Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: Jonn Martell <jonn.martell () ubc ca>
Date: Wed, 27 Nov 2002 17:08:06 -0800 (PST)
Additional things to watch out for: IVL/SVL.

With SVL (shared VLAN learning) a MAC address cannot show up on two different VLANs without causing problems. If you are going to do this, make sure your VLAN switch supports IVL (independent VLAN learning).

You also need to keep management of your switch locked down to prevent someone from changing the VLAN settings.

On 27 Nov 2002, Steffen Kluge wrote:
Date: 27 Nov 2002 11:30:44 +1100
From: Steffen Kluge <kluge () fujitsu com au>
To: "'firewall-wizards () honor icsalabs com'" <firewall-wizards () honor icsalabs com>
Subject: [fw-wiz] Firewalls and 802.1q trunking
Hi everyone,
I'd like to solicit your opinion on the popular trend of
equipping firewalls with (almost) arbitrary numbers of interfaces
by means of VLAN trunking. Many FW vendors (including Nokia,
NetScreen, and the like) are going down that path.
My concern is that the "fan-out" boxes are typically run-of-the-mill
switches, like Cisco Catalysts, that probably have been designed without
any security aspirations. I wouldn't be surprised if those switches
could be attacked and tricked into leaking packets between VLANs.
Are there any studies devoted to this issue, or reports of successful
attacks against 802.1q separation that I should be aware of?
In our environment we use firewalls with rather large numbers of
interfaces (typically 15 ~ 25), mostly based on Xylan switches running
FW-1. This product line has disappeared now and all alternative
solutions seem to be relying on VLAN trunking.
I'm not comfortable with the idea yet, but I wasn't comfortable with
the Xylan switches in the beginning, either. I'd like to think I'm too
paranoid, but then, that's my job...
Cheers
Steffen.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
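The SVL/IVL point in the reply above, as an added simulation that is not code from the original thread or from any switch vendor: a toy learning bridge whose forwarding table is keyed on MAC alone (SVL) versus on (VLAN, MAC) (IVL), exercised with a constructed dual-homed firewall that reuses one MAC address on two access ports in different VLANs. Port numbers, VLAN ids and MAC labels are made up for the illustration.

```python
"""Learning-bridge simulation: shared (SVL) vs independent (IVL) VLAN learning."""
from dataclasses import dataclass


@dataclass
class Frame:
    vlan: int      # VLAN the frame belongs to (tag or access-port VLAN)
    src: str       # source MAC (label, constructed)
    dst: str       # destination MAC (label, constructed)
    in_port: int   # port the frame arrived on


class Switch:
    """Toy VLAN switch. port_vlans maps port -> set of VLANs that port carries."""

    def __init__(self, port_vlans, mode="IVL"):
        self.port_vlans = port_vlans
        self.mode = mode
        self.table = {}  # learning table: key -> port

    def _key(self, vlan, mac):
        # SVL: one table shared by all VLANs, keyed on MAC only.
        # IVL: a table per VLAN, modelled here as a (vlan, mac) key.
        return mac if self.mode == "SVL" else (vlan, mac)

    def forward(self, frame):
        """Learn the source MAC, then return the set of egress ports for the frame."""
        self.table[self._key(frame.vlan, frame.src)] = frame.in_port
        port = self.table.get(self._key(frame.vlan, frame.dst))
        members = {p for p, v in self.port_vlans.items()
                   if frame.vlan in v and p != frame.in_port}
        if port is None:
            return members                     # unknown unicast: flood within the VLAN
        if frame.vlan not in self.port_vlans.get(port, set()):
            return set()                       # egress filter: learned port is not in this VLAN
        return {port} if port != frame.in_port else set()


def dual_homed_firewall(mode):
    """Firewall uses MAC 'fw' on port 1 (VLAN 10) and port 2 (VLAN 20).
    Host 'h10' on port 3 (VLAN 10) then sends to the firewall. Returns the
    egress ports chosen for that frame: {1} is correct, set() is a black hole."""
    sw = Switch({1: {10}, 2: {20}, 3: {10}, 4: {20}}, mode)
    sw.forward(Frame(10, "fw", "h10", 1))      # firewall seen in VLAN 10 via port 1
    sw.forward(Frame(20, "fw", "h20", 2))      # same MAC seen in VLAN 20 via port 2
    return sw.forward(Frame(10, "h10", "fw", 3))


if __name__ == "__main__":
    for mode in ("IVL", "SVL"):
        print(mode, "->", dual_homed_firewall(mode))
```

Under SVL the second sighting of `fw` overwrites the first, so the VLAN 10 frame is steered at a port that is not in VLAN 10 and is dropped (or, on a switch without egress filtering, handed into VLAN 20); under IVL the two entries coexist and the frame reaches port 1.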
