> 1) different switch on each side of the firewall
> 2) different switch on each side of the firewall,
>    accidentally cabled together
> 3) single switch connects both sides of the firewall,
>    accidentally no VLAN separation
> 4) single managed switch connects both sides of the firewall,
>    separated by VLAN
>
> 1) Only penetration attack is to break the firewall
> 2) If a bridging firewall is in use then the switches
>    short-circuit the firewall and the network is wide open.
>    If a routing firewall is in use, a successful attack
>    requires the internet router's inside interface to be
>    reconfigured to use an address on the firewall's internal
>    network. If the router's inside address is not
>    reconfigured, return packets from the inside would still
>    traverse the firewall, which should discard them
>    (wrong state).
> 3) exactly the same as #2.

If you break a bridging firewall, it just blocks all, it stops the bridging.

> 4) With a bridging firewall, the attacker can penetrate by
>    breaking the switch (assuming remotely-exploitable vulnerabilities).
>    With a routing firewall, the attacker must break both the router and
>    the switch. Same router configuration applies as for #2.

A bridging firewall will still check VLAN tags, host ranges assigned per VLAN, zones assigned per interface, VLANs per zone etc. Breaking the switch will not break the firewall.

> So... are routing firewalls more secure than bridging ones in this
> example? I think examples #2 and #3 are more likely than someone
> accidentally connecting and configuring a new router which
> short-circuits the firewall.

I agree with situation #2 only.

Sorry for not going into the VLAN discussion...

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
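The four cabling scenarios in the thread turn on one question: is the firewall the only crossing between the outside and inside segments, or does a switch (or a stray cable) give frames a way around it? The script below is an added example, not part of the original post or the mailing list, that models each scenario as a constructed L2 topology (a VLAN-separated managed switch is one node per VLAN) and reports whether a path from the router to an inside host exists that avoids the firewall. It models only the layer-2 path, which is what the bridging-firewall case turns on; the extra router reconfiguration the thread describes for a routing firewall is not modelled.

```python
from collections import deque

# Constructed sample topologies for the four cases discussed in the thread.
# Nodes are devices or broadcast domains; an edge is a cable or a port
# membership. A managed switch with VLAN separation is one node per VLAN,
# since frames do not cross VLANs without something routing between them.
TOPOLOGIES = {
    1: [("router", "switchA"), ("switchA", "fw"), ("fw", "switchB"),
        ("switchB", "host")],
    2: [("router", "switchA"), ("switchA", "fw"), ("fw", "switchB"),
        ("switchB", "host"),
        ("switchA", "switchB")],          # accidental cable between the switches
    3: [("router", "switch"), ("switch", "fw"), ("switch", "host")],  # flat switch
    4: [("router", "switch:vlan10"), ("switch:vlan10", "fw"),
        ("fw", "switch:vlan20"), ("switch:vlan20", "host")],
}

def adjacency(edges):
    """Undirected adjacency map built from an edge list."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def reachable(adj, src, dst, blocked=frozenset()):
    """Breadth-first search from src to dst that never enters a blocked node."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return False

def firewall_bypass(edges, outside="router", inside="host", firewall="fw"):
    """True if an L2 path from outside to inside exists that avoids the firewall,
    i.e. the firewall has been short-circuited."""
    return reachable(adjacency(edges), outside, inside, blocked={firewall})

def audit():
    """Map each scenario number to whether it short-circuits the firewall."""
    return {n: firewall_bypass(e) for n, e in TOPOLOGIES.items()}

if __name__ == "__main__":
    for n, bypass in audit().items():
        verdict = "BYPASS: firewall short-circuited" if bypass else "ok: firewall is the only crossing"
        print(f"scenario {n}: {verdict}")
```

Scenarios 2 and 3 report a bypass; 1 and 4 do not, matching the thread's point that VLAN separation restores the firewall as the only crossing.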
