http://www.ISAserver.org
-------------------------------------------------------

Nice description on why you don't want to use VLAN segmentation as a security measure.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
Sent: Thursday, October 05, 2006 1:32 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Layer 3 and Firewall

Is it a BAD idea to have multiple logical segments of a Firewall connected to the same physical switch?

One of our customers has a Cisco 6509. All VLANs are Layer 2. The server segment and multiple User LANs are all terminated here on the same 6509. The default gateway for these Layer 2 VLANs is on the Checkpoint Firewall, so all access from the User LAN to the server segment is through the Firewall rulebase.

The threat I see is that if the network switch administrator wants to bypass the Firewall, he can just disconnect the Firewall links and make the VLANs Layer 3, and there is no security. After malicious activities he can very well connect the Firewall and revert back to Layer 2.

Is that a valid threat? Is it high risk? What controls are possible? Are multiple physical switches required?
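One detective control for the scenario the poster describes, written here as an added example and not part of the original thread or of any product discussed in it: a script that audits a Cisco IOS running-config (as pulled by a config-backup job) and flags the exact change the switch administrator would have to make to route around the firewall, namely bringing up SVIs with addresses on the firewall-gated VLANs and enabling IP routing. The VLAN numbers, the gateway addresses and both sample configs are constructed for the example; the "fail closed" rule that treats routing as enabled unless the config explicitly says `no ip routing` is the example's own assumption, chosen because platform defaults differ.

```python
"""Audit a Cisco IOS running-config for VLANs that were meant to be Layer 2 only
(default gateway on a firewall) but now have a live Layer 3 presence on the switch.

Example code added by the editor; not from the original thread. All addresses,
VLAN numbers and config text below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Expected default gateway (the firewall's address) on each firewall-gated VLAN.
# Assumed values for the example.
GATED_VLAN_GATEWAYS = {
    10: "10.1.10.1",   # User LAN A
    20: "10.1.20.1",   # User LAN B
    30: "10.1.30.1",   # Server segment
}

# Constructed sample: the intended state. Gated VLANs exist only at Layer 2,
# the switch has a single management SVI on VLAN 99, and routing is disabled.
BASELINE_CONFIG = """\
hostname core-6509
no ip routing
vlan 10
 name users-a
vlan 20
 name users-b
vlan 30
 name servers
interface Vlan10
 no ip address
 shutdown
interface Vlan99
 description management only
 ip address 10.1.99.2 255.255.255.0
interface GigabitEthernet1/1
 description uplink to firewall
 switchport mode trunk
"""

# Constructed sample: the bypass. The admin brought up SVIs on the gated VLANs,
# reused the firewall's gateway addresses so hosts need no change, and enabled
# routing. Inter-VLAN traffic now never reaches the firewall rulebase.
BYPASSED_CONFIG = """\
hostname core-6509
ip routing
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
interface Vlan99
 ip address 10.1.99.2 255.255.255.0
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    vlan: Optional[int]   # None for switch-wide findings
    detail: str


def parse_svis(config: str) -> dict:
    """Return {vlan_id: {"ip": str|None, "shutdown": bool}} for each 'interface VlanN' stanza."""
    svis, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):                 # top-level line starts a new stanza
            m = re.match(r"interface Vlan(\d+)$", line, re.I)
            current = int(m.group(1)) if m else None
            if current is not None:
                svis[current] = {"ip": None, "shutdown": False}
            continue
        if current is None:
            continue
        body = line.strip()
        m = re.match(r"ip address (\S+) \S+$", body)  # 'no ip address' does not match
        if m:
            svis[current]["ip"] = m.group(1)
        elif body == "shutdown":
            svis[current]["shutdown"] = True
    return svis


def routing_enabled(config: str) -> bool:
    """Assume routing is on unless explicitly disabled (fail closed for an audit)."""
    return re.search(r"^no ip routing\s*$", config, re.M) is None


def audit(config: str, gateways: dict = GATED_VLAN_GATEWAYS) -> list:
    """Flag live SVIs on gated VLANs, and a routing path between two or more of them."""
    findings, live = [], []
    svis = parse_svis(config)
    for vlan, gw in gateways.items():
        svi = svis.get(vlan)
        if svi is None or svi["ip"] is None or svi["shutdown"]:
            continue                                  # still Layer 2 only: fine
        live.append(vlan)
        if svi["ip"] == gw:
            findings.append(Finding("critical", vlan,
                f"SVI Vlan{vlan} carries the firewall gateway address {gw}; "
                "hosts will hand inter-VLAN traffic to the switch, not the firewall"))
        else:
            findings.append(Finding("high", vlan,
                f"SVI Vlan{vlan} has address {svi['ip']} on a firewall-gated VLAN"))
    if routing_enabled(config) and len(live) >= 2:
        findings.append(Finding("critical", None,
            "ip routing enabled with live SVIs on VLANs "
            + ",".join(map(str, sorted(live))) + "; switch can forward between them"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE_CONFIG), ("bypassed", BYPASSED_CONFIG)):
        print(name, [(f.severity, f.vlan) for f in audit(cfg)])
```

Run against each archived config as it is collected and alert on any finding; because the poster's attacker reverts the change afterwards, the value is in keeping the history of configs (and of who logged in to make each change), not in a one-off check.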