thoughts below
--
Jack Coates, Rainfinity SE
t: 650-962-5301 m: 650-280-4376
On Fri, 14 Jul 2000, stcost - Steve Costaras wrote:
>
> I've thought of similar issues concerning the hopping of VLANs.
> However the problem I face is having something like 200 segments
> (each segment can have well over 1000 IPs, 4 class Cs supernetted).
>
> The issues I see are:
>
> High Availability is a must. (2-3 FW's w/ Stonebeat)
>
Are you sure you want to rely on a broadcast (multicast with
SBFC) technology for this level of traffic? You'll have no room to scale
past 1 interface worth of traffic (1GB in this case, or the top of your
future growth scale).
> Security should be as high as we can get it to keep
> each segment from each other.
>
Agreed. Have you considered a more hierarchical structure? For instance,
Aaron suggests grouping hosts by 5's. If that's not feasible or in
addition to doing that, you might group every 100 Mbps into a cluster of
two or three smaller firewalls, which in turn feed a cluster of faster
firewalls. This would also let you divide and conquer in terms of policy,
network objects, &c.
> Maintenance should be low for day-to-day ops (including
> such things as server failure. Ideally for a 2nd
> level tech to handle. 3rd level reserved for
> the creating of new deployments).
>
More clusters would equal higher maintenance, at least for your level
2's. Of course it would also minimize impact of mistakes.
> Able to expand to handle all our client/divisional segments.
> currently around 200 of various sizes.
>
> Handle at least 500Mbit throughput up to a GBit for future
> growth.
>
> Not break the bank in cost.
>
>
> What I was thinking now with the knowledge that 802.1q is not supported
> by either Checkpoint or Sun would be:
>
> Two Cisco 6500's w/ RSM modules (I keep forgetting the new name for the
> module for the 6500 but same thing).
MSM.
> Each client/division would have its own VLAN. For more redundancy dual
> home each client/division router to both 6500's in case one dies.
>
> Have the 6500's policy route to two or three E450's. The firewalls would
> be attached via a GBit Ethernet to the 6500's.
>
> True you can hop VLANs but with the policy route in place everything
> should end up at the FW anyway.
>
That should bar directed attacks against other boxes but wouldn't bar
snooping. Would it bar an attack against the IOS? I don't remember if you
can stealth IOS, but I doubt it.
>
> Steve
>
>
>
>
> -----Original Message-----
> From: Aaron Turner [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 13, 2000 18:44
> To: stcost - Steve Costaras
> Cc: Dominik Weis; [EMAIL PROTECTED]
> Subject: RE: [FW1] FW1 / Solaris w/ 802.1Q (VLAN) Support?
>
>
>
> A few things of varying quality (or lack thereof) come to my mind:
>
> 1) If you feel that you need that much security, then using a single switch
> for this is probably a bad idea. It's a general belief in the security
> community that VLANs provide you a lot less security than the switch
> manufacturers would like you to believe. It actually doesn't take that
> much work to get packets to jump between VLANs in most cases. Search the
> Bugtraq archives for VLAN or 802.1Q and you'll find someone who was able
> to use the protocol to jump VLANs on a Cisco switch. I followed this
> issue closely for quite some time; the last I heard, Cisco blamed the
> 802.1Q spec itself rather than a bug in their implementation of it.
>
> 2) Last I checked, Checkpoint didn't actually support multiple IPs per
> interface. It does work in most cases, but it can cause problems.
> You'd probably be the only person in the world to run 200 IPs on the same
> interface using Firewall-1. If you used a single class C for all the
> systems, then you'd open yourself to gratuitous ARP attacks.
>
> 3) Consider the Checkpoint SecuServer software. With that you can enforce
> a security policy from the firewall management software onto the
> workstations. Not exactly cheap for 200 copies, but it would work. You
> might be able to work out some volume discount. Depending on the amount
> of traffic you'd be using, you might be able to do SecurClient but you'd
> be really limited to the total bandwidth due to the encryption.
>
> 4) Consider a cluster of firewalls with a Gigabit backbone running between
> them and loading them all up with quad cards. I'm sure more expensive
> than option #3, but should be cheaper than an E10K and it would let you do
> your original idea of individual VLANs.
>
> 5) Do host-based security on each workstation so you don't have to
> protect them from each other, or possibly group them in groups of 5. That
> way you can limit your exposure to only 4 other systems should one
> workstation go bad.
>
>
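As an added example, not written by anyone in this thread, here is a small Python inspector for the two problems Aaron raises, stacked 802.1Q tags arriving from a host port and gratuitous ARP on a shared segment, run over constructed frames; the MACs, addresses and VLAN ids are made up.

```python
import struct
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Constructed test frame: dst/src MACs, zero or more stacked 802.1Q tags, payload."""
    hdr = dst + src
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # TCI with PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload

def build_arp(op, sha, spa, tha, tpa):
    """Constructed ARP body (Ethernet/IPv4): htype=1, ptype=0x0800, hlen=6, plen=4."""
    return struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op) + sha + spa + tha + tpa

def parse_frame(raw):
    """Walk stacked 802.1Q tags; return (vlan_ids, inner ethertype, payload)."""
    off, tags = 12, []
    ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    while ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", raw[off + 2:off + 4])[0]
        tags.append(tci & 0x0FFF)
        off += 4
        ethertype = struct.unpack("!H", raw[off:off + 2])[0]
    return tags, ethertype, raw[off + 2:]

def inspect(raw):
    """Findings for one frame seen on a host-facing (access) port."""
    tags, ethertype, payload = parse_frame(raw)
    findings = []
    if len(tags) > 1:  # a host should never send nested tags into an access port
        findings.append("double-tagged frame: outer vlan %d, inner vlan %d" % (tags[0], tags[1]))
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        spa, tpa = payload[14:18], payload[24:28]
        if spa == tpa:  # sender announces the address it is asking about
            findings.append("gratuitous ARP for %s" % ".".join(str(b) for b in spa))
    return findings

# Constructed sample traffic; MACs and addresses are made up.
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST, IP_GW = b"\xff" * 6, bytes([192, 168, 10, 254])
NORMAL = build_frame(HOST_B, HOST_A, [10], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
DOUBLE_TAGGED = build_frame(HOST_B, HOST_A, [10, 20], ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
GRAT_ARP = build_frame(BCAST, HOST_A, [10], ETHERTYPE_ARP,
                       build_arp(2, HOST_A, IP_GW, BCAST, IP_GW))
if __name__ == "__main__":
    for name, frame in (("normal", NORMAL), ("double", DOUBLE_TAGGED), ("grat-arp", GRAT_ARP)):
        print(name, inspect(frame) or ["ok"])
```

Gratuitous ARP is also sent legitimately, for instance by HA failover products such as the Stonebeat setup Steve mentions, so in practice the alert should fire on a known address changing sender MAC rather than on every gratuitous ARP.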
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================