There's some convergence on the routing vs. bridging debate and the VLAN debate.
Consider what an attacker must do to bypass the firewall in the following scenarios. Note that I am deliberately ignoring DoS attacks as those are generally easy and don't leak information:

1) different switch on each side of the firewall
2) different switch on each side of the firewall, accidentally cabled together
3) single switch connects both sides of the firewall, accidentally no VLAN separation
4) single managed switch connects both sides of the firewall, separated by VLAN

Here are my answers. Note that in each case breaking the firewall will work. Also note that "attacker" can also be read as "confused admin misconfiguring equipment":

1) Only penetration attack is to break the firewall.
2) If a bridging firewall is in use then the switches short-circuit the firewall and the network is wide open. If a routing firewall is in use, a successful attack requires the internet router's inside interface to be reconfigured to use an address on the firewall's internal network. If the router's inside address is not reconfigured, return packets from the inside would still traverse the firewall, which should discard them (wrong state).
3) Exactly the same as #2.
4) With a bridging firewall, the attacker can penetrate by breaking the switch (assuming remotely-exploitable vulnerabilities). With a routing firewall, the attacker must break both the router and the switch. Same router configuration applies as for #2.

So... are routing firewalls more secure than bridging ones in this example? I think examples #2 and #3 are more likely than someone accidentally connecting and configuring a new router which short-circuits the firewall.

I think this also begs a question on the VLAN debate:

At 01:25 PM 4/15/2002, Mikael Olsson wrote:
>Overload the MAC<>port mapping tables of the switches on the
>internal lan, through the firewall. - Foolproof recipe for
>turning any switch into a hub (well, almost a hub -- it'll
>still run full duplex).
Will overloading the CAM table (or any other Layer 2 attack) on a switch with VLANs configured turn it into one big hub or will the VLAN mapping remain unaffected, resulting in many small hubs? For example, assume that ports 1-4 are on VLAN 1 and 5-8 are on VLAN 2, and that a router or firewall is required to route between the VLANs. If the MAC<->port table on the switch is overloaded, will traffic within VLAN 1 be visible on VLAN 2?

If VLAN integrity is maintained in the face of a L2 attack (as opposed to gaining management access to the switch), that could imply that VLANs are less insecure than the recent debate implies. It might further imply that the switch management itself must be compromised and the VLANs remapped or removed.

It may be safe to assume that using VLANs requires about as much security diligence as setting up the internet router. As long as management access is well-protected, there shouldn't be a problem.

Regards,
-Jim

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
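To make the CAM-table question concrete, here is a small toy model of a learning switch, added as an illustration and not part of the original post or any vendor's code. It models the standard forwarding rule: a frame whose destination is not in the table is flooded only to the other ports in the ingress port's VLAN, so a full table degrades the switch into one hub per VLAN rather than one big hub. It also models a per-port MAC learning limit of the kind offered as "port security" on managed switches, with a violation counter an operator would watch; the port layout (ports 1-4 in VLAN 1, 5-8 in VLAN 2), the table size, the MAC addresses and the aging behaviour are all constructed for the example.

```python
from collections import Counter


class Switch:
    """Toy learning switch with access-port VLANs and a bounded CAM table (constructed model)."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, port_vlan, table_size, max_macs_per_port=None):
        self.port_vlan = port_vlan              # port number -> VLAN id (access ports only)
        self.table_size = table_size            # total CAM capacity shared by all VLANs
        self.max_macs_per_port = max_macs_per_port  # port-security limit; None = disabled
        self.cam = {}                           # (vlan, mac) -> port
        self.violations = []                    # (port, mac) pairs refused by port security

    def _learn(self, vlan, mac, port):
        key = (vlan, mac)
        if key in self.cam:
            return
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_macs_per_port:
                self.violations.append((port, mac))  # would raise a port-security alert
                return
        if len(self.cam) >= self.table_size:
            return                              # table full: nothing new can be learned
        self.cam[key] = port

    def age_out(self):
        """Simulate entry aging by flushing the whole table (simplified)."""
        self.cam.clear()

    def forward(self, in_port, src, dst):
        """Return the set of egress ports for a frame entering on in_port."""
        vlan = self.port_vlan[in_port]
        self._learn(vlan, src, in_port)
        out = self.cam.get((vlan, dst))
        if out is not None and out != in_port:
            return {out}                        # known unicast destination
        # Unknown destination (or no entry because the table is full):
        # flood, but only to the other ports in the same VLAN.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}


def overflow_demo(max_macs_per_port=None):
    """Fill the CAM table from one VLAN-1 port and see where a VLAN-1 unicast ends up.

    Returns (egress ports for A->B, CAM entries, port-security violations).
    """
    ports = {p: 1 for p in range(1, 5)}         # ports 1-4: VLAN 1
    ports.update({p: 2 for p in range(5, 9)})   # ports 5-8: VLAN 2
    sw = Switch(ports, table_size=32, max_macs_per_port=max_macs_per_port)

    host_a, host_b, host_c = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "bb:bb:bb:bb:bb:05"
    sw.forward(1, host_a, Switch.BROADCAST)     # host A on port 1 (VLAN 1)
    sw.forward(2, host_b, Switch.BROADCAST)     # host B on port 2 (VLAN 1)
    sw.forward(5, host_c, Switch.BROADCAST)     # host C on port 5 (VLAN 2)
    sw.age_out()                                # entries expire; hosts must be relearned

    # A station on port 3 sends 100 frames with 100 distinct (constructed) source MACs.
    for i in range(100):
        sw.forward(3, f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", Switch.BROADCAST)

    sw.forward(2, host_b, Switch.BROADCAST)     # B re-announces itself
    egress = sw.forward(1, host_a, host_b)      # A sends a unicast to B
    return egress, len(sw.cam), len(sw.violations)


def per_port_counts(sw):
    """Helper for an operator's view: how many MACs each port has learned."""
    return Counter(sw.cam.values())


if __name__ == "__main__":
    print("no port security:", overflow_demo())          # ({2, 3, 4}, 32, 0)
    print("max 2 MACs/port: ", overflow_demo(2))         # ({2}, 4, 98)
```

Without a learning limit the table fills, B cannot be relearned, and A's unicast is flooded to ports 2, 3 and 4 but never to the VLAN-2 ports 5-8: the switch has become a hub within VLAN 1 only. With a two-address limit per port the flood from port 3 is refused after two entries, 98 violations are recorded for the port, B is learned normally, and the unicast goes to port 2 alone. Real switches differ in detail (hash buckets, per-entry aging, trunk ports), but the VLAN-bounded flooding rule is the same.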
