Re: [fw-wiz] Layer 2 (stealth) firewalls - PBR?

On Mon, 7 Apr 2008, Darden, Patrick S. wrote:

Except that a layer two device can't tell if something is multicast or
broadcast or unicast or Anything in ipv4 or ipv6.... That's sorta the
definition of a layer two device. If it could discriminate amongst
layer 3 traffic, it would be a layer 3 device--a router, firewall, etc.

I've been doing networking since the broadband/baseband LAN thing a long
time ago, and I'm pretty cognizant of how it all works...

Layer 2 devices like switches have to forwrd layer 3 multicast packets out
ports for the multicast group, so they in essence have to peek up a layer
even though they're not "routers, firewalls, etc." They also have to
forward layer 3 broadcasts out all ports in a LAN or VLAN, once again
without being "routers, firewalls, etc."

Finally, there are alyer 2 broadcasts and layer 2 multicast addresses.
I'd suggest a Google of "layer 2 multicast addresss" for your increased
edification, and a good read of the IPv6 RFCs- because if you don't think
this stuff is going to be where "interesting" attacks and "poor
implementations" happen...

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."

firewall-wizards mailing list

Relevant Pages

  • Re: Windows and Wi-Fi - starts well, frequency steps?
    ... UDP 123 differently from UDP 53. ... assuming the radio layer loss rates are less than 87.5% ... of layering violation, so I don't actually find this objectionable. ... Broadcasts really are broadcasts - you're not seeing ...
  • Re: Defense in Depth
    ... What is meant by "layers" of security, is this: the entry points that must be ... Physical Layer - Physical access to the resources. ... attacks and other attacks that go after the software itself. ... "layer" in one long chain (lots of firewalls). ...
  • Re: Firewalls: whats the use?
    ... We are thinking obviously of different firewalls here. ... machine network and an untrusted network. ... they are a separate tool that can be used to control what people ... have access to based on a SEPARATE OSI Layer. ...
  • Re: Maximum MAC multicast filters? --clarified--
    ... > I want to subscribe to lots of layer 3 multicast groups. ... many NICs use an imperfect hash to filter ...
  • Re: Layer 7 firewall Vs Stateful packet inspection firewall
    ... CheckPoint provides ... or 4th (TCP/IP) layer depending upon the model we're referring to. ... >> For simplistic discussion there are two primary types of firewalls. ...