Layer 3 and Firewall

Is it a BAD idea to have multiple logical segments of a Firewall
connected to the same physical switch?

One of our customers has a Cisco 6509. All VLANs are Layer 2. The
server segment and multiple User LANs are all terminated here on the
same 6509. The default gateway for these Layer 2 VLANs is on the
Checkpoint Firewall. So all access from the User LAN to the server
segment is through the Firewall rulebase.

The threat I see is that if the network switch administrator wants to
bypass the Firewall, he can just disconnect the Firewall links and make
the VLANs Layer 3, and there is no security. After malicious activities
he can very well reconnect the Firewall and revert back to Layer 2.

Is that a valid threat? Is it high risk? What controls are possible?
Are multiple physical switches required?
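One control a practitioner would reach for against the scenario in the post is to audit the switch configuration for the exact change the bypass requires: an SVI ("interface VlanN") with an IP address on a VLAN that is supposed to be Layer 2 only, plus "ip routing" enabled. The script below is an added example and is not from the original post or from Cisco; the configuration it parses is constructed here to mirror the post's layout (two user VLANs, one server VLAN, gateway meant to live on the Checkpoint), and the set of Layer 2-only VLAN IDs is an assumption the auditor would fill in from their own design.

```python
import re

# Constructed sample Cisco IOS configuration (not from the original post).
# VLANs 10/20 are user LANs and VLAN 100 is the server segment; by design all
# three are Layer 2 only with the default gateway on the firewall. Here VLAN 20
# and VLAN 100 have been given live SVIs with IP addresses and "ip routing" is
# on, which is the bypass the post describes. VLAN 200 is a routed management
# SVI that is legitimately Layer 3 and must not be flagged.
SAMPLE_CONFIG = """\
hostname core-6509
!
ip routing
!
vlan 10
 name USERLAN-A
vlan 20
 name USERLAN-B
vlan 100
 name SERVERS
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan20
 ip address 10.0.20.254 255.255.255.0
 no shutdown
!
interface Vlan100
 ip address 10.0.100.254 255.255.255.0
 no shutdown
!
interface Vlan200
 description MGMT
 ip address 10.0.200.2 255.255.255.0
!
end
"""

# Assumed design intent: these VLANs must stay Layer 2 with their gateway on
# the firewall. An auditor would populate this from the real segmentation plan.
L2_ONLY_VLANS = {10, 20, 100}


def parse_svis(config):
    """Return {vlan_id: {"ip": addr_or_None, "shutdown": bool}} for every
    'interface VlanN' block in an IOS-style running configuration."""
    svis = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface Vlan(\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            svis[current] = {"ip": None, "shutdown": False}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # a non-indented line ends the interface block
            continue
        stripped = line.strip()
        m = re.match(r"^ip address (\S+) (\S+)$", stripped)
        if m:
            svis[current]["ip"] = m.group(1)
        elif stripped == "shutdown":
            svis[current]["shutdown"] = True
    return svis


def ip_routing_enabled(config):
    """True if the global 'ip routing' command is present (needed to route between SVIs)."""
    return any(line.strip() == "ip routing" for line in config.splitlines())


def find_bypass_svis(config, l2_only=L2_ONLY_VLANS):
    """VLAN IDs that should be Layer 2 only but carry a live SVI with an IP address,
    i.e. a gateway on the switch that lets traffic skip the firewall rulebase."""
    svis = parse_svis(config)
    return sorted(
        vid for vid, svi in svis.items()
        if vid in l2_only and svi["ip"] is not None and not svi["shutdown"]
    )


if __name__ == "__main__":
    flagged = find_bypass_svis(SAMPLE_CONFIG)
    print("ip routing enabled:", ip_routing_enabled(SAMPLE_CONFIG))
    print("L2-only VLANs with a live SVI:", flagged)
```

Because the post's attacker reverts the change afterwards, a one-off check proves little; the check only has value if it runs against every configuration pull on a schedule (or on each syslog "configured from" event) and the pulled configs are archived somewhere the switch administrator cannot edit.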
