Re: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control

From: Shimon Silberschlag (shimons_at_bll.co.il)
Date: 03/03/04

    Date: Wed, 3 Mar 2004 09:55:55 +0200

    The main risk as I see it is not having an outside attacker change the
    switch config, but an insider doing it, presumably not maliciously but
    through error or mistake.

    What I wanted to know was, how will the switch behave if the change
    prevented the FWSM from seeing any VLAN traffic? Will traffic then pass
    unchecked between the segments?

    I also wonder why no one answered my second question about granularity
    of control. Are people content to control the segment level only, or do they aim
    to control each and every server on the segment?

    Shimon Silberschlag

    +972-3-9351572
    +972-51-207130

    ----- Original Message -----
    From: "David Lang" <david.lang@digitalinsight.com>
    To: "Dale W. Carder" <dwcarder@doit.wisc.edu>
    Cc: "Shimon Silberschlag" <shimons@bll.co.il>;
    <firewall-wizards@honor.icsalabs.com>
    Sent: Tuesday, March 02, 2004 23:25
    Subject: Re: [fw-wiz] Multiple small switches vs. a single big one;
    Granularity of control

    > On Tue, 2 Mar 2004, Dale W. Carder wrote:
    >
    > > Date: Tue, 02 Mar 2004 14:22:40 -0600
    > > From: Dale W. Carder <dwcarder@doit.wisc.edu>
    > > To: Shimon Silberschlag <shimons@bll.co.il>
    > > Cc: firewall-wizards@honor.icsalabs.com,
    > > David Lang <david.lang@digitalinsight.com>
    > > Subject: Re: [fw-wiz] Multiple small switches vs. a single big one;
    > > Granularity of control
    > >
    > > On Feb 29, 2004, at 8:48 AM, Shimon Silberschlag wrote:
    > > > When designing a new internet architecture, we are debating the use of
    > > > either a physical switch per segment, as was traditionally recommended by
    > > > the majority of readers on this list, and using a big switch combined with
    > > > an on-switch FW that controls traffic down to a port granularity (e.g. the
    > > > Cisco FWSM enclosed in the 6500 switch).
    > >
    > > I personally believe that the idea of separating vlans onto separate switches
    > > is fueled by paranoia and inferior switch architectures. Separating vlans
    > > onto their own switches does not scale. If it does for your environment, I
    > > envy you :-)
    > >
    > > There are economies of scale in having bigger switches with more vlans,
    > > and trunking between them. The 6500 series switches and competing
    > > products are marketed towards that idea.
    >
    > I agree that this is the marketing claim. The definition of what 'scales'
    > varies depending on what you are trying to do.
    >
    > > > What would be the current group recommendations WRT to such a setup, taking
    > > > into account that the usual "don't trust VLANS to separate your segments" is
    > > > mitigated by using the FWSM to enforce the separation policy?
    > >
    > > The switch enforces the separation policy between vlans. The FWSM is a
    > > firewall between vlans.
    >
    > This is my point: adding the FWSM doesn't enforce any ADDITIONAL
    > protection that you wouldn't have if you just used the switch with its
    > VLANs.
    >
    > The claim I was responding to was that because the FWSM was installed in
    > the switch it somehow made the switch inherently safe and eliminated all
    > the traditional issues that have arisen from switch configuration.
    >
    > David Lang
    >
    > --
    > "Debugging is twice as hard as writing the code in the first place.
    > Therefore, if you write the code as cleverly as possible, you are,
    > by definition, not smart enough to debug it." - Brian W. Kernighan

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
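The failure Shimon asks about above (a config edit that leaves a VLAN routed by the switch without the FWSM ever seeing it) is the kind of thing a configuration audit can catch before it bites. The following is an added example, not code from the thread or from any poster: it assumes the design intent that every VLAN with a Layer-3 SVI on the MSFC is supposed to be handed to the FWSM through a `firewall vlan-group` that is actually bound to the module, and it runs over a constructed 6500 config fragment.

```python
import re

# Constructed 6500/FWSM config fragment (sample input, not from the thread): VLAN 40
# has an MSFC SVI but no vlan-group; group 2 (VLAN 50) is never bound to the module.
SAMPLE_CONFIG = """\
firewall vlan-group 1 10,20,30
firewall vlan-group 2 50
firewall module 3 vlan-group 1
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
interface Vlan40
 ip address 10.40.0.1 255.255.255.0
interface Vlan50
 ip address 10.50.0.1 255.255.255.0
"""

def parse_vlan_list(spec):
    """Expand IOS list syntax such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return VLANs the FWSM inspects, SVIs that bypass it, and unbound groups."""
    groups, bound, svis, current = {}, set(), {}, None
    for line in config.splitlines():
        m = re.match(r"firewall vlan-group (\d+) (\S+)", line)
        if m:
            groups[int(m.group(1))] = parse_vlan_list(m.group(2))
            continue
        m = re.match(r"firewall module \d+ vlan-group (\S+)", line)
        if m:  # group ids use the same comma/range list syntax
            bound.update(parse_vlan_list(m.group(1)))
            continue
        if line.startswith("interface"):
            m = re.match(r"interface Vlan(\d+)", line)
            current = int(m.group(1)) if m else None
        elif current is not None and line.strip().startswith("ip address"):
            svis[current] = line.split()[2]  # MSFC routes this VLAN itself
    # Only groups actually bound to a module put their VLANs behind the FWSM.
    firewalled = set().union(*(groups[g] for g in bound if g in groups))
    return {
        "firewalled": firewalled,
        "bypass": sorted(v for v in svis if v not in firewalled),
        "unbound_groups": sorted(g for g in groups if g not in bound),
    }
```

Run it against the running config pulled from each change (or diff two reports across a change window) and any VLAN landing in `bypass` is one the switch will happily route around the firewall.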

