"Chris Watson" wrote in message news:[EMAIL PROTECTED]...
> I am planning on doing a dual Checkpoint to dual Cat install. The Nokia FW
> will be running two instances of VRRP each with dual home to the Cats.
>
> 2) What issues/problems/concerns should I keep an eye out for?
You might want to re-consider your infrastructure. There are many attacks that will allow easy subversion of your firewalls. See these papers for some Catalyst configuration advice that prevents some of these attacks:

http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
http://www.securite.org/presentations/secip/
http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

It's nice to note that even if you do "set trunk off" on all ports (or "switchport mode access" under switch IOS), any would-be attacker can just send a doubly encapsulated frame with tagged Ethernet (although you can prevent this from travelling between switches by using different native VLANs on the trunks on each switch pair). Now you still need to worry about the VRRP-based attacks, VTP attacks, forced switch flooding, ARP spoofing, etc. etc.

You're better off securing your hosts than using firewalls. If a single host gets owned, you blow up your whole trust domain, and allow for about a billion different types of covert channels. You can and should configure ways around these covert channels if you want a more secure network.

However, the real problem is that the firewall should be considered a separate model of trust (terminology taken from RFC 2196), and should not rely on the same underlying models of trust (two switches that create the same network, and have access to those networks) for its security. Consider using four switches, and have the inside VRRP on one pair, and the outside VRRP on the other pair.
It is my suggestion that you read the following sources of information before architecting or designing network security infrastructures:

http://www.auscert.org.au/Information/Auscert_info/Papers/Security_Domains.html
http://www.ietf.org/rfc/rfc1135.txt
http://www.ietf.org/rfc/rfc2196.txt
http://www.ietf.org/internet-drafts/draft-dattathrani-tcp-ip-security-00.txt
http://www.watersprings.org/pub/id/draft-ietf-ipsec-secconf-00.txt (apply the same concepts for configuring IPsec devices to any secure host, network device, firewall, etc.)
http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-030.html

-dre

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58944&t=58934
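The double-tagging ("doubly encapsulated frame") hop that dre's reply describes, and the native-VLAN mitigation he mentions, as an added worked example that is not part of the original thread. It builds real 802.1Q frame bytes and runs them through a deliberately simplified model of two Catalysts joined by a trunk: the MAC addresses, VLAN numbers, and the access/trunk forwarding rules are constructed assumptions for illustration (real platforms differ in how they treat tagged frames arriving on access ports), and `deliver_vlan` is a helper invented here, not a switch or vendor API.

```python
"""Model of 802.1Q double-tagging across a trunk, and why the native VLAN matters.
Added example, not from the original post. Frame contents, MACs, VLAN numbers and
the switch forwarding rules below are constructed simplifications."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

ATTACKER_MAC = bytes.fromhex("02000000aa01")  # constructed, locally administered
VICTIM_MAC = bytes.fromhex("02000000bb02")    # constructed, locally administered


def build_tagged_frame(dst, src, vids, payload):
    """Ethernet frame carrying one 802.1Q tag per entry in vids, outermost first."""
    hdr = dst + src
    for vid in vids:
        # TPID 0x8100 followed by the TCI: 3-bit PCP, 1-bit DEI, 12-bit VID (PCP/DEI zero)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def read_tag(frame):
    """Return (vid, frame with the outer tag removed), or (None, frame) if untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert an 802.1Q tag directly after the source MAC."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame, access_vlan):
    """Switch 1 access port (assumed rule): untagged frames and frames tagged with
    the port's own VLAN are accepted into that VLAN with the tag stripped;
    anything else is dropped. Returns (vlan, frame) or (None, None)."""
    vid, inner = read_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Switch 1 trunk egress: native-VLAN traffic leaves untagged unless the
    trunk is configured to tag the native VLAN; everything else gets a tag."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2 trunk ingress: a tag selects the VLAN; untagged means native."""
    vid, inner = read_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, inner


def deliver_vlan(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """VLAN in which switch 2 delivers an attacker frame tagged
    [attacker_vlan, target_vlan]; None if switch 1 drops it on ingress."""
    frame = build_tagged_frame(VICTIM_MAC, ATTACKER_MAC,
                               [attacker_vlan, target_vlan], b"\x45" + b"\x00" * 19)
    vlan, f = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, f, native_vlan, tag_native)
    vlan2, _ = trunk_ingress(on_wire, native_vlan)
    return vlan2


if __name__ == "__main__":
    # Attacker sits on VLAN 1, which is also the trunk's native VLAN: the outer
    # tag is stripped, the frame crosses the trunk untagged, and switch 2 honours
    # the inner tag, so the frame lands in VLAN 20.
    print("native=1            ->", deliver_vlan(1, 20, 1))
    # Unused native VLAN on the trunk: switch 1 re-tags the frame with VLAN 1.
    print("native=999          ->", deliver_vlan(1, 20, 999))
    # Tagging the native VLAN has the same effect.
    print("native=1, tagged    ->", deliver_vlan(1, 20, 1, tag_native=True))
```

The hop only works when the attacker's access VLAN equals the native VLAN of the trunk the frame will cross, which is why the post recommends native VLANs that differ from anything an end host sits in; on IOS that is `switchport trunk native vlan <unused-id>` on the trunk, optionally with the global `vlan dot1q tag native` so native traffic is tagged too.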

