If I understand what you're describing, it sounds like you've pretty well
bypassed the firewall.  As a general comment, it seems pointless to have a
firewall if you're not going to utilize it with sound network security
design.
I think I understand what you're trying to do, but you may want to rethink
the reasoning.
Your VLANs (on the same devices) are a very thin security veil between
the trusted and untrusted networks.  Without a net diagram, we can only
speculate.  But, I'm guessing that the most secure you can be with this
physical config is to pin strong ACLs to the outside interfaces of the 3640
access routers.  You could also pin ACLs to the VLAN interfaces to filter
unwanted traffic.  What kind of capability do these switches have?  Have you
considered the IOS firewall ( CBAC ) for the edge routers?

I think a tech support call to your firewall vendor may be an eye-opening
experience.  Send them a diagram of what you've got and see if it's a
network design scenario that they support.  I assume the 2 3640s are being
used redundantly with HSRP?  If so, why not consider a second, redundant
firewall and place them both in-line between the edge routers and the
internal LANs?

                HTH,  Bob McIntire
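To make the "strong ACLs on the outside interfaces" plus IOS Firewall (CBAC) suggestion concrete, here is an added configuration sketch for one of the 3640 edge routers; it is not from anyone in this thread, and the interface name, the 192.0.2.0/24 inside prefix and the two server addresses are assumed placeholders.

```cisco
! Added example (not from the thread): IOS Firewall baseline for a 3640 edge router.
! Assumed: FastEthernet0/0 is the outside interface, 192.0.2.0/24 is the
! inside prefix, .10 and .11 are the only hosts exposed through the firewall.
!
! Inbound ACL on the outside interface: drop spoofed sources (RFC 1918,
! loopback and our own inside prefix), permit only the services the
! firewall is expected to see, deny and log everything else.
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit tcp any host 192.0.2.10 eq 25
 permit tcp any host 192.0.2.11 eq 443
 deny   ip any any log
!
! CBAC: inspect sessions leaving via the outside interface and open the
! matching return traffic dynamically, so OUTSIDE-IN never needs a blanket
! "permit tcp any any established".
ip inspect name EDGE-FW tcp
ip inspect name EDGE-FW udp
ip inspect name EDGE-FW ftp
ip inspect audit-trail
!
interface FastEthernet0/0
 description Outside (assumed name) - link toward the upstream provider
 ip access-group OUTSIDE-IN in
 ip inspect EDGE-FW out
 no ip redirects
 no ip proxy-arp
 no cdp enable
```

The "log" keywords and "ip inspect audit-trail" are what let you see, on the router itself, whether anything unexpected is reaching the 'unsecure' VLAN ports before it ever touches the firewall.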


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Craig Columbus
Sent: Tuesday, June 04, 2002 9:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Security hazard?? [7:45731]


Do I understand you correctly that your 6808s have both internal (secure)
and external (unsecure) traffic on them, separated only by VLAN?

At 09:30 PM 6/3/2002 -0400, you wrote:
>All,
>
>We have two 3640s and two Extreme Black Diamond 6808s (aka 6509s).
>The two 3640s are doing IBGP between them on each of their eth0s.  I
>have created a vlan on the Extremes called 'unsecure' (there are only 2
>ports on each Extreme in this vlan... one coming in from the 3640 and
>the other going into the firewall).  I am getting some complaints from
>the 'uppers' that bringing the 3640s into the Extremes is a security
>hazard.
>
>I am sure someone is now working on a way to hack from one vlan to the
>next, but for now, I don't see the difference between putting a hub in
>there and using a couple of ports on these monster
>'almost-never-go-down' switches.  I just don't want another unmanaged
>piece of equipment in the flow.
>
>Has anyone ever heard of this being a leak?  I worked in a datacenter
>before and this is what we did with 6509s and we didn't blink!  I know
>these are Extreme switches... which is probably taboo in the group, but
>I am pretty sure this would be platform independent... right????
>
>Thanks,
>
>bk

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45756&t=45731