[isalist] Re: FW: Layer 3 and Firewall

  • From: "Gerald G. Young" <g.young@xxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 6 Oct 2006 10:22:34 -0400

http://www.ISAserver.org
-------------------------------------------------------

VLANs not a security mechanism?  I suppose it depends on your definition
of "security mechanism".  Isolation of virtual broadcast domains seems
like something that has security applications to me.

In any case, yes, I agree about "the administrator is a threat" being a
bit overboard given the very purpose they serve. :)

For what it's worth though, here is a link to a VLAN Security White
Paper published by Cisco for the 6500 series of switches.  It contains
VLAN Security Best Practices.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Cordially yours,
Jerry G. Young II
Applications Engineer, Platform Engineering
Enterprise Hosting
NTT America, an NTT Communications Company
 
22451 Shaw Rd.
Sterling, VA 20166
 
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, October 06, 2006 12:39 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: FW: Layer 3 and Firewall
> 
> While I agree with Tom that VLANs are a management, not a security,
> mechanism, the idea that "the administrator is a threat" is just plain
> stupid.  If you're trying to mitigate threats created by your domain,
> network or application administrators, you've already lost the war -
> period.  If you can't trust your network admin to not #$%^ up your VLAN
> structure with malicious intent, you need to review your interview
> processes.
> 
> Can you use VLANs to logically segment your network within the same
> physical devices?  Absolutely.
> Can you use this management mechanism to improve your network security?
> AbsoFreakinLutely Not; again - all you are doing with VLANS is both
> complicating and simplifying your network structure in the same effort.
> 
> Did I do this within my own ISA test lab?  Ask Tom - I had 11 separate
> networks all operating through a single ISA that only had two physical
> interfaces.  ..but this deployment was only to logically isolate one
> test bench or rack from the rest and minimize malware effects.  If I
> couldn't trust my network admin (me) to maintain segment separation,
> what the #$%$% is he doing in this position?!?
> 
> Quit trying to mitigate bad decisions with techniques; technology can't
> help you here.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Thursday, October 05, 2006 6:38 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] FW: Layer 3 and Firewall
> 
> Nice description on why you don't want to use VLAN segmentation as a
> security measure.
> 
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> -----Original Message-----
> From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
> On Behalf Of dubaisans dubai
> Sent: Thursday, October 05, 2006 1:32 AM
> To: pen-test@xxxxxxxxxxxxxxxxx
> Subject: Layer 3 and Firewall
> 
> Is it a BAD idea to have multiple logical segments of a Firewall
> connected to the same physical switch?
> 
> One of our customers has a Cisco 6509. All VLANs are Layer 2. The server
> segment and multiple User LANs are all terminated here on the same 6509.
> The default gateway for these Layer 2 VLANs is on the Checkpoint
> Firewall. So all access from UserLAN to server segment is through the
> Firewall rulebase.
> 
> The threat I see is if the network switch administrator wants to bypass
> the Firewall, he can just disconnect the Firewall links and make the
> VLANs Layer 3 and there is no security. After malicious activities he can
> very well connect the Firewall and revert back to Layer 2.
> 
> Is that a valid threat? Is it High risk? What controls are possible?
> Are multiple physical switches required?
> 

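One of the controls the original question asks about, as an added example that is not part of this thread or of any product mentioned in it: a small configuration-audit script. It parses a Cisco-IOS-style running config and flags any VLAN that policy says must stay Layer 2 (default gateway on the firewall) but that the switch now routes itself, i.e. an `interface VlanN` carrying an `ip address`, together with the global `ip routing` command that makes such SVIs forward between VLANs. The hostname, VLAN numbers, addresses and the L2-only policy set are constructed samples; only the `interface Vlan`, `ip address` and `ip routing` keywords are real IOS syntax.

```python
"""
Config-audit check (added example, not from the thread): flag VLANs that
policy says must stay Layer 2, with their gateway on the firewall, but that
the switch config now routes itself (an SVI with an IP address, plus global
"ip routing"). The policy set and config text below are constructed samples.
"""
import re

# Constructed policy: VLANs whose default gateway must live on the firewall.
L2_ONLY_VLANS = {10, 20, 30}

# Constructed Cisco-IOS-style running-config excerpt. VLAN 20 has been given
# an SVI with an address and global IP routing is on: that is the "make the
# VLANs Layer 3" change the original question worries about. VLAN 99 is the
# switch management SVI and is allowed to have an address.
SAMPLE_CONFIG = """\
hostname core-6509
ip routing
!
interface Vlan10
 description UserLAN-A (L2 only, gateway on firewall)
 no ip address
!
interface Vlan20
 description UserLAN-B
 ip address 10.0.20.1 255.255.255.0
 no shutdown
!
interface Vlan30
 description Servers
 no ip address
!
interface Vlan99
 description Switch management
 ip address 10.0.99.5 255.255.255.0
!
"""


def parse_svis(config):
    """Return {vlan_id: has_ip_address} for every 'interface VlanN' block."""
    svis = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)", line)
        if m:
            current = int(m.group(1))
            svis[current] = False
            continue
        if line.startswith("!"):          # '!' ends an interface block in IOS
            current = None
            continue
        # ' ip address A.B.C.D mask' inside an SVI block; ' no ip address'
        # deliberately does not match.
        if current is not None and re.match(r"\s+ip address \d", line):
            svis[current] = True
    return svis


def ip_routing_enabled(config):
    """True if the global 'ip routing' command is present ('no ip routing' is not)."""
    return any(line.strip() == "ip routing" for line in config.splitlines())


def audit(config, l2_only=L2_ONLY_VLANS):
    """Return a list of finding strings; an empty list means the policy holds."""
    findings = []
    svis = parse_svis(config)
    routed = [v for v in sorted(svis) if svis[v] and v in l2_only]
    for v in routed:
        findings.append(f"vlan {v}: SVI has an IP address but VLAN is L2-only by policy")
    if routed and ip_routing_enabled(config):
        findings.append("global: 'ip routing' enabled, so routed SVIs bypass the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against every archived config backup, or hook it into change control so a diff that adds an SVI address on an L2-only VLAN is flagged before it is approved; a clean run returns an empty list. It only detects the configuration change the question describes, not a physically re-cabled firewall, so it complements rather than replaces link-state monitoring on the firewall uplinks.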
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
