I trunk my SPlat FW clusters today with a few Cisco switch stacks.  Here
are some additional considerations:

FWs are generally placed into your network topology in such a manner
that the FW is the *only* physical path between two or more security
zones.  When you trunk with a switch, you could be bringing two or more
distinct security zones together onto the same physical switch or
router.

VLANs are generally considered not to be good security constructs (I
would argue this).  The root of this conventional thinking springs from
the ability - under very well-defined situations - for a client to
manufacture frames that can hop to a different VLAN.  According to tests
conducted by SANS, however, the client would require access to an actual
trunk port, or access to an access-mode port assigned to a VLAN that is
also used as the native VLAN for a trunk port on the same switch (or
switch stack).

Both cases represent poor network design in general.  Here are a few
simple guidelines to trunk safely with your FWs:

- Disable trunk negotiation on the switch, and hardcode to 802.1Q.

- Designate an otherwise-unused VLAN for your native VLAN, and do not
give your FW or switch an interface on this VLAN (i.e. don't IP that
sub-interface).

- Don't use VLAN 1.  At least for Cisco devices, there is critical
inter-switch communication (e.g. CDP and other multicast) that can only
use VLAN 1.  Why compete with or expose this traffic?  Again, neither
the switch nor your FWs need an interface on this VLAN.

- Try to only group identical security zones on the same switch (e.g. ISP
VLANs can safely be located on the same switch [see the next
guideline]).

- If you can't dedicate separate hardware to every security zone, you
could group similar security zones on the same switch.  For example, I
consider it fine to place public VLANs and the DMZ on the same switch.
If someone were able to pass traffic between those VLANs, the attacker
is still on my public perimeter.

- If you have a choke design (where the inside legs of your public FWs
connect to the outside legs of your extranet FWs), you should probably
place that security zone on its own switch (not grouped with public
VLANs, nor private, but perhaps business partner VLANs could live there,
depending on your design and hardware availability).

FWIW...

 
daverow
CCNA, MCSE, CCSA
Manager, Networks and Security
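
As an added example (not from daverow's post, and not a Check Point or
Cisco tool), here is a small Python audit that reads an IOS-style
running-config and flags trunk ports that break the guidelines above.
The config it parses is constructed for illustration; the interface
names and addresses are made up.  Gi1/0/1 shows the commands that
implement the guidelines (switchport mode trunk, switchport nonegotiate,
switchport trunk encapsulation dot1q, switchport trunk native vlan 999);
Gi1/0/2 and Gi1/0/3 together reproduce the exposure the SANS tests
describe, an access port sitting in a trunk's native VLAN.

```python
"""Audit an IOS-style running-config against the trunking guidelines in the
post above: hard-coded 802.1Q, DTP off, a native VLAN that is neither VLAN 1
nor routed nor used by any access port, and no IP address on VLAN 1."""
import re

# Constructed sample config, not captured from any real switch.  Gi1/0/1 is a
# compliant trunk to the firewall; Gi1/0/2 and Gi1/0/3 break the guidelines.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan10
 ip address 192.0.2.129 255.255.255.128
!
interface GigabitEthernet1/0/1
 description trunk to firewall cluster member A
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description trunk to distribution switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 switchport mode access
!
"""

def parse_interfaces(config):
    """Split an IOS config into {interface name: [its indented lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:                      # '!' or any other global-mode command
            current = None
    return interfaces

def _arg(lines, cmd):
    """Argument of the first line that is cmd or 'cmd ...'; None if absent."""
    for line in lines:
        if line == cmd or line.startswith(cmd + " "):
            return line[len(cmd):].strip()
    return None

def audit_trunking(config):
    """Return (interface, code, message) findings in config order."""
    findings, routed_vlans, native_of, access_of = [], set(), {}, {}
    for name, lines in parse_interfaces(config).items():
        svi = re.fullmatch(r"[Vv]lan(\d+)", name)
        if svi:
            vid = int(svi.group(1))
            if _arg(lines, "ip address") is not None:
                routed_vlans.add(vid)
                if vid == 1:
                    findings.append((name, "VLAN1_ROUTED",
                                     "VLAN 1 has an IP address; keep the switch off VLAN 1"))
            continue
        mode = _arg(lines, "switchport mode") or ""
        if mode == "access":
            access_of[name] = int(_arg(lines, "switchport access vlan") or 1)
            continue
        if mode != "trunk" and not mode.startswith("dynamic"):
            continue               # routed port or unconfigured: not a trunk
        if mode.startswith("dynamic"):
            findings.append((name, "DTP_ENABLED",
                             "trunk is negotiated (%s); use 'switchport mode trunk'" % mode))
        if _arg(lines, "switchport nonegotiate") is None:
            findings.append((name, "NO_NONEGOTIATE",
                             "DTP frames still sent; add 'switchport nonegotiate'"))
        # Platforms that only speak 802.1Q omit this command; drop the check there.
        if _arg(lines, "switchport trunk encapsulation") != "dot1q":
            findings.append((name, "NOT_DOT1Q", "encapsulation not hard-coded to 802.1Q"))
        native = int(_arg(lines, "switchport trunk native vlan") or 1)  # IOS default
        native_of[name] = native
        if native == 1:
            findings.append((name, "NATIVE_VLAN_1",
                             "native VLAN is 1; pick an otherwise-unused VLAN"))
    # Cross-interface checks: the native VLAN must be otherwise unused.
    for port, native in native_of.items():
        if native in routed_vlans:
            findings.append((port, "NATIVE_VLAN_ROUTED",
                             "native VLAN %d has an IP on interface Vlan%d" % (native, native)))
    for port, vid in access_of.items():
        for trunk, native in native_of.items():
            if vid == native:
                findings.append((port, "ACCESS_IN_NATIVE",
                                 "access port in VLAN %d, the native VLAN of trunk %s; "
                                 "its frames can be double-tagged onto another VLAN" % (vid, trunk)))
    return findings

if __name__ == "__main__":
    for iface, code, msg in audit_trunking(SAMPLE_CONFIG):
        print("%-22s %-19s %s" % (iface, code, msg))
```

Run it against the output of "show running-config" from a switch stack
that carries firewall trunks.  The cross-interface checks are the ones
worth keeping even if you drop the rest: a native VLAN that has an SVI
or an access port anywhere on the stack is not "otherwise unused".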


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Loge VK
Sent: Tuesday, July 26, 2005 1:17 PM
To: [email protected]
Subject: Re: [FW-1] multiple subnets

You need to enable VLAN tagging on the switch side; this will enable
multiple interface subnets on the same port, and on the firewall side
it normally uses the concept of the vconfig command in Linux to create
multiple virtual VLAN interfaces.

On 7/26/05, J Jayavenkatesh <[EMAIL PROTECTED]> wrote:
> All, thanks for the info. But when you have a VLAN-capable switch, you
> will physically be connecting a single interface from the firewall to
> the switch. How could the firewall then interpret that interface as
> two separate subnets? Can you point to any page having info on how to
> configure this?
> 
> regards
> 
> On 7/26/05, Loge VK <[EMAIL PROTECTED]> wrote:
> > I am sure Nortel's ASF and NSF support this using VLANs... you need
> > to have a VLAN-capable switch to make it work.
> >
> > - Loge
> >
> > On 7/25/05, Timothy Arnold <[EMAIL PROTECTED]> wrote:
> > > You can use VLANs to do this! All you would need is a VLAN-capable
> > > switch! They would then appear as separate interfaces inside
> > > Check Point.
> > >
> > > Cheers
> > > Tim
> > >
> > >
> > > ----- Original Message -----
> > > From: "J Jayavenkatesh" <[EMAIL PROTECTED]>
> > > To: <[email protected]>
> > > Sent: Monday, July 25, 2005 10:05 AM
> > > Subject: [FW-1] multiple subnets
> > >
> > >
> > > > Hi,
> > > > Does the Nokia box allow configuring multiple subnets on a single
> > > > interface? For example, configuring two separate address spaces
> > > > on the DMZ interface, like x.x.x.x/28 and y.y.y.y/28.
> > > >
> > > > Thanks in advance.
> > > >
> > > > =================================================
> > > > To set vacation, Out-Of-Office, or away messages,
> > > > send an email to [EMAIL PROTECTED]
> > > > in the BODY of the email add:
> > > > set fw-1-mailinglist nomail
> > > > =================================================
> > > > To unsubscribe from this mailing list,
> > > > please see the instructions at
> > > > http://www.checkpoint.com/services/mailing.html
> > > > =================================================
> > > > If you have any questions on how to change your
> > > > subscription options, email
> > > > [EMAIL PROTECTED]
> > > > =================================================
> > > >
> > >
> 
