[fw-wiz] Use of single port aggregations to enhance security

I'm curious if anyone has toyed with the idea of creating
single port LACP aggregations on switches and connecting
firewalls that also speak LACP to them. The purpose of this
is that some (all?) switches will disable an aggregation
port when LACP is not running, so the LACP protocol becomes
something of a link-state protocol between the operating
system and the switch.

So what difference can this make?

If you're using an operating system based firewall (Linux,
BSD, Solaris), then depending on the order of the operating
system enabling firewalls capabilities vs networking, there
may be windows where packets are able to reach code paths
that they weren't intended for because nic drivers start
servicing packets quite early. However, nearly all of the
above operating systems implement LACP in software. This
means that there's a "knob" that can be used on the firewall
host to control whether or not the switch sends stuff to
the firewall, potentially allowing you to close that window
(if it exists.) This might cause problems if you're doing
some sort of out-of-band remote console over that port O:->

I admit that caring about this might require a special level
of paranoia :)

But the idea of being able to turn the tap off, rather than
just pour what comes out of the hose down the drain, does
have some merit O:)


firewall-wizards mailing list