[fw-wiz] Use of single port aggregations to enhance security

I'm curious if anyone has toyed with the idea of creating
single port LACP aggregations on switches and connecting
firewalls that also speak LACP to them. The purpose of this
is that some (all?) switches will disable an aggregation
port when LACP is not running, so the LACP protocol becomes
something of a link-state protocol between the operating
system and the switch.

So what difference can this make?

If you're using an operating system based firewall (Linux,
BSD, Solaris), then depending on the order of the operating
system enabling firewall capabilities vs. networking, there
may be windows where packets are able to reach code paths
that they weren't intended for, because NIC drivers start
servicing packets quite early. However, nearly all of the
above operating systems implement LACP in software. This
means that there's a "knob" that can be used on the firewall
host to control whether or not the switch sends stuff to
the firewall, potentially allowing you to close that window
(if it exists). This might cause problems if you're doing
some sort of out-of-band remote console over that port O:->

I admit that caring about this might require a special level
of paranoia :)

But the idea of being able to turn the tap off, rather than
just pour what comes out of the hose down the drain, does
have some merit O:)


firewall-wizards mailing list
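The ordering the post describes, as an added example that is not part of the original message or any project's code: a Linux firewall host creates a single-member 802.3ad (LACP) bond but leaves it administratively down, loads its packet filter, verifies the ruleset is actually in place, and only then brings the bond up so that LACPDUs start and the switch adds the port to the bundle. The interface names (bond0, eth0), the ruleset path (/etc/nftables.conf), the "policy drop" string used as the loaded-ruleset check, and the DRY_RUN switch are all assumptions made for this example; the ip and nft invocations are standard iproute2 and nftables syntax.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: bond0, eth0,
# /etc/nftables.conf, DRY_RUN. Requires root when DRY_RUN is not set.
DRY_RUN=${DRY_RUN:-0}
BOND=${BOND:-bond0}
MEMBER=${MEMBER:-eth0}
RULESET=${RULESET:-/etc/nftables.conf}

# Execute a command, or just print it when DRY_RUN=1 (lets the sequence be
# inspected, and tested, on a box with no bond and no root).
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# "Rules are loaded" check: a default-drop policy must be visible in the
# live ruleset. Assumed marker for this example; adapt to your own policy.
ruleset_active() {
    if [ "$DRY_RUN" = 1 ]; then
        return 0
    fi
    nft list ruleset 2>/dev/null | grep -q 'policy drop'
}

# Create the LACP bond and enslave the uplink, but leave the bond down.
# Linux only runs the 802.3ad state machines once the bond is opened, so no
# LACPDUs are sent yet and a switch that suspends non-negotiating members
# keeps the port out of service: the tap is off.
create_bond_down() {
    run ip link add "$BOND" type bond mode 802.3ad miimon 100 lacp_rate fast
    run ip link set "$MEMBER" down
    run ip link set "$MEMBER" master "$BOND"
}

load_rules() {
    run nft -f "$RULESET"
}

# Turn the tap on: refuse unless the ruleset is verified in place, then
# bring the bond up so LACP negotiates and the switch starts forwarding.
open_tap() {
    if ! ruleset_active; then
        echo "refusing to bring $BOND up: ruleset not loaded" >&2
        return 1
    fi
    run ip link set "$BOND" up
}

# Turn the tap off again (e.g. before reloading rules or at shutdown).
close_tap() {
    run ip link set "$BOND" down
}

# Full boot-time sequence: bond down, rules, then bond up.
bringup() {
    create_bond_down && load_rules && open_tap
}

case "${1:-}" in
    up)   bringup ;;
    down) close_tap ;;
esac
```

Run it as `DRY_RUN=1 sh lacp-tap.sh up` to see the command order without touching the host; wire `bringup` into the boot sequence after the filesystem holding the ruleset is mounted. On the switch side the port is a one-member port-channel with LACP active (on Cisco IOS, for instance, `channel-group 1 mode active` on the physical interface). Two caveats the post hints at: the window only closes if the switch actually suspends a member that is not negotiating rather than letting it fall back to an individual port (on Cisco NX-OS this is the `lacp suspend-individual` behaviour), and anything you rely on before the rules load, such as an out-of-band console, has to live on a different port, since this one is dark until `open_tap` succeeds.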
