Layer 3 and Firewall



Is it a BAD idea to have multiple logical segments of a Firewall
connected to the same physical switch?

One of our customers has a Cisco 6509. All VLANs are Layer 2. The
server segment and multiple User LANs are all terminated here on the
same 6509. The default gateway for these Layer 2 VLANs is on the
Checkpoint Firewall. So all access from UserLAN to server segment is
through the Firewall rulebase.

The threat I see is if the network switch administrator wants to
bypass the Firewall, he can just disconnect the Firewall links and make
the VLANs Layer 3 and there is no security. After malicious activities
he can very well connect the Firewall and revert back to Layer 2.

Is that a valid threat? Is it High risk? What controls are possible?
Are multiple physical switches required?
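
One detective control for the change described above, as an added example that is not part of the original post: audit a saved switch configuration for VLAN interfaces (SVIs) that carry an IP address on VLANs meant to stay Layer 2. The sample config, the VLAN numbers and the management-VLAN allow-list are constructed assumptions.

```python
import re

# Constructed excerpt of an IOS-style running-config (not from the post).
# VLAN 10 = user LAN, VLAN 20 = servers, VLAN 99 = switch management.
SAMPLE_CONFIG = """\
interface Vlan10
 description USER-LAN-1
 no ip address
 shutdown
!
interface Vlan20
 description SERVERS
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan99
 description SWITCH-MGMT
 ip address 10.0.99.2 255.255.255.0
!
"""

SVI_RE = re.compile(r"^interface Vlan(\d+)\s*$", re.IGNORECASE)
ADDR_RE = re.compile(r"^\s+ip address\s+(.+)$")  # does not match "no ip address"


def find_routed_svis(config, allowed_vlans=frozenset()):
    """Return {vlan_id: [addresses]} for SVIs that have an IP address
    configured and are not on the allow-list (e.g. the management VLAN)."""
    findings = {}
    current = None
    for line in config.splitlines():
        header = SVI_RE.match(line)
        if header:
            current = int(header.group(1))
            continue
        if not line.startswith(" "):
            current = None          # left the interface block
            continue
        addr = ADDR_RE.match(line)
        if current is not None and addr and current not in allowed_vlans:
            # Flag even if the SVI is shut down: an address here is drift
            # from the "firewall is the only gateway" baseline.
            findings.setdefault(current, []).append(addr.group(1).strip())
    return findings


if __name__ == "__main__":
    for vlan, addrs in find_routed_svis(SAMPLE_CONFIG, {99}).items():
        print(f"VLAN {vlan} has a routed interface on the switch: {addrs}")
```

Run it against configuration snapshots collected by a system the switch administrator does not control, so that a temporary change and its revert both leave a record.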
