[isalist] Re: FW: Layer 3 and Firewall

I'll bet the 20-20-hindsight committee determined that "this might have
been preventable if...", too.

As long as there is anyone with "god-like powers", the risk is always
there.

I won't be the one to perpetuate the idea that "there are certain folks
you don't piss off", but human nature being what it is, this remains a
fact.

"Absolute power corrupts absolutely"?

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Glenn P. JOHNSTON
Sent: Thursday, October 05, 2006 10:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: FW: Layer 3 and Firewall

 

I agree, you have to assume that your network admins / server support /
application support / help desk people etc are basically above board and
are not intentionally going to do damage, but, first hand I received a
very harsh reality check several years ago.

 

The network admin, 11 years with the company, received less than he
deemed he should in the annual bonus & salary review, after a less then
spectacular year for the company in general. He went totally off the
rails, and reeked mischief mayhem havoc and disaster through the network
the following Sunday night, emailed the salary list and bonus to most of
the employees home email address,  emailed his thoughts about the
worthlessness of the company in general to the entire customer list, and
formatted the system drives on the domain controllers.

 

He was charged and did some time, but the cost to the company was huge.

 

He was trusted and had admin passwords for just about everything, when
in reality, in  a 'least privilege' environment his capability to do
damage would have been severely limited, he would not have had admin
level access to the SQL server hosting the HR database for instance,
which he had no need for in his day to day job resonsibilities.

 

The week following Sunday night was not pretty. Fortunately I was only
contracting at the company for 2 1/2 days a week at the time, but there
were sure some sore bums walking around.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Fri 06/Oct/2006 14:38
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Layer 3 and Firewall

http://www.ISAserver.org <http://www.isaserver.org/> 
-------------------------------------------------------
 
While I agree with Tom that VLANs are a management; not a security
mechanism, the idea that "the administrator is a threat" is just plain
stupid.  If you're trying to mitigate threats created by your domain,
network or application administrators, you've already lost the war -
period.  If you can't trust your network admin to not #$%^ up your VLAN
structure with malicious intent, you need to review your interview
processes.

Can you use VLANs to logically segment your network within the same
physical devices?  Absolutely.
Can you use this management mechanism to improve your network security?
AbsoFreakinLutely Not; again - all you are doing with VLANS is both
complicating and simplifying your network structure in the same effort.

Did I do this within my own ISA test lab?  Ask Tom - I had 11 separate
networks all operating through a single ISA that only had two physical
interfaces.  ..but this deployment was only to logically isolate one
test bench or rack from the rest and minimize malware effects.  If I
couldn't trust my network admin (me) to maintain segment separation,
what the #$%$% is doing in this position?!?

Quit trying to mitigate bad decisions with techniques; technology can't
help you here.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, October 05, 2006 6:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] FW: Layer 3 and Firewall

http://www.ISAserver.org <http://www.isaserver.org/> 
-------------------------------------------------------
 
Nice description on why you don't want to use VLAN segmentation as a
security measure.


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of dubaisans dubai
Sent: Thursday, October 05, 2006 1:32 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Layer 3 and Firewall

Is it a BAD idea to have multiple logical segments of a Firewall
connected to the same physical switch?

One of our customers has a Cisco 6509. All VLANs are Layer 2. The server
segment multiple User LANs are all terminated here on the same 6509. The
default gateway for these Layer 2 VLAN is on the Checkpoint Firewall. So
al access from UserLAN to server segment is through the Firewall
rulebase.

The threat I see is if the network switch administrator wants to bypass
Firewall, he can just disconnect the Firewall links and make the VLANs
Layer 3 and there is no security. After malicious activites he can very
well connect the Firewall and revert back to Layer 2.

Is that a valid threat ? Is it High risk ? What controls are possible ?
Are multiple physical switches required.?

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
00000008bOW
------------------------------------------------------------------------



------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com <http://www.techgenix.com/> 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx


All mail to and from this domain is GFI-scanned.

------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/ 
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com <http://www.techgenix.com/> 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx


All mail to and from this domain is GFI-scanned.

Other related posts: