Re: [fw-wiz] Worms, Air Gaps and Responsibility

From: Chris Pugrud (
Date: 05/07/04

  • Next message: Devdas Bhagat: "Re: [fw-wiz] Worms, Air Gaps and Responsibility"
    Date: Fri, 7 May 2004 06:34:29 -0700 (PDT)

    I've been doing a lot of research over the last several months about how to
    isolate desktop and laptop systems from servers using switches and the firewall
    filtering capabilities of VLAN routers (layer 3 switches). I'm working that
    research into publishable form, but I can answer more specifically to what you
    are suggesting and hopefully get some feedback from the community at the same

    Cisco offers "Private VLAN" capabilities in their layer 2 switches. Within a
    VLAN you can designate ports as private or public. Private ports are fully
    isolated from all other private ports in the VLAN. Private ports can only talk
    to public ports and vice versa. If the only public port is the router for the
    VLAN, the effect is that every system in the VLAN has effectively been assigned
    to an individual, personal VLAN. Filtering rules applied to that VLAN affect
    all the systems equally. This is much easier to manage and deploy than other
    methods that suggest placing every system in its own subnet and VLAN.

    It has often been observed that client systems, desktops and laptops, only need
    to talk to servers and never to each other, in most environments, as you

    If all of the client systems are isolated in private VLANs, and the VLANs are
    isolated from each other with filtering rules at the VLAN router, the only
    systems that clients can talk to are the servers and external gateways. This
    effectively reduces the primary security perimeter to the servers. If the
    servers are well protected and current in their AV signatures, the organization
    is fairly well protected from viruses. There is still a huge vulnerability if
    one of the servers should become infected. Because the servers can talk to all
    of the clients, if a server becomes infected, go back to square one.

    Ideally an IDS would detect the virus attack, notify the administrators, and,
    possibly, shut down the port that is the source of the attack (I won't start up
    the automated defenses thread again). On a secondary level this also stops the
    curious insider from browsing the HR desktop file share and publishing the
    internal salary list.

    Many years ago I used to be very active on this list (, and
    I am very glad to see that the list has retained its technical focus and
    professional expertise.


    Chris Pugrud
    --- Rogan Dawes <> wrote:
    > I agree that it is a good idea to separate user networks from server 
    > networks (in the general case) and user networks from production 
    > networks specifically. In most cases, I think that air gaps are a bit of 
    > overkill. Using a firewall and defined interfaces that can be adequately 
    > secured (e.g. by not using MS file sharing :-) is sufficient in many cases.
    > On a related note, I've been thinking quite a lot about having switches 
    > perform firewall tasks. I see no reason why it should not be possible to 
    > classify ports into groups such as "server" and "desktop" (at a 
    > minimum), and apply appropriate filtering rules between the groups.
    > e.g. desktops may only talk to servers, not to each other.
    > As a benefit, it would even prevent attacks against the local segment, 
    > as well as the rest of the network.
    > Thoughts?
    > I realise that this could end up causing a lot of work for network 
    > admins (analogous to locking MAC addresses to ports, perhaps), but with 
    > the right tools, it should be manageable.
    > Rogan
    firewall-wizards mailing list
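Added example, not code from Chris's message, from Cisco or from the list: a small Python model of the two enforcement points the post describes (private-VLAN port roles at layer 2, filtering rules at the VLAN router at layer 3). Running it shows what an infected client can reach versus what an infected server can reach, which is the "back to square one" point above. All hostnames, addresses and VLAN numbers are constructed for the example.

```python
"""Reachability model of the private-VLAN design described in the post above.

Two layers of enforcement are modelled:
  * Layer 2: inside a private VLAN an 'isolated' port exchanges frames only with
    'promiscuous' ports (here, the VLAN's router interface); two isolated ports
    never talk directly.
  * Layer 3: anything that crosses the VLAN router is matched against an
    ordered permit/deny list with an implicit deny at the end.
Hostnames, addresses and VLAN numbers below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    vlan: int
    port_role: str  # "isolated" or "promiscuous"


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR of the initiating side
    dst: str     # CIDR of the responding side


# Constructed topology: two client VLANs on isolated ports, one server VLAN.
HOSTS = [
    Host("alice", "10.0.10.11", 10, "isolated"),
    Host("bob", "10.0.10.12", 10, "isolated"),
    Host("carol", "10.0.20.13", 20, "isolated"),
    Host("fileserver", "10.0.100.5", 100, "promiscuous"),
    Host("mailserver", "10.0.100.6", 100, "promiscuous"),
]

# Filtering at the VLAN router, evaluated top-down for the initiating direction
# (return traffic is assumed to be handled by a stateful device or an
# "established" style rule, which this model leaves out).
# Clients may only open connections to the server VLAN; servers may reach anything.
ROUTER_RULES = [
    Rule("permit", "10.0.10.0/24", "10.0.100.0/24"),
    Rule("permit", "10.0.20.0/24", "10.0.100.0/24"),
    Rule("permit", "10.0.100.0/24", "10.0.0.0/16"),
    # implicit deny follows
]


def l2_allows(src: Host, dst: Host) -> bool:
    """Private-VLAN rule within one VLAN: at least one side must be promiscuous."""
    return src.vlan == dst.vlan and "promiscuous" in (src.port_role, dst.port_role)


def acl_allows(rules, src_ip: str, dst_ip: str) -> bool:
    """First matching rule wins; no match means deny, as on a router ACL."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action == "permit"
    return False


def can_reach(src: Host, dst: Host, rules=ROUTER_RULES) -> bool:
    """Can src open a connection to dst?

    Same VLAN: decided purely by the private-VLAN port roles.
    Different VLANs: the frame goes to the router's promiscuous port (always
    allowed for an isolated port) and the router's filtering decides.
    """
    if src is dst:
        return False
    if src.vlan == dst.vlan:
        return l2_allows(src, dst)
    return acl_allows(rules, src.ip, dst.ip)


def reachable_from(src_name: str, hosts=HOSTS, rules=ROUTER_RULES) -> list:
    """Names of hosts src can initiate traffic to: the blast radius if src is infected."""
    by_name = {h.name: h for h in hosts}
    src = by_name[src_name]
    return sorted(h.name for h in hosts if can_reach(src, h, rules))


if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h.name:11s} -> {reachable_from(h.name)}")
```

The output makes the asymmetry visible: an infected client can only reach the server VLAN, while an infected server can reach every client, which is why the post treats server AV currency and a port-shutting IDS as the remaining controls.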
