[isalist] Re: FW: Layer 3 and Firewall

  • From: "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 6 Oct 2006 15:00:45 +1000

I agree, you have to assume that your network admins / server support / 
application support / help desk people etc. are basically above board and are 
not intentionally going to do damage, but, first-hand, I received a very harsh 
reality check several years ago.
 
The network admin, 11 years with the company, received less than he deemed he 
should in the annual bonus & salary review, after a less than spectacular year 
for the company in general. He went totally off the rails, and wreaked mischief, 
mayhem, havoc and disaster through the network the following Sunday night, 
emailed the salary list and bonuses to most of the employees' home email addresses, 
emailed his thoughts about the worthlessness of the company in general to the 
entire customer list, and formatted the system drives on the domain controllers.
 
He was charged and did some time, but the cost to the company was huge.
 
He was trusted and had admin passwords for just about everything, when in 
reality, in a 'least privilege' environment, his capability to do damage would 
have been severely limited; he would not have had admin-level access to the SQL 
server hosting the HR database, for instance, which he had no need for in his 
day-to-day job responsibilities.
 
The week following Sunday night was not pretty. Fortunately I was only 
contracting at the company for 2 1/2 days a week at the time, but there were 
sure some sore bums walking around.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Fri 06/Oct/2006 14:38
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Layer 3 and Firewall



http://www.ISAserver.org
-------------------------------------------------------
 
While I agree with Tom that VLANs are a management, not a security,
mechanism, the idea that "the administrator is a threat" is just plain
stupid.  If you're trying to mitigate threats created by your domain,
network or application administrators, you've already lost the war -
period.  If you can't trust your network admin not to #$%^ up your VLAN
structure with malicious intent, you need to review your interview
processes.

Can you use VLANs to logically segment your network within the same
physical devices?  Absolutely.
Can you use this management mechanism to improve your network security?
AbsoFreakinLutely Not; again - all you are doing with VLANs is both
complicating and simplifying your network structure in the same effort.

Did I do this within my own ISA test lab?  Ask Tom - I had 11 separate
networks all operating through a single ISA that only had two physical
interfaces.  ...but this deployment was only to logically isolate one
test bench or rack from the rest and minimize malware effects.  If I
couldn't trust my network admin (me) to maintain segment separation,
what the #$%$% is he doing in this position?!?

Quit trying to mitigate bad decisions with techniques; technology can't
help you here.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, October 05, 2006 6:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] FW: Layer 3 and Firewall

 
Nice description on why you don't want to use VLAN segmentation as a
security measure.


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of dubaisans dubai
Sent: Thursday, October 05, 2006 1:32 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Layer 3 and Firewall

Is it a BAD idea to have multiple logical segments of a Firewall
connected to the same physical switch?

One of our customers has a Cisco 6509. All VLANs are Layer 2. The server
segment and multiple user LANs are all terminated here on the same 6509. The
default gateway for these Layer 2 VLANs is on the Checkpoint Firewall. So
all access from the user LANs to the server segment is through the Firewall
rulebase.

The threat I see is that if the network switch administrator wants to bypass
the Firewall, he can just disconnect the Firewall links and make the VLANs
Layer 3, and there is no security. After malicious activities he can very
well reconnect the Firewall and revert back to Layer 2.

Is that a valid threat? Is it high risk? What controls are possible?
Are multiple physical switches required?
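One control for the scenario described in this question, as an added example that is not part of the original post: a compliance check over the switch's saved running-config that flags anything allowing the 6509 to route between VLANs on its own (a global "ip routing" statement, or a VLAN interface holding an IP address outside a small allowlist), so a change that bypasses the firewall shows up in the next config audit rather than going unnoticed until it is reverted. The config text, hostname, addresses and VLAN numbers are constructed.

```python
# Added example (not from the thread): flag Layer 3 drift on a switch that is
# supposed to be Layer 2 only, so VLAN traffic cannot route around the firewall.
# Hostname, addresses and VLAN numbers below are constructed.
import re

# Constructed IOS-style running-config: VLAN 10 = user LAN, VLAN 20 = servers,
# VLAN 99 = the one management SVI the switch is allowed to address.
SAMPLE_CONFIG = """\
hostname core-6509
ip routing
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 no ip address
!
interface Vlan99
 ip address 10.1.99.5 255.255.255.0
!
"""

ALLOWED_SVIS = {99}  # only the management VLAN may have an IP on the switch

def parse_interfaces(config):
    """Split an IOS-style config into {interface_name: [stripped lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def find_l3_drift(config, allowed_svis=ALLOWED_SVIS):
    """Return human-readable findings; an empty list means the switch is L2-only."""
    findings = []
    if re.search(r"^ip routing\s*$", config, re.MULTILINE):
        findings.append("global: ip routing is enabled")
    for name, lines in parse_interfaces(config).items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and int(m.group(1)) not in allowed_svis:
            if any(l.startswith("ip address ") for l in lines):
                findings.append(f"{name}: SVI has an IP address, can route between VLANs")
    return findings
```

Run find_l3_drift over each switch's scheduled config backup and alert on any non-empty result; the same check also catches the honest mistake of an SVI left addressed after troubleshooting.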




------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx


