First out, I must say I am impressed that you didn't just 
flame me right back, considering my mood at the time :)

Diederik Schouten wrote:
> 
> Seems like your routed firewall is not just routing isn't it?
> Your devices on eth0 are able to reach the hosts on eth1 I suppose?

Definitely.

> That makes it a combined routing/bridging firewall...

No, it makes it a proxy-ARPing firewall.

> Can I ask which one you are using?

Ours? :)
<Ouch damnit, I did it again, didn't I? Just flame me, mkay?>


> [on traceroute]
> I'm not talking about blocking a protocol.
> When the firewall is not a hop, it doesn't show up.

True, but you usually want to block all inbound traceroutes
(firewalks) through a firewall?
(Also see stuff about local firewall vulnerabilities below.)


> > Nmap will tell me it is there in about 10 seconds. I betcha its
> > signature sticks out like a sore thumb too.
> 
> I betcha it won't.
> What ports would NMAP check to see if it's there?

All, if I told it to :)

> How to decide what/where a device is when it does not 
> respond to anything?

It doesn't respond to ARPs for its management IP? *boggle* :)

(Yes, I'm assuming management IP living on connected networks.
If not, I can counter with routing firewalls having a separate
management interface.)


> [on VLANs]
> And still... where would the "intruder" need to be to break you VLAN
> security? At least his trojan needs to be located on the same LAN...

I was sort of thinking of a trunk between the firewall out to 
a switch which has hard-coded VLAN tagging/untagging per port,
which, to my mind, is the most common use for VLANs in a 
firewalled environment.  On the (erroneous?) assumption that 
your VLANs will be enough to separate different security
zones.  But this belongs in the "VLANs and security" thread :)


> I'm not sure if your firewall is doing proxy arp, but I suppose 
> so, I prefer layer2 bridging over proxy arp any time.

Why? (Sans the "I can see your MAC address" argument. See below)

> More important than bridged vs routed is how secure the firewall really is.

I agree.

The added obscurity of a bridged firewall _MAY_ add a tiny bit
of security if the firewall itself is susceptible to attack.
(Read: built on top of general-purpose OS, or sucks in general)

But considering the case of a well-built routing firewall, where 
"access to the firewall itself" translates roughly to
  if destip==local_mgmtip
    if is_allowed_manager_srciface(srciface)
      if is_allowed_manager_ip(srcip)
        pass_to_mgmt_subroutines;
at some point well past the ruleset lookup, I really don't see
where the difference is. 

Here's something for you to chew on: If one can't trust the
firewall's packet processing, isn't it possible to argue that
bridged firewalls are even WORSE off than routing ones, given
that they pick up every single packet on the LAN?  I don't even 
have to _know_ where the firewall is in order to fire at it! :)


/Mike, looking to spark some new debate after having had Paul
       run rough-shod over him

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
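The two points Mike makes above, that on a routing firewall management access is only reached after the ruleset lookup and behind interface and source-address gates, and that a bridging firewall hands every frame on the wire to its packet processing, modelled as an added Python example. This is not code from the original post or from Clavister; the MAC addresses, IP addresses, interface names, rules and sample traffic are all constructed for illustration, and the `Frame`, `RoutingFirewall`, `BridgingFirewall` and `run_demo` names are assumptions of this example.

```python
"""Model of which frames reach a firewall's own packet processing on a
routing (proxy-ARP) firewall versus a transparent layer-2 bridge.
Added example; all addresses, rules and traffic below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    iface: str      # interface the frame arrived on
    dst_mac: str    # layer-2 destination
    src_ip: str
    dst_ip: str
    dst_port: int


class RoutingFirewall:
    """Routed/proxy-ARP firewall: the NIC hands up only frames addressed to
    the firewall's own MAC (or broadcast).  Management access is decided
    after the ruleset lookup, with a source-interface gate and then a
    source-address gate, in that order."""

    def __init__(self, mac, mgmt_ip, manager_ifaces, manager_nets, rules):
        self.mac = mac
        self.mgmt_ip = ip_address(mgmt_ip)
        self.manager_ifaces = set(manager_ifaces)
        self.manager_nets = [ip_network(n) for n in manager_nets]
        self.rules = rules          # list of (src_net, dst_net, port, action)
        self.parsed = 0             # frames that reached packet processing

    def nic_accepts(self, f):
        return f.dst_mac in (self.mac, BROADCAST_MAC)

    def lookup(self, f):
        # First matching rule wins; no match means drop.
        src, dst = ip_address(f.src_ip), ip_address(f.dst_ip)
        for src_net, dst_net, port, action in self.rules:
            if (src in ip_network(src_net) and dst in ip_network(dst_net)
                    and port in (None, f.dst_port)):
                return action
        return "DROP"

    def process(self, f):
        if not self.nic_accepts(f):
            return "IGNORED"            # never reaches packet processing
        self.parsed += 1                # from here on the parser is exposed
        if self.lookup(f) == "DROP":
            return "DROP:rule"
        if ip_address(f.dst_ip) != self.mgmt_ip:
            return "FORWARD"            # ordinary transit traffic
        if f.iface not in self.manager_ifaces:
            return "DROP:mgmt-iface"    # right address, wrong side
        if not any(ip_address(f.src_ip) in n for n in self.manager_nets):
            return "DROP:mgmt-ip"       # right side, unapproved source
        return "MGMT"                   # hand to management subroutines


class BridgingFirewall(RoutingFirewall):
    """Transparent bridge: the NIC is promiscuous, so every frame on either
    segment is parsed before the bridge decides whether to forward it,
    including host-to-host traffic that never needed the firewall at all."""

    def nic_accepts(self, f):
        return True


def run_demo():
    fw_mac = "00:11:22:33:44:55"
    rules = [  # constructed ruleset
        ("10.0.0.0/24", "192.168.1.0/24", 80, "ALLOW"),   # inside -> DMZ web
        ("0.0.0.0/0", "10.0.0.1/32", 22, "ALLOW"),        # SSH to the mgmt IP
    ]
    traffic = [  # constructed sample frames
        Frame("eth0", fw_mac, "10.0.0.7", "192.168.1.10", 80),  # transit
        Frame("eth0", fw_mac, "10.0.0.7", "10.0.0.1", 22),      # admin to mgmt
        Frame("eth1", fw_mac, "192.168.1.10", "10.0.0.1", 22),  # from DMZ side
        Frame("eth0", "aa:bb:cc:dd:ee:01", "10.0.0.7", "10.0.0.9", 445),  # host-to-host
        Frame("eth0", fw_mac, "172.16.0.5", "10.0.0.1", 22),    # spoofed source
    ]
    results = {}
    for name, cls in (("routing", RoutingFirewall), ("bridge", BridgingFirewall)):
        fw = cls(fw_mac, "10.0.0.1", {"eth0"}, ["10.0.0.0/24"], rules)
        verdicts = [fw.process(f) for f in traffic]
        results[name] = {"verdicts": verdicts, "parsed": fw.parsed}
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r["parsed"], "frames parsed:", r["verdicts"])
```

The routing model never parses the host-to-host frame on eth0 because the NIC does not pick it up, while the bridge parses all five frames and only then decides it has nothing to do with the fourth one; that is the "they pick up every single packet on the LAN" argument in code. The remaining verdicts show the management gates firing in the order the message describes: ruleset first, then interface, then source address.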