Re: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control
From: Shimon Silberschlag (shimons_at_bll.co.il)
Date: Wed, 3 Mar 2004 09:55:55 +0200
The main risk as I see it is not having an outside attacker change the
switch config, but an insider doing it, presumably not maliciously but
through error or mistake.
What I wanted to know was, how will the switch behave if the change
prevented the FWSM from seeing any VLAN traffic? Will traffic then pass
unchecked between the segments?
I also wonder why didn't anyone answer my second question about granularity
of control. Do people contend to control the segment level only, or aim to
control each and every server on the segment?
----- Original Message -----
From: "David Lang" <email@example.com>
To: "Dale W. Carder" <firstname.lastname@example.org>
Cc: "Shimon Silberschlag" <email@example.com>;
Sent: Tuesday, March 02, 2004 23:25
Subject: Re: [fw-wiz] Multiple small switches vs. a single big one;
Granularity of control
> On Tue, 2 Mar 2004, Dale W. Carder wrote:
> > Date: Tue, 02 Mar 2004 14:22:40 -0600
> > From: Dale W. Carder <firstname.lastname@example.org>
> > To: Shimon Silberschlag <email@example.com>
> > Cc: firstname.lastname@example.org,
> > David Lang <email@example.com>
> > Subject: Re: [fw-wiz] Multiple small switches vs. a single big one;
> > Granularity of control
> > On Feb 29, 2004, at 8:48 AM, Shimon Silberschlag wrote:
> > > When designing a new internet architecture, we are debating the use of
> > > either a physical switch per segment, as was traditionally recommended
> > > by
> > > the majority of readers on this list, and using a big switch combined
> > > with
> > > an on-switch FW that controls traffic down to a port granularity (e.g.
> > > the
> > > Cisco FWSM enclosed in the 6500 switch).
> > I personally believe that the idea of separating vlans onto separate
> > switches
> > is fueled by paranoia and inferior switch architectures. Separating
> > vlans
> > onto their own switches does not scale. If it does for your
> > environment, I
> > envy you :-)
> > There are economies of scale in having bigger switches with more vlans,
> > and trunking between them. The 6500 series switches and competing
> > products are marketed towards that idea.
> I agree that this is the marketing claim. the definition of what 'scales'
> varies depending on what you are trying to do.
> > > What would be the current group recommendations WRT to such a setup,
> > > taking
> > > into account that the usual "don't trust VLANS to separate your
> > > segments" is
> > > mitigated by using the FWSM to enforce the separation policy?
> > The switch enforces the separation policy between vlans. The FWSM is a
> > firewall between vlans.
> this is my point, adding the FWSM doesn't enforce any ADDITIONAL
> protection that you wouldn't have if you just used the switch with it's
> the claim I was responding to was that becouse the FWSM was installed in
> the swtich it somehow made the switch inherently safe and eliminated all
> the traditional issues that have risen from switch configuration.
> David Lang
> "Debugging is twice as hard as writing the code in the first place.
> Therefore, if you write the code as cleverly as possible, you are,
> by definition, not smart enough to debug it." - Brian W. Kernighan
firewall-wizards mailing list