[isalist] Re: FW: Layer 3 and Firewall

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Oct 2006 21:38:35 -0700

http://www.ISAserver.org
-------------------------------------------------------
  
While I agree with Tom that VLANs are a management, not a security,
mechanism, the idea that "the administrator is a threat" is just plain
stupid.  If you're trying to mitigate threats created by your domain,
network or application administrators, you've already lost the war -
period.  If you can't trust your network admin to not #$%^ up your VLAN
structure with malicious intent, you need to review your interview
processes.

Can you use VLANs to logically segment your network within the same
physical devices?  Absolutely.
Can you use this management mechanism to improve your network security?
AbsoFreakinLutely Not; again - all you are doing with VLANs is both
complicating and simplifying your network structure in the same effort.

Did I do this within my own ISA test lab?  Ask Tom - I had 11 separate
networks all operating through a single ISA that only had two physical
interfaces.  ...but this deployment was only to logically isolate one
test bench or rack from the rest and minimize malware effects.  If I
couldn't trust my network admin (me) to maintain segment separation,
what the #$%$% is he doing in this position?!?

Quit trying to mitigate bad decisions with techniques; technology can't
help you here.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, October 05, 2006 6:38 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] FW: Layer 3 and Firewall

Nice description on why you don't want to use VLAN segmentation as a
security measure. 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of dubaisans dubai
Sent: Thursday, October 05, 2006 1:32 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Layer 3 and Firewall

Is it a BAD idea to have multiple logical segments of a Firewall
connected to the same physical switch?

One of our customers has a Cisco 6509. All VLANs are Layer 2. The server
segment and multiple User LANs are all terminated here on the same 6509.
The default gateway for these Layer 2 VLANs is on the Checkpoint
Firewall. So all access from the User LAN to the server segment is
through the Firewall rulebase.

The threat I see is that if the network switch administrator wants to
bypass the Firewall, he can just disconnect the Firewall links and make
the VLANs Layer 3, and there is no security. After malicious activities
he can very well reconnect the Firewall and revert to Layer 2.

Is that a valid threat? Is it high risk? What controls are possible?
Are multiple physical switches required?
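The scenario above (Layer 2 VLANs whose gateway lives on the firewall, and a switch admin who could turn them into Layer 3 SVIs or shut the firewall uplink) is the kind of change a configuration audit can catch after the fact. The script below is an added example, not code from any poster on this thread: it parses an IOS-style running-config (a constructed sample, not a real device's config) and flags VLAN interfaces that have gained an IP address, a global "ip routing" statement, and a shut-down interface whose description names the firewall. The VLAN ids, descriptions and the "firewall" keyword are assumptions for the example; in practice you would feed it a config pulled on a schedule, or a diff of one, and alert on any finding.

```python
"""Audit an IOS-style running-config for VLANs that have become Layer 3
on the switch (gateway moved off the firewall) or a firewall link that
has been shut down.  Added example; constructed sample data below."""
import re

# Constructed sample config (not from a real device).  Vlan20 has been
# converted to Layer 3 and the firewall uplink has been shut down.
SAMPLE_CONFIG = """\
hostname core-switch
!
ip routing
!
interface Vlan10
 description Server segment (L2 only, gateway on firewall)
 no ip address
!
interface Vlan20
 description User LAN (should be L2 only)
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet1/1
 description Uplink to firewall
 switchport
 switchport mode trunk
 shutdown
!
"""

# VLANs whose gateway is expected to live on the firewall (assumption).
EXPECTED_L2_VLANS = {10, 20}


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for the config."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global statement ends the block
    return interfaces


def find_l3_vlans(config):
    """Return the set of VLAN ids whose SVI carries an IP address."""
    l3 = set()
    for name, lines in parse_interfaces(config).items():
        m = re.fullmatch(r"[Vv]lan(\d+)", name)
        if m and any(re.match(r"ip address \d", ln) for ln in lines):
            l3.add(int(m.group(1)))
    return l3


def routing_enabled(config):
    """True if the global 'ip routing' statement is present."""
    return any(line.strip() == "ip routing" for line in config.splitlines())


def shutdown_interfaces(config, keyword="firewall"):
    """Interfaces that mention keyword in their description and are shut."""
    hits = []
    for name, lines in parse_interfaces(config).items():
        desc = next((ln for ln in lines if ln.startswith("description ")), "")
        if keyword.lower() in desc.lower() and "shutdown" in lines:
            hits.append(name)
    return hits


def audit(config, expected_l2=EXPECTED_L2_VLANS):
    """Return human-readable findings for changes that bypass the firewall."""
    findings = []
    for vid in sorted(find_l3_vlans(config) & expected_l2):
        findings.append(f"Vlan{vid} has an IP address: gateway moved from firewall to switch")
    if findings and routing_enabled(config):
        findings.append("'ip routing' is enabled: inter-VLAN traffic can bypass the firewall")
    for name in shutdown_interfaces(config):
        findings.append(f"{name} (firewall link) is shutdown")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample it reports three findings (the Layer 3 SVI on Vlan20, global routing, and the shut firewall uplink); a clean config with only "no ip address" SVIs reports none. A check like this does not stop the admin, which is the point the replies make, but it does make the change visible to someone other than the person who made it.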

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 