[isalist] Re: FW: Layer 3 and Firewall

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 6 Oct 2006 14:11:59 -0700

http://www.ISAserver.org
-------------------------------------------------------

I completely agree (re: my 11-net lab ISA), but I make my chosen points to 
disabuse anyone of the idea that 802.1Q *in and of itself* is any form of a 
security mechanism.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Friday, October 06, 2006 09:21
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Layer 3 and Firewall

My buck .05 --- I've been working with a client in an extremely secure 
environment where I implemented an ISA solution behind a Checkpoint / Nokia box 
where they utilized VLANs to not only separate out the DMZ into virtual 
segments, but where we applied very strict firewall rules to each individual 
interface.  It was really something... Granted, it was a 250k box (nice to have 
clients who can drop a quarter million on a switch, eh?) but I could not be 
happier with the security-in-depth mechanism it provided.

So while the "logical" solution is obviously not the same as a "physical"
solution, the "proper" combination of them can result in an extremely robust 
security infrastructure. In fact, I would have to say, in the absence of any 
other mechanism, a VLAN implementation would have to be considered far more 
secure than not having anything at all.

t




On 10/6/06 8:44 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:

> 
> Go check out the IEEE papers on 802.1Q and decide for yourself.
> At no time is this mechanism discussed as a network security 
> mechanism, although security ramifications and limitations are touched on.
> 
> As Tom points out, this is a logical; not a physical separation mechanism.
> If you take "logical isolation" as a security mechanism, then you must 
> also believe that your employee agreements protect your company from 
> the "wild admin" factor.
> 
> I see large, flightless birds in this discussion...
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> Sent: Friday, October 06, 2006 07:23
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: FW: Layer 3 and Firewall
> 
> 
> VLANs not a security mechanism?  I suppose it depends on your 
> definition of "security mechanism".  Isolation of virtual broadcast 
> domains seems like something that has security applications to me.
> 
> In any case, yes, I agree about "the administrator is a threat" being 
> a bit overboard given the very purpose they serve. :)
> 
> For what it's worth though, here is a link to a VLAN Security White 
> Paper published by Cisco for the 6500 series of switches.  It contains 
> VLAN Security Best Practices.
> 
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
> 
> Cordially yours,
> Jerry G. Young II
> Applications Engineer, Platform Engineering Enterprise Hosting
> NTT America, an NTT Communications Company
>  
> 22451 Shaw Rd.
> Sterling, VA 20166
>  
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jim Harrison
>> Sent: Friday, October 06, 2006 12:39 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: FW: Layer 3 and Firewall
>> 
>> 
>> While I agree with Tom that VLANs are a management, not a security, 
>> mechanism, the idea that "the administrator is a threat" is just 
>> plain stupid.  If you're trying to mitigate threats created by your 
>> domain, network or application administrators, you've already lost 
>> the war - period.  If you can't trust your network admin to not #$%^ 
>> up your VLAN structure with malicious intent, you need to review your 
>> interview processes.
>> 
>> Can you use VLANs to logically segment your network within the same 
>> physical devices?  Absolutely.
>> Can you use this management mechanism to improve your network security?
>> AbsoFreakinLutely Not; again - all you are doing with VLANs is both 
>> complicating and simplifying your network structure in the same effort.
>> 
>> Did I do this within my own ISA test lab?  Ask Tom - I had 11 
>> separate networks all operating through a single ISA that only had 
>> two physical interfaces.  ..but this deployment was only to logically 
>> isolate one test bench or rack from the rest and minimize malware 
>> effects.  If I couldn't trust my network admin (me) to maintain 
>> segment separation, what the #$%$% is doing in this position?!?
>> 
>> Quit trying to mitigate bad decisions with techniques; technology can't 
>> help you here.
>> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thomas W Shinder
>> Sent: Thursday, October 05, 2006 6:38 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] FW: Layer 3 and Firewall
>> 
>> 
>> Nice description on why you don't want to use VLAN segmentation as a 
>> security measure.
>> 
>> 
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- Microsoft Firewalls (ISA)
>> 
>> 
>> -----Original Message-----
>> From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
>> On Behalf Of dubaisans dubai
>> Sent: Thursday, October 05, 2006 1:32 AM
>> To: pen-test@xxxxxxxxxxxxxxxxx
>> Subject: Layer 3 and Firewall
>> 
>> Is it a BAD idea to have multiple logical segments of a Firewall 
>> connected to the same physical switch?
>> 
>> One of our customers has a Cisco 6509. All VLANs are Layer 2. The server 
>> segment and multiple User LANs are all terminated here on the same 6509. 
>> The default gateway for these Layer 2 VLANs is on the Checkpoint Firewall. 
>> So all access from UserLAN to server segment is through the Firewall 
>> rulebase.
>> 
>> The threat I see is if the network switch administrator wants to bypass 
>> the Firewall, he can just disconnect the Firewall links and make the 
>> VLANs Layer 3 and there is no security. After malicious activities he 
>> can very well connect the Firewall and revert back to Layer 2.
>> 
>> Is that a valid threat? Is it High risk? What controls are possible? 
>> Are multiple physical switches required?
>> 
>> 


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 
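The threat dubaisans dubai raises (the switch admin giving the Layer 2 VLANs IP interfaces on the 6509 so traffic routes on the switch instead of through the Checkpoint) leaves a footprint in the switch configuration: an "interface VlanN" stanza with an address that is not shut down, alongside "ip routing". The following is an added example, not code from the thread or from any of its participants, that audits an IOS-style running-config for exactly that condition. The VLAN IDs, addresses and the whole sample config are constructed for illustration; the thread names none of them.

```python
"""Audit an IOS-style running-config for Layer 2 VLANs that have become Layer 3.

Added example (not from the original thread). Flags any protected VLAN that
has a live SVI (interface VlanN with an ip address and no shutdown), which is
what routing around the firewall on the switch itself looks like in config.
"""
import re

# VLAN IDs that must stay Layer 2 (assumed values; the thread names none).
PROTECTED_VLANS = {10, 20, 30}

# Constructed sample config in IOS syntax; not output from a real device.
SAMPLE_CONFIG = """\
hostname core-6509
ip routing
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description User LAN (gateway is the firewall, must stay L2)
 ip address 10.1.10.254 255.255.255.0
!
interface Vlan20
 description Server segment
 no ip address
 shutdown
!
interface Vlan30
 description Server segment 2
 ip address 10.1.30.254 255.255.255.0
 shutdown
!
interface Vlan99
 description Switch management (L3 on purpose)
 ip address 10.99.0.2 255.255.255.0
!
end
"""


def parse_svis(config: str) -> dict:
    """Return {vlan_id: {"ip": address-or-None, "shutdown": bool}} per SVI stanza.

    IOS indents sub-commands with a leading space; a non-indented line
    ('!' , 'end', or the next global command) closes the current stanza.
    """
    svis = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface Vlan(\d+)$", line)
        if m:
            current = int(m.group(1))
            svis[current] = {"ip": None, "shutdown": False}
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None
            continue
        cmd = line.strip()
        m = re.match(r"^ip address (\S+) (\S+)$", cmd)
        if m:
            svis[current]["ip"] = m.group(1)
        elif cmd == "shutdown":
            svis[current]["shutdown"] = True
    return svis


def has_ip_routing(config: str) -> bool:
    """True if the switch is configured to route between its SVIs at all."""
    return any(l.strip() == "ip routing" for l in config.splitlines())


def find_bypass_svis(config: str, protected=PROTECTED_VLANS) -> list:
    """Protected VLANs with a live (addressed, not shut down) SVI: the bypass case."""
    svis = parse_svis(config)
    return sorted(v for v, s in svis.items()
                  if v in protected and s["ip"] and not s["shutdown"])


def find_staged_svis(config: str, protected=PROTECTED_VLANS) -> list:
    """Protected VLANs whose SVI is addressed but shut down: one 'no shutdown' away."""
    svis = parse_svis(config)
    return sorted(v for v, s in svis.items()
                  if v in protected and s["ip"] and s["shutdown"])


def audit(config: str, protected=PROTECTED_VLANS) -> dict:
    """Summarise the three findings a reviewer would want from one config pull."""
    return {
        "ip_routing": has_ip_routing(config),
        "live_bypass": find_bypass_svis(config, protected),
        "staged": find_staged_svis(config, protected),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the constructed config it reports VLAN 10 as routed on the switch and VLAN 30 as staged; VLAN 99 is ignored because it is not in the protected set. Because the same administrator can edit the config and clear the logs, the value of a check like this depends on where the config comes from: pull it on a schedule into a store the switch admin cannot write to and diff it there, rather than trusting what the switch reports about itself.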