I agree, you have to assume that your network admins / server support / application support / help desk people etc. are basically above board and are not intentionally going to do damage, but first hand I received a very harsh reality check several years ago. The network admin, 11 years with the company, received less than he deemed he should in the annual bonus & salary review, after a less than spectacular year for the company in general. He went totally off the rails, and wreaked mischief, mayhem, havoc and disaster through the network the following Sunday night, emailed the salary list and bonuses to most of the employees' home email addresses, emailed his thoughts about the worthlessness of the company in general to the entire customer list, and formatted the system drives on the domain controllers. He was charged and did some time, but the cost to the company was huge. He was trusted and had admin passwords for just about everything, when in reality, in a 'least privilege' environment his capability to do damage would have been severely limited; he would not have had admin level access to the SQL server hosting the HR database for instance, which he had no need for in his day to day job responsibilities. The week following Sunday night was not pretty. Fortunately I was only contracting at the company for 2 1/2 days a week at the time, but there were sure some sore bums walking around.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Fri 06/Oct/2006 14:38
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Layer 3 and Firewall

http://www.ISAserver.org
-------------------------------------------------------

While I agree with Tom that VLANs are a management, not a security, mechanism, the idea that "the administrator is a threat" is just plain stupid. If you're trying to mitigate threats created by your domain, network or application administrators, you've already lost the war - period.

If you can't trust your network admin to not #$%^ up your VLAN structure with malicious intent, you need to review your interview processes. Can you use VLANs to logically segment your network within the same physical devices? Absolutely. Can you use this management mechanism to improve your network security? AbsoFreakinLutely Not; again - all you are doing with VLANs is both complicating and simplifying your network structure in the same effort. Did I do this within my own ISA test lab? Ask Tom - I had 11 separate networks all operating through a single ISA that only had two physical interfaces... but this deployment was only to logically isolate one test bench or rack from the rest and minimize malware effects. If I couldn't trust my network admin (me) to maintain segment separation, what the #$%$% is he doing in this position?!? Quit trying to mitigate bad decisions with techniques; technology can't help you here.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Thursday, October 05, 2006 6:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] FW: Layer 3 and Firewall

http://www.ISAserver.org
-------------------------------------------------------

Nice description on why you don't want to use VLAN segmentation as a security measure.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
Sent: Thursday, October 05, 2006 1:32 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Layer 3 and Firewall

Is it a BAD idea to have multiple logical segments of a Firewall connected to the same physical switch? One of our customers has a Cisco 6509. All VLANs are Layer 2. The server segment and multiple User LANs are all terminated here on the same 6509.

The default gateway for these Layer 2 VLANs is on the Checkpoint Firewall, so all access from the User LAN to the server segment is through the Firewall rulebase. The threat I see is that if the network switch administrator wants to bypass the Firewall, he can just disconnect the Firewall links and make the VLANs Layer 3, and there is no security. After malicious activities he can very well connect the Firewall and revert back to Layer 2. Is that a valid threat? Is it high risk? What controls are possible? Are multiple physical switches required?

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
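One of the controls the original question asks about is simply noticing, from the switch's own logs, when an L2 VLAN is turned into an L3 one or a firewall link is taken down. The following is an added example, not code from the thread or from any vendor: it scans Cisco IOS configuration-change syslog lines (the %PARSER-5-CFGLOG_LOGGEDCMD records produced by config logging) and flags the commands that would route around the firewall. The hostname, usernames, port names and log lines are constructed, and FIREWALL_UPLINKS is an assumed, site-specific list of firewall-facing ports.

```python
import re

# Assumed: the 6509 ports that face the Checkpoint firewall (site-specific).
FIREWALL_UPLINKS = {"GigabitEthernet1/1", "GigabitEthernet1/2"}

# IOS config logging emits one %PARSER-5-CFGLOG_LOGGEDCMD line per command, with the user.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \d+: "
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Constructed sample syslog (not from the thread): one session that makes a VLAN
# routable on the switch and shuts the firewall-facing port, then benign helpdesk work.
SAMPLE_LOG = """\
Oct  5 23:41:02 core-6509 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:ip routing
Oct  5 23:41:20 core-6509 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:interface Vlan20
Oct  5 23:41:25 core-6509 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:ip address 10.20.0.1 255.255.255.0
Oct  5 23:41:40 core-6509 1237: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:interface GigabitEthernet1/1
Oct  5 23:41:41 core-6509 1238: %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin  logged command:shutdown
Oct  6 08:10:00 core-6509 1239: %PARSER-5-CFGLOG_LOGGEDCMD: User:helpdesk  logged command:interface GigabitEthernet2/5
Oct  6 08:10:05 core-6509 1240: %PARSER-5-CFGLOG_LOGGEDCMD: User:helpdesk  logged command:description user port
"""

def find_l3_bypass(log_text):
    """Return config commands that route around the firewall, with who ran them."""
    findings = []
    context = None  # interface named by the most recent 'interface ...' command
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if cmd.startswith("interface "):
            context = cmd.split(None, 1)[1]
            continue
        reason = None
        if cmd == "ip routing":
            reason = "inter-VLAN routing enabled on the switch"
        elif cmd.startswith("ip address ") and context and context.lower().startswith("vlan"):
            reason = f"SVI {context} given an IP: that VLAN is now Layer 3 on the switch"
        elif cmd == "shutdown" and context in FIREWALL_UPLINKS:
            reason = f"firewall-facing port {context} shut down"
        if reason:
            findings.append({"time": m.group("ts"), "host": m.group("host"),
                             "user": m.group("user"), "command": cmd, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_l3_bypass(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['user']}: {f['command']} -> {f['reason']}")
```

Feeding the real switch's syslog stream through this (with config logging and a syslog server the switch admin cannot edit) turns the "disconnect, route, reconnect" scenario into an alert with a named user and timestamp.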