I will assume that I was not clear enough.
We are planning on deploying two Cat 4550's into the core with 2 + 2 NCPFW1
as the egress and ingress to the big I.
 --------          --------          ---------
 |  cat |  =====  | ncpfw1| ------ | ncpfw1 |
 --------   \  /   --------   \  /   ---------
              \/                \/
              /\                /\
 --------   /  \   --------   /  \   ---------
 |  cat |  _____  | ncpfw1| ------ | ncpfw1 |
 --------          --------          ---------
=== is VRRP 1
___ is VRRP 2
We are planning to use dual-homed connections between the boxes and dual
instances of VRRP.
1) What, if any, issues were present with presenting the cats single VRRP
Mac Addies with two physical interfaces?
2) We may be considering routing as well - What issues with VRRP and routing
to the Cats with dual homing have you seen?
Feel free to call me as well.
Chris 'Doc' Watson, CCNP
Armstrong World Industries
717-396-4005
"dre" wrote in message news:[EMAIL PROTECTED]...
> "Chris Watson" wrote in message news:[EMAIL PROTECTED]...
> > I am planning on doing a dual Checkpoint to dual Cat install. The Nokia FW
> > will be running two instances of VRRP each with dual home to the Cats.
> >
> > 2) What issues/problems/concerns should I keep an eye out for?
>
> You might want to re-consider your infrastructure. There are
> many attacks that will allow easy subversion of your firewalls.
> See these papers for some Catalyst configuration advice that
> prevents some of these attacks:
> http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
> http://www.securite.org/presentations/secip/
>
> http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
>
> It's nice to note that even if you do "set trunk off" on all ports (or
> "switchport mode access" under switch IOS), any would-be
> attacker can just send a doubly encapsulated frame with tagged
> Ethernet (although you can prevent this from travelling between
> switches by using different native vlans on the trunks on each
> switch pair). Now you still need to worry about the vrrp based
> attacks, vtp attacks, forced switch flooding, arp spoofing, etc etc.
>
> You're better off securing your hosts than using firewalls. If a
> single host gets owned, you blow up your whole trust domain, and
> allow for about a billion different types of covert channels. You
> can and should configure ways around these covert channels if
> you want a more secure network. However, the real problem
> is that the firewall should be considered a separate model of
> trust (terminology taken from RFC 2196), and should not rely
> on the same underlying models of trust (two switches that create
> the same network, and have access to those networks) for its
> security. Consider using four switches, and have the inside
> vrrp on one pair, and the outside vrrp on the other pair.
>
> It is my suggestion that you read the following sources of
> information before architecting or designing network security
> infrastructures:
>
>
> http://www.auscert.org.au/Information/Auscert_info/Papers/Security_Domains.html
> http://www.ietf.org/rfc/rfc1135.txt
> http://www.ietf.org/rfc/rfc2196.txt
>
> http://www.ietf.org/internet-drafts/draft-dattathrani-tcp-ip-security-00.txt
> http://www.watersprings.org/pub/id/draft-ietf-ipsec-secconf-00.txt
> (apply the same concepts for configuring IPsec devices to any
> secure host, network device, firewall, etc)
> http://www.radium.ncsc.mil/tpep/library/rainbow/NCSC-TG-030.html
>
> -dre
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59071&t=58934
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
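The doubly encapsulated (stacked 802.1Q tag) frames dre mentions only cross a trunk when the outer tag matches that trunk's native VLAN, which is why giving each trunk a distinct native VLAN blocks them. The following detector, added here as an example and not code from either poster, walks the tag stack of a captured Ethernet II frame and flags frames whose outer tag equals the trunk's native VLAN; `build_frame` only constructs sample input for the checks, and the MAC addresses and native VLAN numbers are made up.

```python
import struct

# Tag ethertypes: 802.1Q, 802.1ad (QinQ) and the older 0x9100 provider tag.
TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids_outer_to_inner, payload_ethertype) for an Ethernet II frame.

    Walks every stacked tag that follows the 12-byte destination/source MAC header."""
    offset = 12
    vids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_ETHERTYPES:
            return vids, ethertype          # reached the real payload ethertype
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        vids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VLAN ID


def classify_frame(frame: bytes, native_vlan: int) -> str:
    """Label a frame seen on a trunk whose native VLAN is native_vlan.

    A double-tagged frame whose outer tag is the native VLAN is the case the
    distinct-native-VLAN mitigation exists for: the outer tag would be stripped
    and the inner tag would then select a VLAN the sender is not a member of."""
    vids, _ = parse_vlan_tags(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        return "double-tagged, outer tag is native VLAN: hop candidate"
    if len(vids) >= 2:
        return "double-tagged"
    if len(vids) == 1:
        return "single-tagged"
    return "untagged"


def build_frame(vids, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame (broadcast dst, made-up src MAC, IPv4 payload)."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0200c0ffee01")
    tags = b"".join(struct.pack("!HH", 0x8100, v & 0x0FFF) for v in vids)
    return hdr + tags + struct.pack("!H", 0x0800) + payload
```

Run it over frames captured with a SPAN port or tcpdump and alert on the "hop candidate" label for each trunk's configured native VLAN.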