Re: [fw-wiz] Worms, Air Gaps and Responsibility

From: Mason (hr824_at_sunwave.net)
Date: 05/06/04

  • Next message: Ahmed, Balal: "RE: [fw-wiz] BGP TCP RST Attacks (was:CIsco PIX vulnerable to TCP RST DOS attacks)"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 5 May 2004 23:02:16 -0700
    
    

    On May 5, 2004 09:11 am, Rogan Dawes wrote:
    > On a related note, I've been thinking quite a lot about having switches
    > perform firewall tasks. I see no reason why it should not be possible to
    > classify ports into groups such as "server" and "desktop" (at a
    > minimum), and apply appropriate filtering rules between the groups.
    >
    > e.g. desktops may only talk to servers, not to each other.
    >
    It should be possible to put each host (port) in its own vlan and trunk all
    traffic to a gateway/firewall (I am planning to do this with a linux box and
    an old cisco cat1924). I wouldn't want to try this on a large network, but I
    plan to do this for a small repair bench that can have up to 10 PCs on it
    simultaneously. I have had to resort to this because boxes that come in for
    repair tend to chat amongst themselves... :P

    wrt
    > classify ports into groups such as "server" and "desktop"
    >
    I use an iptables firewall configuration interface called shorewall
    (www.shorewall.net) for all my basic quicky firewall stuff. With shorewall,
    I should be able to configure a single "zone" that will include all my vlan
    interfaces (each vlan on the switch corresponds to a vlan interface on the
    linux box). Then all I will need to set up is a ruleset (in addition to basic
    antispoofing rules, NAT, etc) that says "bench" can talk to windowsupdate and
    online virus scanners, the "worm laden internet" cannot talk to the PCs, and
    no routing is permitted between vlan interfaces.

    --
    Mason Schmitt
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
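A worked example of the layout Mason describes (one VLAN per switch port, all VLAN sub-interfaces in a single Shorewall zone, no forwarding between them, only Windows Update and an online scanner reachable), added here as an illustration. It is not Mason's configuration and not from the Shorewall project; the trunk interface name, VLAN IDs, addresses, the scanner hostname and the Shorewall 4.x file formats are assumptions.

```text
# --- Linux box: one VLAN sub-interface per switch port (assumed: trunk on eth1,
#     VLAN IDs 101-110, one /24 per bench port; shown for reference only) ---
#   ip link add link eth1 name eth1.101 type vlan id 101
#   ip addr add 192.168.101.1/24 dev eth1.101
#   ip link set eth1.101 up
#   ... repeat for 102-110; the PC on each port gets an address from its own /24

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4        # the "worm laden internet" on eth0
bench   ipv4        # one zone spanning all per-port VLAN interfaces

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags,nosmurfs
bench   eth1.+      -           routefilter,tcpflags,nosmurfs   # wildcard: eth1.101 ... eth1.110

# /etc/shorewall/policy  (first match wins; anything not listed hits the last line)
#SOURCE  DEST   POLICY   LOG LEVEL
bench    bench  DROP     info     # no forwarding between VLAN interfaces: PCs cannot see each other
bench    net    DROP     info     # bench reaches the internet only via the explicit rules below
net      all    DROP     info     # nothing inbound from the internet to the bench or the firewall
$FW      all    ACCEPT            # the linux box itself may go out
all      all    REJECT   info

# /etc/shorewall/rules  (exceptions to the policies above)
#ACTION       SOURCE   DEST                                PROTO   DEST PORT(S)
# Bench PCs may reach Windows Update and one online scanner (scanner hostname is a
# placeholder; Shorewall resolves names once at 'shorewall start', so fixed
# addresses are more robust if the services move)
ACCEPT        bench    net:windowsupdate.microsoft.com     tcp     80,443
ACCEPT        bench    net:scanner.example.com             tcp     443
# Name resolution and time from the linux box itself, if it provides them
DNS(ACCEPT)   bench    $FW
NTP(ACCEPT)   bench    $FW

# /etc/shorewall/masq  (NAT the bench /24s out of eth0; the 'snat' file replaces
# this in Shorewall 5)
#INTERFACE   SOURCE
eth0         192.168.101.0/24,192.168.102.0/24
```

The two DROP policies with `info` logging are the useful part for a repair bench: every attempt by a PC to reach another port or an unlisted internet host is logged, so a worm-infected machine announces itself in the firewall log instead of spreading to the box next to it.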