The general answer is that VLANs aren't security tools, while VPNs are
(flawed though they may be, in their current implementations).  It's
particularly bad if you VLAN (yep, it's a verb, now :) in such a way as
to have VLANs that sit on both sides of a firewall, so that if a VLAN
can be jumped, a firewall can be jumped.  For example, if you're VLANing
for some type of traffic to go from fw A to fw C, but VLANing other
traffic so that it must be filtered by fw B, then you have to consider
the security risk that something might happen that causes traffic to
bypass B by using the A to C VLAN.  Exploits to jump VLANs do exist for
Cisco and other gear.

And with an L3 switch, if the VLANing is done purely based on L3 stuff
(tcp/udp port number, transport protocol), that's almost trivial for a
malicious individual to transport naughty traffic under guise of
something legit.  But really, anything you base your VLANs on isn't
secure, even fixing mac address to switch port.

The short answer is "no".  If you have traffic that needs privacy, use
encryption.  The VPN setups discussed aren't difficult to configure in
Firewall-1.

HTH,
Michael

Ivan Fox wrote:
> 
> Michael;
> 
> If these sites use L3 switches, would VLAN provide the same level of
> security as VPN?
> 
> Thanks,
> 
> ----- Original Message -----
> From: "Michael Batchelder" <[EMAIL PROTECTED]>
> To: "Ivan Fox" <[EMAIL PROTECTED]>
> Cc: "Firewall-Wizards@Nfr. Net" <[EMAIL PROTECTED]>;
> "Firewalls@Lists. Gnac. Net" <[EMAIL PROTECTED]>; "Firewall-1"
> <[EMAIL PROTECTED]>
> Sent: Tuesday, February 13, 2001 7:18 PM
> Subject: Re: [FW1] Can I setup a VPN this way?
> 
> > A clarification would be good, here.  Are you trying to send VPN traffic
> > from A, thru B, to C and back, or do you want to send traffic from A to
> > both B and C?  Either one is possible.  The latter scenario is the same
> > as the former scenario with the addition of an A->B VPN tunnel.  So you
> > just need to know, at most:
> >
> > 1) how to set up vpn tunnels between two firewalls
> > 2) how to pass vpn tunnels through a firewall
> >
> > I'll assume you want to do IPSec vpn, and not FWZ...
> >
> > For 1, consult the docs and Checkpoint's web site, or www.phoneboy.com.
> > There should be enough info and examples to do that.  For 2, to pass
> > IPSec through a fw, you need a rule on B to permit the appropriate IP
> > *protocol*, AH or ESP or both (probably just ESP).  Both protocols are
> > defined service objects, and are in the service group "IPSec".  You also
> > need to permit IKE if you're using it, which is UDP, port 500.  If
> > you're doing NAT at B, this gets a whole lot hairier...
> >
> > Michael
> >
> > Ivan Fox wrote:
> > >
> > > Let's say there are 3 sites in serial, i.e., A --> B --> C.  Each site has its
> > > own subnet and Check Point VPN-1.  Can I set up a continuous VPN using Check
> > > Point VPN-1 starting from A and ending at C?
> > >
> > > Any pointers are appreciated.
> > >
> > > Ivan
> > >
> >
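As an added example (not code from this thread or from Check Point), here is a small stateless model of the rules firewall B needs in the A --> B --> C case: ESP and AH are matched on IP protocol number with no port at all, IKE on UDP/500, everything else is denied, and a separate check flags the NAT-at-B case the reply calls hairier. The gateway addresses are constructed placeholders.

```python
# Added example: model firewall B's pass-through rules for an A->C IPSec
# tunnel and flag the NAT case.  Gateway addresses are constructed.
from dataclasses import dataclass
from typing import Optional

ESP, AH, UDP, TCP = 50, 51, 17, 6        # IANA IP protocol numbers
IKE_PORT = 500                           # IKE (ISAKMP) runs over UDP/500

GW_A, GW_C = "192.0.2.1", "203.0.113.1"  # constructed VPN gateway addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None          # only TCP/UDP carry a port


# Rules are (src, dst, proto, dport); None is a wildcard.  First match wins,
# and nothing matching falls through to the implicit deny.
RULES_B = [
    (GW_A, GW_C, ESP, None), (GW_C, GW_A, ESP, None),  # ESP: protocol, no port
    (GW_A, GW_C, AH, None),  (GW_C, GW_A, AH, None),   # AH: protocol, no port
    (GW_A, GW_C, UDP, IKE_PORT), (GW_C, GW_A, UDP, IKE_PORT),
]


def fw_b_permits(pkt: Packet) -> bool:
    """Return True if B's rule base lets the packet transit, else deny."""
    for src, dst, proto, dport in RULES_B:
        if (pkt.src == src and pkt.dst == dst and pkt.proto == proto
                and (dport is None or pkt.dport == dport)):
            return True
    return False


def nat_safe(pkt: Packet, nat_on_b: bool) -> bool:
    """ESP and AH carry no transport ports, so port-rewriting NAT at B has
    nothing to multiplex on, and AH also authenticates the IP header that
    NAT rewrites.  Flag IPSec packets as a problem whenever B does NAT."""
    return not (nat_on_b and pkt.proto in (ESP, AH))
```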