If the ports of a bridging firewall are separated only by VLANs on a single switch, then if the switch can be compromised such that the VLAN separation collapses, it could be possible to bypass the bridging firewall entirely. Since the IP network is the same on both sides of the bridging firewall, the transparent bridging firewall transparently disappears.

In other words, the switch itself is a single point of security failure. It is not necessary to compromise the firewall. With the use of a routing firewall, it would still be necessary to compromise both the switch (to bypass the firewall) and the border router (to route to the inside). Non-transparency becomes a security feature. Either way, these attacks are purely hypothetical and would potentially require gaining configure privileges on these devices. However, it may be an easier task than breaking the firewall.

At 02:58 AM 4/16/2002, Schouten, Diederik (Diederik) wrote:
> > 1) different switch on each side of the firewall
> > 2) different switch on each side of the firewall,
> >    accidentally cabled together
> > 3) single switch connects both sides of the firewall,
> >    accidentally no VLAN separation
> > 4) single managed switch connects both sides of the firewall,
> >    separated by VLAN
> >
> > 1) Only penetration attack is to break the firewall
> > 2) If a bridging firewall is in use then the switches
> >    short-circuit the firewall and the network is wide open.
> >    If a routing firewall is in use, a successful attack
> >    requires the internet router's inside interface to be
> >    reconfigured to use an address on the firewall's internal
> >    network. If the router's inside address is not
> >    reconfigured, return packets from the inside would still
> >    traverse the firewall, which should discard them
> >    (wrong state).
> > 3) exactly the same as #2.
>
> If you break a bridging firewall, it just blocks all, it stops
> the bridging.

As noted above, it would not be necessary to break the firewall if it could be simply bypassed. However, if the bridging firewall were used in place of a switch, this is a different and far more secure architecture. Connecting the router directly to the firewall removes the hypothetical vulnerability of an attack on the interconnect infrastructure - unless someone starts making a crossover cable with integrated VLANs. :-)

> > 4) With a bridging firewall, the attacker can penetrate by
> >    breaking the switch (assuming remotely-exploitable vulnerabilities).
> >    With a routing firewall, attacker must break both the router and
> >    the switch. Same router configuration applies as for #2.
>
> A bridging firewall will still check VLAN tags, host ranges assigned
> per VLAN, zones assigned per interface, VLANs per zone etc.
>
> Breaking the switch will not break the firewall.

Bypassing the firewall by breaking the switch doesn't require breaking the firewall itself.

> > So... are routing firewalls more secure than bridging ones in this
> > example? I think examples #2 and #3 are more likely than someone
> > accidentally connecting and configuring a new router which
> > short-circuits the firewall.
>
> I agree with situation #2 only.

I believe I've shown examples where #3 and #4 can be collapsed into #2.

Regards,
-Jim
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
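The four interconnect scenarios argued over in the thread, written up as a small minimal-cut-set model (an added example, not code from the list or either poster); the scenario encoding and the two bypass conditions (an L2 join between the firewall's segments, plus a reconfigured border router when the firewall routes) are assumptions taken from the discussion above.

```python
from itertools import combinations

# Per scenario: do the firewall's outside and inside segments already share one
# L2 domain with no attack at all, and is there a single switch whose VLAN
# separation collapses if an attacker gains configure privileges on it?
SCENARIOS = {
    1: {"joined": False, "switch_joins_if_owned": False},  # separate switches
    2: {"joined": True,  "switch_joins_if_owned": False},  # switches miscabled together
    3: {"joined": True,  "switch_joins_if_owned": False},  # one switch, no VLANs
    4: {"joined": False, "switch_joins_if_owned": True},   # one switch, VLAN-separated
}
DEVICES = ("switch", "router")  # the interconnect devices an attacker might own

def l2_joined(scenario, owned):
    """True if outside and inside segments form one broadcast domain given
    the attacker-controlled devices in `owned`."""
    s = SCENARIOS[scenario]
    return s["joined"] or (s["switch_joins_if_owned"] and "switch" in owned)

def bypassed(scenario, fw_type, owned):
    """True if Internet traffic can reach the inside segment without ever
    traversing the firewall (the firewall itself is assumed unbroken)."""
    if not l2_joined(scenario, owned):
        return False      # the firewall is the only path between the segments
    if fw_type == "bridging":
        return True       # same IP net on both sides: router already reaches inside
    # Routing firewall: inside is a different IP net, so the border router must
    # be reconfigured with an inside address, i.e. it must be compromised too.
    return "router" in owned

def minimal_cut_sets(scenario, fw_type):
    """All minimal sets of devices whose compromise bypasses the firewall.
    An empty frozenset means the network is open with no attack at all."""
    found = []
    for k in range(len(DEVICES) + 1):
        for combo in combinations(DEVICES, k):
            owned = frozenset(combo)
            if bypassed(scenario, fw_type, owned) and not any(f <= owned for f in found):
                found.append(owned)
    return found

if __name__ == "__main__":
    for sc in SCENARIOS:
        for fw in ("bridging", "routing"):
            sets = minimal_cut_sets(sc, fw)
            print(f"#{sc} {fw:8}: {[sorted(s) for s in sets] or 'no bypass'}")
```

Run stand-alone it lists, per scenario and firewall type, which devices must fall before the firewall is bypassed; the output makes Jim's point that #3 and #4 collapse into #2 for a bridging firewall, while a routing firewall adds the router to every cut set.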
