Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: Eric Vyncke <evyncke () cisco com>
Date: Wed, 04 Dec 2002 14:20:01 +0100
First, have a look at my IP address to remove possible bias ;-)

Second, @stake made some extended research on VLAN hopping against a Catalyst switch. They were unable to actually hop between VLANs on a well configured switch. See their paper on: http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf

Having said this, I've seen two different points of view:
- misconfiguration happens: an Infosec or network operator can make a mistake in the VLAN configuration
- the probability of a faulty switch configuration by an educated network/infosec operator is less than the probability of wrong cable patching in the datacom room by an uneducated engineer.

I guess that the decision really belongs to _your_ security policy and requirements.

Hope it helps

-eric

At 11:30 27/11/2002 +1100, Steffen Kluge wrote:
Hi everyone,

I'd like to solicit your opinion on the popular trend of equipping firewalls with (almost) arbitrary numbers of interfaces by means of VLAN trunking. Many FW vendors (including Nokia, NetScreen, and the like) are going down that path.

My concern is that the "fan-out" boxes are typically run-of-the-mill switches, like Cisco Catalysts, that probably have been designed without any security aspirations. I wouldn't be surprised if those switches could be attacked and tricked into leaking packets between VLANs. Are there any studies devoted to this issue, or reports of successful attacks against 802.1q separation that I should be aware of?

In our environment we use firewalls with rather large numbers of interfaces (typically 15 ~ 25), mostly based on Xylan switches running FW-1. This product line has disappeared now and all alternative solutions seem to be relying on VLAN trunking. I'm not comfortable with the idea yet, but I wasn't comfortable with the Xylan switches in the beginning, either. I'd like to think I'm too paranoid, but then, that's my job...

Cheers
Steffen.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards