is connected to the switch is not relevant; in the same way, if
it is judged that one group of VLANs can share switch fabric, then a
firewall interconnecting them can use a trunk link to that switch fabric
with no further loss of security.

-- 
	David Pick
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
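As an added defender-side example (not part of this thread or anyone's posted code), the check below parses 802.1Q tags and flags frames seen on the firewall trunk that arrive on a VLAN the trunk is not meant to carry, or that arrive untagged; the MAC addresses, VLAN ids and frames are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

def parse_frame(frame: bytes) -> dict:
    """Return dst, src, VLAN id (None if untagged) and inner EtherType of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    vid = None
    if ethertype == TPID_8021Q:
        # Tag Control Information: 3-bit priority, 1-bit DEI, 12-bit VLAN id, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid, "ethertype": ethertype}

def audit_trunk(frames, allowed_vids):
    """Flag frames on the firewall trunk whose VLAN is not one the trunk is meant to carry.
    Untagged frames are flagged too: on a trunk they ride the native VLAN, which the
    firewall's per-VLAN policy never sees as a distinct interface."""
    findings = []
    for i, frame in enumerate(frames):
        info = parse_frame(frame)
        if info["vid"] is None:
            findings.append((i, None, "untagged frame on trunk"))
        elif info["vid"] not in allowed_vids:
            findings.append((i, info["vid"], "VLAN not permitted on trunk"))
    return findings

def build_frame(dst, src, vid, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed sample frame; vid=None yields an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = vid & 0x0FFF  # priority 0, DEI 0
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

# Constructed sample: the trunk to the firewall is supposed to carry VLANs 10 (inside) and 20 (outside)
ALLOWED = {10, 20}
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:02", 10),
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:03", 20),
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:04", 30),    # a VLAN that should never reach the firewall
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:05", None),  # untagged: native VLAN traffic
]

if __name__ == "__main__":
    for idx, vid, reason in audit_trunk(SAMPLE_FRAMES, ALLOWED):
        print(f"frame {idx}: vid={vid} {reason}")
```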