Actually this is not true. I have done multiple Visio and other types of
network diagrams, down to the port level and all the way up to the 30,000
foot level. It takes a while not only to understand how to draw one, but
to make one decipherable by the masses.
/mark
At 01:59 PM 10/10/00 -0400, Marc E. Mandel wrote:
>Dear All:
>
>I have been getting a number of off-list replies to my query and have been
>responding to them likewise. I therefore thought that I should post a
>summary of information discussed to the list.
>
>Kyle Haugsness provided references of a number of switch vulnerabilities.
>
>Richard Taylor gave this published reference:
>Building Internet Firewalls, 2nd Edition, Elizabeth D. Zwicky, Simon
>Cooper, & D. Brent Chapman, O'Reilly & Associates, Page 101
>"You should not rely on VLANs to provide strong, secure separation between
>networks"
>"they provide a small measure of increased security over a plain switched"
>
>Michael Hamelin also provided references to switch vulnerabilities. He
>also wrote, "I have serious reservations about trusting a VLAN outside the
>Firewall."
>
>In replying to these individuals, I stated my views:
>"In most of the diagrams that I have seen, the physical connectivity is
>usually stylized and never actually shows details down to the actual
>switches, hubs, or cables (10base-T, baseband, broadband, etc.) that
>compose the logical LAN segments. In addition, the switch vendors (e.g.,
>Cisco, 3Com, ...) will all tell you that it is "safe" to use a single
>intelligent switch configured with logically isolated VLANs to build such
>an architecture. Since I started in information security at a defense
>contractor, I tend to adhere to the belief that individual physical
>segments are the best way to ensure that the two security domains will
>remain safely isolated in the event of an equipment failure in the device
>providing the interconnection."
>"My concern ... stems from the rare situation when the switch fails in
>such a way as to lose its configuration. Almost every network device
>(e.g., switch, router, ...) that I have seen will default to all ports
>open (i.e., a bridged configuration) in such situations. Only purpose
>built firewalls are normally designed to forbid all traffic if they were
>to fail the same way."
>
>In summation, at this time it appears that the consensus is: Connecting
>both the external and internal ports of a firewall to a single switch is
>an architectural approach that does not represent "best practice."
>
>I can only hope that:
>(1) The switch vendors work to rectify the vulnerability to the
>satisfaction of an independent, third party review acceptable to the industry.
>(2) That the authors of firewall books, such as those by Cheswick &
>Bellovin, Goncalves & Brown, and Zwicky, Cooper, & Chapman, add a
>discussion on this matter the next time their books are revised. (If any
>of these authors are monitoring this list, I'd love to hear your comments
>about this.)
>
>Respectfully,
>
>Marc Mandel
>[EMAIL PROTECTED]
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
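The failure mode Marc Mandel describes (a switch that loses its configuration and falls back to an all-ports-bridged state) is easy to reason about on paper and easy to miss in an audit. The following is an added example, not code from any poster on this thread or from any switch vendor: it parses a constructed Cisco IOS-style switch configuration, flags the "both firewall legs on one switch" pattern the thread calls not best practice, and then models the configuration-loss case by resetting every port to factory defaults and re-running the same checks. The sample config text, the choice of VLAN 1 as the factory-default access VLAN, and the assumption that the operator knows from the cabling which ports carry the firewall's outside and inside legs are all assumptions of this example, not facts from the thread.

```python
"""Added example for the VLAN-separation thread; not any poster's or vendor's code.

Parses a constructed IOS-style config, audits the firewall's two legs, then
models the switch losing its configuration (every port back to access mode
in the default VLAN) and audits again. VLAN 1 as the factory default and
the sample config text are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

DEFAULT_VLAN = 1  # assumed factory-default access VLAN for an unconfigured port

# Constructed sample, not a capture from a real switch.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description FW-OUTSIDE
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description FW-INSIDE
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/3
 description UPLINK
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30-32
!
interface GigabitEthernet0/4
 description SPARE
!
"""


@dataclass
class Port:
    name: str
    description: str = ""
    mode: str = "access"
    access_vlan: int = DEFAULT_VLAN
    trunk_vlans: set = field(default_factory=set)  # empty = every VLAN allowed


def expand_vlan_list(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text):
    """Collect per-interface switchport settings; unset fields keep defaults."""
    ports, cur = {}, None
    for raw in text.splitlines():
        if not raw.startswith(" "):  # column 0: a new block or a '!' separator
            m = re.match(r"interface (\S+)$", raw)
            cur = ports.setdefault(m.group(1), Port(m.group(1))) if m else None
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("description "):
            cur.description = line.split(None, 1)[1]
        elif line.startswith("switchport mode "):
            cur.mode = line.rsplit(None, 1)[1]
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur.trunk_vlans = expand_vlan_list(line.rsplit(None, 1)[1])
    return ports


def audit(ports, outside, inside):
    """Return (code, detail) findings for the firewall legs named by port."""
    out, ins = ports.get(outside), ports.get(inside)
    findings = []
    if out is None or ins is None:
        return findings  # legs are not both on this switch: nothing to flag here
    findings.append(("SAME-SWITCH", "%s and %s share one device" % (out.name, ins.name)))
    if out.access_vlan == ins.access_vlan:
        findings.append(("SHARED-VLAN", "both legs in VLAN %d: firewall bypassed" % out.access_vlan))
    for leg in (out, ins):
        if leg.access_vlan == DEFAULT_VLAN:
            findings.append(("DEFAULT-VLAN", "%s shares VLAN %d with every unconfigured port"
                             % (leg.name, DEFAULT_VLAN)))
    both = {out.access_vlan, ins.access_vlan}
    for p in ports.values():
        if p.mode == "trunk" and (not p.trunk_vlans or both <= p.trunk_vlans):
            findings.append(("TRUNK-BOTH", "%s carries both firewall VLANs off the switch" % p.name))
    return findings


def lose_configuration(ports):
    """Model the thread's failure: same ports, every setting back to default."""
    return {name: Port(name) for name in ports}


if __name__ == "__main__":
    switch = parse_config(SAMPLE_CONFIG)
    for label, cfg in (("as configured", switch), ("after config loss", lose_configuration(switch))):
        print(label)
        for code, detail in audit(cfg, "GigabitEthernet0/1", "GigabitEthernet0/2"):
            print("  %-12s %s" % (code, detail))
```

Run as configured, the audit reports only that both legs sit on one switch and that the uplink trunk carries both VLANs; after the modelled configuration loss it also reports that both legs now share VLAN 1, which is exactly the bridged state the thread warns about. A purpose-built firewall would fail closed in the same scenario; the switch does not.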