Jim MacLeod wrote:
> 
> [one single VLAN switch connecting both int and ext getting r00ted]
> Since the IP network is the same on both sides of the bridging
> firewall, the transparent bridging firewall transparently disappears.

Here is where I need to do my spin-around-and-stab-myself-in-the-back
act:

The same is true of routing firewalls with proxy ARPing enabled.
To make matters a bit worse, it is, AFAIK, quite common to use
proxy ARP to transparently plug routing firewalls into an
existing network (we're talking small/medium sized places here), 
rather than have to call your ISP and ask for a new stub network 
between their router (which you have zero access to) and the 
firewall, something which may well take up to 48 hours 
with some ISPs. And that's not taking week-ends into account.

The only advantage for the routing firewall with proxy ARP enabled
is that it'll take a couple more minutes for all the ARP caches to 
update, during which, one or two clued people on the protected
network may realize what is going on and react. (Shyeah right :P)


> Either way, these attacks are purely hypothetical and would potentially
> require gaining configure privileges on these devices.  However, it may be
> an easier task than breaking the firewall.

Nah. Poor understanding of how VLANs work and a sleepy/stressed out
admin is all it takes. That, or a piss-poor VLAN implementation
in the switch. Or both.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
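As an added illustration of the point above about ARP caches re-learning the gateway once something else starts answering for it (this is not code from the original post or its author): an arpwatch-style check that flags when a different MAC begins answering for a watched IP. The input is constructed sample text in the shape of `tcpdump -n arp` output, and the 192.0.2.x addresses and MACs are assumed values.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines in the shape of `tcpdump -n arp` output; not captured
# from any real network. 192.0.2.1 plays the gateway IP the firewall answers for.
SAMPLE_TCPDUMP = """\
10:00:00.000100 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
10:00:00.000350 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 28
10:00:30.000200 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:01, length 28
10:01:00.000900 ARP, Reply 192.0.2.50 is-at 00:11:22:33:44:50, length 28
10:01:30.000400 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:AA, length 28
10:02:00.000700 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:aa, length 28
"""

# Matches only ARP Reply lines: timestamp, sender IP, sender MAC.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text: str) -> List[Tuple[str, str, str]]:
    """Extract (timestamp, ip, mac) from ARP Reply lines; requests and other
    lines are ignored. MACs are normalised to lower case so that case
    differences alone never look like a change of hardware address."""
    out: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower()))
    return out


def detect_arp_flips(replies: Iterable[Tuple[str, str, str]],
                     watched_ips: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return one (timestamp, ip, old_mac, new_mac) alert for every time the
    MAC answering for a watched IP differs from the last one seen for it."""
    bindings: Dict[str, str] = {}
    alerts: List[Tuple[str, str, str, str]] = []
    for ts, ip, mac in replies:
        if ip not in watched_ips:
            continue
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, ip, prev, mac))
        bindings[ip] = mac
    return alerts


if __name__ == "__main__":
    for ts, ip, old, new in detect_arp_flips(parse_arp_replies(SAMPLE_TCPDUMP), {"192.0.2.1"}):
        print(f"{ts} {ip} now answered by {new} (was {old})")
```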