Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Clueless firewall configuration ?
From: John Kinsella <jlk () thrashyour com>
Date: Fri, 11 Aug 2006 08:13:18 -0700

On Fri, Aug 11, 2006 at 10:08:09PM +0200, cableguy clueless wrote:
2 cisco 6509 each with firewall blade in them. These function as core
switches for a 1000 users site with lots of vlans and FW roules
between the vlans (oh and we are a big production site that relies on
these cores to let our ciritical bussiness process machines
communicate to the servers).

He wants to create 2 vlans, 1 for untrusted traffic and 1 vlan for DMZ
machines and assign physical ports to these to connect to the
internet. The DMZ vlan would also have some physical ports. These
ports would not be on the core switch but on the access layer switches
that are fiber attached to the distribution switches that attach to
the cores...

I actually architected something vaguely similar for a large retailer
last year, although there were about 50 vlans total and several other
layers of security as well (edge filtering egres/ingres, separate vendor
and employee vpns, etc).  So with that background, I'll comment a bit:

Looking just at the vlan part, there is in theory the ability to
"jump" vlans (well covered topic on securityfocus lists).  I would
probably consider spitting the DMZs off before they hit the cats,
either routed to a different port on the edge devices, or a firewall
(different brand might be of interest, depeding on paranoia) sitting
in front of the cats.  Depends on value of the rest of the network and
it's contents.  Tradeoff here is more hardware to purchase, architect,
manage, and more potential points of failure.

Looking at it from a DOS point of view, if there is significant traffic
levels flowing through the switches, the designer must be aware of
design details such as how many ports per ASIC and backplane bandwidth
for the supervisor card being used.  Otherwise packets can be dropped
under heavy enough loads (I've seen that at a different site, it was
ugly and cost millions in revenue - not my design :) ).

Hopefully the cores have been hardened, telnet turned off, real passwords
set, good versions of IOS, etc.  I'd say the easiest attacks against those
devices would be if the operational aspects haven't been well executed.

John

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]