Adam,

Lucent's VPN Firewall can certainly provide the segregation you are looking for. We have customers using it in production right now with 6509s to provide virtual firewalls segregated by VLAN.

Note that it is crucial to ensure with the switch vendor and through independent that the VLANs cannot be "hopped" by abusing the 802.1Q protocol. (Past bugs have been corrected by most vendors.) Opponents of this architecture express concerns about misconfiguration and bugs allowing VLANs to be crossed by malicious intruders, so it is important to make yourself comfortable with your switch software as well as its configuration before it is put into production.

There are only a few firewalls that support 802.1Q VLAN tags natively. For an independent review, check out the recent Network Computing article at: http://www.networkcomputing.com/1223/1223f5.html

Hope this information helps!

Best,
-David J. Cavuto

---------------------------
David J. Cavuto, CISSP.
Lead Engineer, Lucent VPN Firewall
Lucent Technologies
c a v u t o (at) l u c e n t (dot) c o m
http://www.lucent.com/security
---------------------------

Subject: An obvious mystery to me... VLAN trunking on firewall
Date: Thu, 20 Dec 2001 10:55:43 -0700
From: "Adam Hudson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Cc: "Aaron Shilts (Aaron Shilts)" <[EMAIL PROTECTED]>

I am in search of an effective method of trunking (802.1q or ISL) traffic from a firewall to a Cisco 6509 platform (or any switch for that matter). It would be highly desirable to have a firewall (preferably CheckPoint/Nokia) in place that could interface to the switch on one or more links and perform VLAN communication (gig or copper). This would allow me to create many virtual segments for the firewall to deal with, without consuming large quantities of physical interfaces and expenses.

Perhaps the industry already has a solution available that I just have not heard of or come across yet? Is there any good hardware around that will perform this need?

I have several clients that would benefit from this functionality nicely, since they run many different private WAN connections and have the need to isolate them with switch port level security, layer-3 and firewall evaluation before entering the main sections of the network.

Obviously, this could be done with elaborate access lists and firewall IOS features in the MSFC cards, but having the control in Firewall-1 would be a lot easier on administration.

Adam Hudson
Networking and Security Consultant
Office 720-348-0564
Fax 720-294-0778

--
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
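One concrete way to act on the VLAN-hopping caveat raised in the thread is to verify, from a capture on the firewall's trunk link, that only single-tagged frames for the expected VLANs arrive. The following is an added example, not code from Lucent, Check Point or either poster: it decodes stacked 802.1Q tags from raw Ethernet frames and flags double-tagged, untagged, native-VLAN-tagged or unexpected-VLAN frames. The allowed VLAN set, the native VLAN 999 and the test frames are constructed assumptions.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # standard 802.1Q tag
ETHERTYPE_8021AD = 0x88A8  # QinQ outer tag; walked the same way


def parse_dot1q_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame,
    consuming every stacked 802.1Q/802.1ad tag after the 12-byte MAC header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12
    vlan_ids = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        if len(frame) < offset + 6:  # need TCI (2) plus the next EtherType (2)
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vlan_ids, ethertype


def check_frame(frame: bytes, allowed_vlans: set, native_vlan: int) -> str:
    """Classify a frame seen on the firewall trunk: 'ok' or why it is suspicious."""
    vlan_ids, _ = parse_dot1q_tags(frame)
    if len(vlan_ids) > 1:
        return "suspicious: stacked tags %s" % vlan_ids
    if not vlan_ids:
        return "suspicious: untagged frame on trunk"
    vid = vlan_ids[0]
    if vid == native_vlan:
        return "suspicious: tagged with native VLAN %d" % vid
    if vid not in allowed_vlans:
        return "suspicious: VLAN %d not in allowed list" % vid
    return "ok"


def build_frame(vlan_ids, payload_ethertype=0x0800) -> bytes:
    """Constructed test frame: dst/src MAC, one 802.1Q tag per VLAN ID, stub payload."""
    hdr = bytes.fromhex("00112233445566778899aabb")
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return hdr + tags + struct.pack("!H", payload_ethertype) + b"\x00" * 46


if __name__ == "__main__":
    policy = {"allowed_vlans": {10, 20}, "native_vlan": 999}  # assumed trunk policy
    for vids in ([10], [1, 20], [999], [], [30]):
        print(vids, "->", check_frame(build_frame(vids), **policy))
```

Feed real frames from a packet capture to check_frame to audit what actually crosses the trunk, rather than relying on the switch configuration alone.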
