[isalist] Re: FW: Layer 3 and Firewall

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 6 Oct 2006 08:44:26 -0700

http://www.ISAserver.org
-------------------------------------------------------

Go check out the IEEE papers on 802.1Q and decide for yourself.
At no time is this mechanism discussed as a network security mechanism, 
although security ramifications and limitations are touched on.

As Tom points out, this is a logical, not a physical, separation mechanism.
If you take "logical isolation" as a security mechanism, then you must also 
believe that your employee agreements protect your company from the "wild 
admin" factor.  

I see large, flightless birds in this discussion...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gerald G. Young
Sent: Friday, October 06, 2006 07:23
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Layer 3 and Firewall

VLANs not a security mechanism?  I suppose it depends on your definition of 
"security mechanism".  Isolation of virtual broadcast domains seems like 
something that has security applications to me.

In any case, yes, I agree about "the administrator is a threat" being a bit 
overboard given the very purpose they serve. :)

For what it's worth though, here is a link to a VLAN Security White Paper 
published by Cisco for the 6500 series of switches.  It contains VLAN Security 
Best Practices.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Cordially yours,
Jerry G. Young II
Applications Engineer, Platform Engineering Enterprise Hosting NTT America, an 
NTT Communications Company
 
22451 Shaw Rd.
Sterling, VA 20166
 
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, October 06, 2006 12:39 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: FW: Layer 3 and Firewall
> 
> While I agree with Tom that VLANs are a management, not a security, 
> mechanism, the idea that "the administrator is a threat" is just plain 
> stupid.  If you're trying to mitigate threats created by your domain, 
> network or application administrators, you've already lost the war - 
> period.  If you can't trust your network admin to not #$%^ up your VLAN 
> structure with malicious intent, you need to review your interview 
> processes.
> 
> Can you use VLANs to logically segment your network within the same 
> physical devices?  Absolutely.
> Can you use this management mechanism to improve your network security?
> AbsoFreakinLutely Not; again - all you are doing with VLANS is both 
> complicating and simplifying your network structure in the same effort.
> 
> Did I do this within my own ISA test lab?  Ask Tom - I had 11 separate 
> networks all operating through a single ISA that only had two physical 
> interfaces.  ..but this deployment was only to logically isolate one 
> test bench or rack from the rest and minimize malware effects.  If I 
> couldn't trust my network admin (me) to maintain segment separation, 
> what the #$%$% is doing in this position?!?
> 
> Quit trying to mitigate bad decisions with techniques; technology can't 
> help you here.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Thursday, October 05, 2006 6:38 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] FW: Layer 3 and Firewall
> 
> Nice description on why you don't want to use VLAN segmentation as a 
> security measure.
> 
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> -----Original Message-----
> From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
> On Behalf Of dubaisans dubai
> Sent: Thursday, October 05, 2006 1:32 AM
> To: pen-test@xxxxxxxxxxxxxxxxx
> Subject: Layer 3 and Firewall
> 
> Is it a BAD idea to have multiple logical segments of a Firewall 
> connected to the same physical switch?
> 
> One of our customers has a Cisco 6509. All VLANs are Layer 2. The server 
> segment and multiple User LANs are all terminated here on the same 6509. 
> The default gateway for these Layer 2 VLANs is on the Checkpoint Firewall, 
> so all access from UserLAN to server segment is through the Firewall 
> rulebase.
> 
> The threat I see is if the network switch administrator wants to bypass 
> the Firewall, he can just disconnect the Firewall links and make the VLANs 
> Layer 3 and there is no security. After malicious activities he can very 
> well connect the Firewall and revert back to Layer 2.
> 
> Is that a valid threat? Is it High risk? What controls are possible? 
> Are multiple physical switches required?
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx

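The last question in the quoted trail ("What controls are possible?") is one that a configuration audit can partly answer: if the switch is supposed to carry the user and server VLANs at Layer 2 only, with the default gateway on the firewall, then an SVI acquiring an IP address on one of those VLANs is exactly the change worth noticing. The following is an added example and not code from any of the posters. It parses a constructed IOS-style running-config (the hostname, VLAN ids and addresses are all made up) and reports VLANs that are expected to be Layer 2 only but have an `interface VlanN` with an `ip address`, plus whether `ip routing` is enabled. It does not prevent an administrator from making the change; it only makes the change visible when run against configs that are collected regularly and stored out of that administrator's control.

```python
"""Audit a Cisco IOS-style running-config for Layer 3 creep on VLANs that
are expected to stay Layer 2 (gateway on the firewall, not on the switch).

Added example, not code from the mailing-list thread.  The config text is
constructed for illustration; the parser handles the common IOS forms
('ip routing', 'interface VlanN' followed by 'ip address') and nothing more.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample running-config (hostname, VLAN ids, addresses made up).
SAMPLE_CONFIG = """\
!
hostname core-6509
!
ip routing
!
vlan 10
 name USER_LAN_A
vlan 20
 name USER_LAN_B
vlan 30
 name SERVER_SEGMENT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description should be L2 only - gateway lives on the firewall
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan30
 no ip address
!
interface GigabitEthernet1/1
 description uplink to firewall
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
"""

SVI_RE = re.compile(r"^interface\s+Vlan(\d+)\s*$", re.IGNORECASE)
IP_RE = re.compile(r"^\s+ip address\s+(\S+)\s+(\S+)")      # excludes 'no ip address'
ROUTING_RE = re.compile(r"^ip routing\s*$")


@dataclass
class Finding:
    vlan: int
    address: str


def parse_svis(config: str) -> Dict[int, Optional[str]]:
    """Map VLAN id -> IP address configured on its SVI (None if none)."""
    svis: Dict[int, Optional[str]] = {}
    current: Optional[int] = None
    for line in config.splitlines():
        m = SVI_RE.match(line)
        if m:
            current = int(m.group(1))
            svis[current] = None
            continue
        if current is None:
            continue
        # A '!' or any non-indented line ends the interface stanza.
        if line.startswith("!") or (line and not line[0].isspace()):
            current = None
            continue
        m = IP_RE.match(line)
        if m:
            svis[current] = m.group(1)
    return svis


def audit(config: str, l2_only_vlans: Set[int]) -> dict:
    """Report SVIs with addresses on VLANs that must stay Layer 2, and
    whether the switch has 'ip routing' turned on at all."""
    svis = parse_svis(config)
    routing = any(ROUTING_RE.match(l) for l in config.splitlines())
    findings: List[Finding] = [
        Finding(vlan, addr)
        for vlan, addr in sorted(svis.items())
        if vlan in l2_only_vlans and addr is not None
    ]
    return {"ip_routing": routing, "routed_l2_vlans": findings}


def report(config: str, l2_only_vlans: Set[int]) -> List[str]:
    """Human-readable lines for a change ticket or a monitoring alert."""
    result = audit(config, l2_only_vlans)
    lines = [f"ip routing enabled: {result['ip_routing']}"]
    for f in result["routed_l2_vlans"]:
        lines.append(f"VLAN {f.vlan}: SVI has address {f.address} but VLAN is L2-only")
    if not result["routed_l2_vlans"]:
        lines.append("no L2-only VLAN is routed on the switch")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG, {10, 20, 30}):
        print(line)
```

Run it against a config pulled on a schedule (or on every change event from the switch's logging) and diff the `audit` result against the previous run; a newly routed VLAN, or `ip routing` appearing on a box that never had it, is the signal to raise.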
