Dear All:
I have been getting a number of off-list replies to my query and have been
responding to them likewise. I therefore thought that I should post a
summary of information discussed to the list.
Kyle Haugsness provided references of a number of switch vulnerabilities.
Richard Taylor gave this published reference:
Building Internet Firewalls, 2nd Edition, Elizabeth D. Zwicky, Simon
Cooper, & D. Brent Chapman, O'Reilly & Associates, Page 101
"You should not rely on VLANs to provide strong, secure separation between
networks"
"they provide a small measure of increased security over a plain switched"
Michael Hamelin also provided references to switch vulnerabilities. He
also wrote, "I have serious reservations about trusting a VLAN outside the
Firewall."
In replying to these individuals, I stated my views:
"In most of the diagrams that I have seen, the physical connectivity is
usually stylized and never actually shows details down to the actual
switches, hubs, or cables (10base-T, baseband, broadband, etc.) that
compose the logical LAN segments. In addition, the switch vendors (e.g.,
Cisco, 3Com, ...) will all tell you that it is "safe" to use a single
intelligent switch configured with logically isolated VLANs to build such
an architecture. Since I started in information security at a defense
contractor, I tend to adhere to the belief that individual physical
segments are the best way to ensure that the two security domains will
remain safely isolated in the event of an equipment failure in the device
providing the interconnection."
"My concern ... stems from the rare situation when the switch fails in such
a way as to lose its configuration. Almost every network device (e.g.,
switch, router, ...) that I have seen will default to all ports open (i.e.,
a bridged configuration) in such situations. Only purpose built firewalls
are normally designed to forbid all traffic if they were to fail the same way."
In summation, at this time it appears that the consensus is: Connecting
both the external and internal ports of a firewall to a single switch is an
architectural approach that does not represent "best practice."
I can only hope that:
(1) The switch vendors work to rectify the vulnerability to the
satisfaction of an independent, third party review acceptable to the industry.
(2) That the authors of firewall books, such as those by Cheswick &
Bellovin, Goncalves & Brown, and Zwicky, Cooper, & Chapman, add a
discussion on this matter the next time their books are revised. (If any
of these authors are monitoring this list, I'd love to hear your comments
about this.)
Respectfully,
Marc Mandel
[EMAIL PROTECTED]
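An added check to go with the summary above; it is not code from Marc's message or from any of the replies he quotes. It audits an IOS-style switch configuration (the sample config below is constructed for the demonstration) and reports the layout the thread concludes against: both the firewall's inside and outside VLANs configured on one device, trunk ports that carry both, ports left in default VLAN 1, and trunks with no allowed-vlan list. The parser, the assumption that an unconfigured port sits in VLAN 1 as an access port, and the decision to handle only the plain "switchport trunk allowed vlan a,b-c" form are my own assumptions, not anything the thread states. Note what the check cannot do: it finds the anti-pattern, but it does nothing about the failure mode Marc describes (a switch that loses its configuration and bridges every port). The remedy for that, per the consensus he reports, is separate physical segments, not a cleaner VLAN table.

```python
"""Added example (not from the original post): audit an IOS-style switch
config for the single-switch firewall layout the thread argues against.
Assumptions: Cisco IOS syntax with one-space indented interface sub-commands;
an unconfigured port is treated as an access port in default VLAN 1."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample config for this demonstration, not a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 switchport mode trunk
!
"""


@dataclass
class Port:
    name: str
    mode: str = ""                        # "access", "trunk" or "" if unset
    access_vlan: Optional[int] = None     # None = implicit default VLAN 1
    allowed_vlans: Optional[set] = None   # None on a trunk = every VLAN


def expand_vlans(spec: str) -> set:
    """Expand an IOS VLAN list such as "10,20-22,30" into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> list:
    """Collect per-port switchport settings from the interface blocks."""
    ports, current = [], None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = Port(name=raw.split(None, 1)[1].strip())
            ports.append(current)
            continue
        if not raw.startswith(" "):       # "!" or a global command ends the block
            current = None
            continue
        if current is None:
            continue
        cmd = raw.strip()
        if cmd == "switchport mode access":
            current.mode = "access"
        elif cmd == "switchport mode trunk":
            current.mode = "trunk"
        elif cmd.startswith("switchport access vlan "):
            current.access_vlan = int(cmd.split()[-1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            # Only the plain list form is handled (assumption): no add/remove/except.
            current.allowed_vlans = expand_vlans(cmd.split(None, 4)[4])
    return ports


def port_vlans(port: Port) -> Optional[set]:
    """VLANs a port can carry; None means all of them (unrestricted trunk)."""
    if port.mode == "trunk":
        return port.allowed_vlans
    return {port.access_vlan if port.access_vlan is not None else 1}


def audit_switch_config(text: str, inside_vlan: int, outside_vlan: int) -> dict:
    """single_switch: both firewall sides are configured on this one device;
    shared_ports: ports able to carry inside and outside traffic at once;
    default_vlan_ports: ports silently left in VLAN 1;
    unrestricted_trunks: trunks with no allowed list, so they carry everything."""
    both = {inside_vlan, outside_vlan}
    seen, shared, default_vlan, unrestricted = set(), [], [], []
    for port in parse_config(text):
        vlans = port_vlans(port)
        if port.mode == "trunk" and vlans is None:
            unrestricted.append(port.name)
            shared.append(port.name)       # carries every VLAN, so both domains
            continue
        if port.mode != "trunk" and port.access_vlan is None:
            default_vlan.append(port.name)
        seen |= vlans & both
        if both <= vlans:
            shared.append(port.name)
    return {"single_switch": seen == both, "shared_ports": shared,
            "default_vlan_ports": default_vlan, "unrestricted_trunks": unrestricted}


if __name__ == "__main__":
    for key, value in audit_switch_config(SAMPLE_CONFIG, 20, 10).items():
        print(f"{key:20} {value}")
```

Run it against a real configuration by reading the file into `audit_switch_config` with the VLAN numbers of the firewall's two interfaces; a `single_switch` result of True is the finding the thread says should not appear in a "best practice" design, and the remaining lists show where the two domains are already one hop from sharing a wire even before any equipment failure.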
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]