A few other things to be aware of depending on the bridge vendor: The 802.1Q spec defines two modes of forwarding databases, shared and independent. With a shared database all VLANs use a single forwarding database. It is possible in this situation for a port to be moved from one VLAN to another and keep its forwarding database intact - thus allowing traffic between VLANs for this MAC address. Be sure that you understand the forwarding database structure of the bridge in use. Some support only shared, others support only independent and still others are configurable for either mode.

Also in 802.1Q there is a protocol called GARP VLAN Registration Protocol (GARP - Generic Attribute Registration Protocol defined in 802.1D). If this is enabled and/or supported on your bridge and some ill-intentioned person is aware of its operation they could potentially make the ports attached to your firewalls members of multiple VLANs - VLAN tagged frames would have to be supported at the firewall for this to be an issue.

In general bridge VLANs are tight, but be aware of their operation as it pertains to the bridge vendor. Load testing was an excellent suggestion.

I work for Cisco but do not (at least not yet) work on bridging products and this should not be construed as the "Cisco Line". Just a little disclaimer to make me feel better.

Good luck,
Andy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Nagy
Sent: Monday, November 27, 2000 6:25 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: multiple VLANs in same physical chassis and firewall integration

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 28 November 2000 4:46
> To: [EMAIL PROTECTED]
> Subject: multiple VLANs in same physical chassis and firewall integration
>
> Here's an interesting network/firewall integration issue that I am seeing
> pop up in multiple areas.
>
> One Cisco switching chassis, a two ported firewall, and two VLANs. One
> VLAN considered untrusted, one considered trusted; X firewall plugged into
> each of these logical VLANs with untrusted interface plugged into untrusted
> VLAN port, etc. In what way is this secure?

This should be an FAQ.

> I am not fond of this setup, but can this be documented secure?

Folks hereabouts aren't too fond of it either. The general consensus is that "VLANs were not intended to be a security solution - don't use them as such".

> Can anyone claim to have circumvented the logical partitioning the VLANs
> provide (short of having physical access and moving cables or gaining
> administrative access to the switch and reprogramming).

OK - without just relying on rhetoric, the key points where VLANs fail are:

- If the switch is overloaded, some leak traffic on all ports
- If there are any trunk ports in the VLAN, some tricks are sometimes possible (there is a Bugtraq post about a trunking issue on some Cisco hardware - go look for it)
- I've heard rumours that some switches can be fooled by simple manual tag spoofing (but I'd need to see that to believe it).

SO. If you have two VLANs with no trunking at all and you've load tested the switch and done tag spoofing, I guess you could consider it. It will still make people itchy though.

Having said that, lots of telcos are rolling out these sort of solutions for customers that want private networks - MPLS and virtual routers will make this sort of thing very attractive at the upper end and the paradigm is bound to filter down.

Personally, I think it's time for us (security people) to start thinking about the possibilities of using layer-2 devices to separate networks instead of air. Just because it's been bad in the past doesn't mean that it cannot be done securely as an architecture.

However, I do still advocate extreme caution - this is not a solution which is in line with dogma and so the consequences of a poor or ill-considered setup may be nasty if there's ever an external audit. Also note that most of the attacks against this sort of architecture involve access to layer-2 - not usually possible if you're building firewalls to protect from the Internet (although you must consider the risk of a two-stage attack).

> Looking for fodder to shoot this design spec down and physically separate
> the security domains or for respected background on the security of doing so.

I'm not sure which of those (if any) I just provided. ;)

> bc

Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
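As an added example (not from this thread or from either poster), the check that Ben's "tag spoofing" point and Andy's caveat that "VLAN tagged frames would have to be supported at the firewall" both point at: a small Python decoder for 802.1Q headers run over a capture taken on a firewall-facing port, reporting any frame that arrives carrying a VLAN tag the port is not supposed to see (stacked tags included). The frame builder, MAC addresses and VLAN IDs are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100   # customer tag (C-TAG)
TPID_8021AD = 0x88A8  # service tag (S-TAG) used by provider bridges
TAGGED_TPIDS = {TPID_8021Q, TPID_8021AD}

def parse_8021q(frame: bytes) -> dict:
    """Decode the Ethernet header plus every stacked 802.1Q/802.1ad tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, offset, tags = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside EtherType/TPID")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAGGED_TPIDS:
            break  # reached the payload EtherType (e.g. 0x0800 for IPv4)
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside an 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((ethertype, tci >> 13, tci & 0x0FFF))  # TPID, PCP, VID
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags, "ethertype": ethertype}

def unexpected_tags(frames, allowed_vids=frozenset()):
    """(index, src MAC, VID stack) for frames carrying a VID outside allowed_vids.

    A firewall-facing port should be an untagged access port, so allowed_vids
    is left empty there and every tagged frame, stacked tags included, is reported.
    """
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_8021q(frame)
        vids = [vid for _tpid, _pcp, vid in parsed["tags"]]
        if any(vid not in allowed_vids for vid in vids):
            hits.append((i, parsed["src"], vids))
    return hits

def build_frame(dst, src, vids, ethertype=0x0800):
    """Constructed sample frame: zero or more stacked C-TAGs, then a padded payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + bytes(46)

# Constructed capture from a firewall-facing access port: one untagged frame,
# one tagged for VLAN 10 and one with stacked tags (outer 10, inner 20).
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:01", []),
    build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:02", [10]),
    build_frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:03", [10, 20]),
]
```

Feeding the same function a trunk-port capture with `allowed_vids` set to the VLANs the trunk is meant to carry reports only frames tagged for anything else.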
