[isalist] FW: Layer 3 and Firewall

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Oct 2006 20:38:22 -0500

http://www.ISAserver.org
-------------------------------------------------------

Nice description on why you don't want to use VLAN segmentation as a
security measure. 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of dubaisans dubai
Sent: Thursday, October 05, 2006 1:32 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Layer 3 and Firewall

Is it a BAD idea to have multiple logical segments of a Firewall
connected to the same physical switch?

One of our customers has a Cisco 6509. All VLANs are Layer 2. The
server segment and multiple User LANs are all terminated here on the same
6509. The default gateway for these Layer 2 VLANs is on the Checkpoint
Firewall. So all access from UserLAN to server segment is through the
Firewall rulebase.

The threat I see is if the network switch administrator wants to
bypass Firewall, he can just disconnect the Firewall links and make
the VLANs Layer 3 and there is no security. After malicious activities
he can very well connect the Firewall and revert back to Layer 2.

Is that a valid threat? Is it High risk? What controls are possible?
Are multiple physical switches required?

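One of the controls the question asks about is detective rather than preventive: periodically pull the 6509 running-config and flag any VLAN SVI that has acquired an IP address (or any enabling of ip routing), since that is exactly what turns a Layer 2 VLAN into a Layer 3 one and lets traffic skip the Checkpoint rulebase. The following is an added example, not code from the thread or from either poster. The config it parses is constructed sample input, the hostname and VLAN numbering are invented, and the allow-list of SVIs that legitimately carry an IP (a management VLAN here) is an assumption you would replace with your own.

```python
"""Audit an IOS-style running-config for Layer 3 termination on the switch.

In the design described in the thread every VLAN on the switch is Layer 2
only and the default gateway lives on the firewall.  If a VLAN SVI gets an
IP address and 'ip routing' is on, inter-VLAN traffic can be routed on the
switch and never reaches the firewall rulebase.  This flags exactly that.
"""
import re

# Constructed sample config (not from a real device).  VLAN 20 has been
# given an SVI address, which is the bypass the thread worries about.
SAMPLE_CONFIG = """\
hostname core-6509
ip routing
!
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
 name MGMT
!
interface Vlan10
 description users - L2 only, gateway on firewall
 no ip address
!
interface Vlan20
 description servers - should be L2 only
 ip address 10.0.20.1 255.255.255.0
!
interface Vlan30
 description management SVI, expected
 ip address 10.0.30.2 255.255.255.0
!
interface GigabitEthernet1/1
 description firewall trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end
"""

# Assumption: SVIs that are allowed to carry an IP address (management only).
EXPECTED_L3_VLANS = {30}


def parse_svis(config):
    """Return {vlan_id: ip_or_None} for every 'interface VlanN' stanza."""
    svis = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface Vlan(\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            svis[current] = None
            continue
        if current is not None and not line.startswith(" "):
            current = None  # stanza ended ('!' or the next top-level command)
            continue
        if current is not None:
            m = re.match(r"^\s+ip address (\S+) (\S+)", line)
            if m:
                svis[current] = m.group(1)
    return svis


def ip_routing_enabled(config):
    """True if 'ip routing' is present as a top-level command ('no ip routing' does not match)."""
    return any(line.strip() == "ip routing" for line in config.splitlines())


def audit(config, expected=EXPECTED_L3_VLANS):
    """Report SVIs that carry an IP but are not on the allow list, plus routing state."""
    svis = parse_svis(config)
    unexpected = sorted(v for v, ip in svis.items() if ip and v not in expected)
    return {
        "ip_routing": ip_routing_enabled(config),
        "unexpected_l3_vlans": unexpected,
        "svis": svis,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for vlan in result["unexpected_l3_vlans"]:
        print(f"WARNING: Vlan{vlan} has IP {result['svis'][vlan]} - traffic can bypass the firewall")
    if result["ip_routing"] and result["unexpected_l3_vlans"]:
        print("WARNING: ip routing is enabled, so the SVI above will forward between VLANs")
```

Because the scenario in the thread has the administrator reverting the change afterwards, a point-in-time audit is not enough on its own: run it against configs archived on every change (or against the configuration-change syslog/AAA accounting records) so that a temporary SVI leaves a trace even after it is removed.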



