>It is a semi-Firewall related question.
This question isn't semi-firewall related, it's *entirely* firewall related.
Firewall admins can't sit in their box and ignore the surrounding network
infrastructure. When you consider total security, you have to consider every
point in the communications chain. This includes the architecture of the
perimeter (or in your case, extranet) network.
>A firewall for the Extranet allows, say, 10 vendors or contractors to connect
>to it. There are two options that we can think of:
>
>Option 1:
>Have 10 NICs in the firewall. This option is clumsy, but it is secure in
>the sense that competitive suppliers cannot sniff each other's data.
>
This is entirely possible. Your competitive suppliers would have to first
compromise your firewall before mounting attacks on each other.
>Option 2:
>A smarter approach, one says. Have an intelligent switch connecting to a
>NIC in the firewall. Each port of the switch is isolated, a VLAN approach.
>Competitive suppliers cannot "peer" into each other's data.
>
>Being a non-router/switch guy, how can I configure and secure the switch?
>I have also heard a router guru mention that, in order to provide
>security, we should not use an intelligent switch, as someone who connects to
>the console of a switch can sniff the packets.
You could purchase a switch with IP routing functionality (e.g. Cisco Catalyst
with RSM module, other vendors have comparable offerings I'm sure). Create one
network (VLAN) for each of your suppliers, using unique and separate network
numbers. Route each VLAN to your firewall's external interface. Configure access
lists on the switch/router such that one VLAN cannot talk to another; the only
permissible communications should be between each VLAN and the firewall's
exterior interface.
When you say "intelligent switch" I assume you mean a switch with some
IP-addressed supervisor functionality. Those functions can usually be disabled
or access-control restricted. It's a risk, but an extremely minor one at best.
One important question you should ask: to what extent are *you* responsible for
your suppliers' security? Is there a contractual agreement, or are you just
trying to be a nice guy? At any rate, your suppliers should be taking their own
security measures at their end, with their own firewalls and routers and access
lists. If your supplier doesn't even take their own security seriously, what
leads you to believe that they care about yours?
Regards,
Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.
#include <std.disclaimer.h>
My opinions are completely my own and based on no useful knowledge whatsoever,
and in fact should not be considered by anyone.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
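The per-supplier VLAN and access-list layout described in the reply above, written out as an added example in classic Cisco IOS syntax (the kind an RSM or other IOS-based routing switch accepts). This is not configuration from the original post or from Cisco documentation; the VLAN numbers, the supplier names, the 10.11.0.0/24 and 10.12.0.0/24 supplier ranges, the 192.0.2.0/24 firewall-side range, the firewall's exterior address 192.0.2.1 and the management host 192.0.2.10 are all assumed for illustration. Two suppliers are shown; each additional supplier gets its own VLAN, interface and access list following the same pattern.

```cisco
! Added example, not from the original post. Assumed addressing:
!   VLAN 100  192.0.2.0/24   firewall exterior interface is 192.0.2.1
!   VLAN 11   10.11.0.0/24   Supplier A
!   VLAN 12   10.12.0.0/24   Supplier B
!
! One routed interface per supplier VLAN. The inbound access list on each
! supplier interface permits traffic only toward the firewall's exterior
! address, so supplier-to-supplier traffic is dropped at the routing switch
! before it can reach another VLAN. Only packets sourced from the supplier's
! own range are permitted, which also blocks address spoofing from that VLAN.
!
interface Vlan100
 description Link to firewall exterior interface
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan11
 description Supplier A
 ip address 10.11.0.1 255.255.255.0
 ip access-group SUPPLIER-A-IN in
!
interface Vlan12
 description Supplier B
 ip address 10.12.0.1 255.255.255.0
 ip access-group SUPPLIER-B-IN in
!
ip access-list extended SUPPLIER-A-IN
 permit ip 10.11.0.0 0.0.0.255 host 192.0.2.1
 deny   ip any any log
!
ip access-list extended SUPPLIER-B-IN
 permit ip 10.12.0.0 0.0.0.255 host 192.0.2.1
 deny   ip any any log
!
! Management plane: the "intelligent" part the router guru worried about.
! Turn off the web interface and restrict the virtual terminal lines to one
! management host. "transport input ssh" assumes an SSH-capable IOS image;
! on an image without SSH, use "transport input none" and manage the switch
! from the console only.
!
no ip http server
ip access-list standard MGMT-HOSTS
 permit host 192.0.2.10
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The explicit `deny ip any any log` at the end of each supplier list is equivalent to the implicit deny but records every cross-VLAN or spoofed attempt, which is the evidence you would want if a supplier ever claims another was probing them. Return traffic from the firewall enters on Vlan100 and is not filtered in this fragment; the firewall's own rule base decides what it sends back toward each supplier range. The console port remains physically privileged, so it belongs in a locked cabinet regardless of how the management plane is configured.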