VLANing is a good idea: not only does it provide an additional level of security by separating the networks into logical segments, using ACLs to dictate access control, but it also reduces the broadcast domain, increasing performance. VLAN jumping, like most attacks, is only possible if the implementer of the solution does not know the associated risks and the countermeasures to prevent them, which leads to an initial secure configuration. VLAN jumping misuses the ability of Cisco switches to detect newly added switches and the trunking protocol. Disable this feature so that trunks must be defined manually.
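Added example, not from the thread: the Cisco IOS port configuration the reply above describes, with the negotiating default shown beside manually defined, non-negotiating ports. Interface names, VLAN numbers and the encapsulation line are assumptions for a generic Catalyst switch.

```cisco
! Added example. Interface names and VLAN numbers are placeholders.
!
! Weak: the factory default on many older Catalyst ports. The port sends
! DTP frames and will form a trunk with whatever negotiates one, so a new
! "switch" plugged into this port can end up carrying every VLAN.
interface FastEthernet0/10
 switchport mode dynamic desirable
!
! Hardened access port: pinned to one VLAN, DTP negotiation switched off,
! and BPDU guard so a device that starts talking spanning tree on an edge
! port is shut down instead of taking part in the topology.
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunks are defined by hand on the uplinks only, again without DTP, and
! limited to the VLANs that actually need to cross the link.
interface GigabitEthernet0/1
 ! the encapsulation command is only needed on platforms that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
!
! Verify: "Negotiation of Trunking: Off" and the expected operational mode.
show interfaces FastEthernet0/10 switchport
show interfaces GigabitEthernet0/1 switchport
show dtp interface FastEthernet0/10
```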
________________________________
From: Mailing list for discussion of Firewall-1 on behalf of David CALLEBAUT [AEMS Be]
Sent: Fri 10/02/2006 07:27
To: [email protected]
Subject: [FW-1] Common knowledge question

Hi Gurus,

Perhaps a bit off-topic: Can anybody advise me whether using VLAN tagging on Nokia/Checkpoint is a *secure* thing to do? I'm not convinced, but my Cisco colleagues are convinced that using VLANs on Cisco is just as secure as physically splitting up into separate switches. I found some (very old) articles describing VLAN hopping & spanning-tree attacks (dated 2003). Could someone point me to (recent) articles/papers that describe the issues with VLANs?

Thanks in advance,
David Callebaut
www.aemarketsolutions.com

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of David CALLEBAUT [AEMS Be]
Sent: Friday 10 February 2006 7:48
To: [email protected]
Subject: Re: [FW-1] Need help with configuring OSPF on the Nokia to work with Cisco device

Hi Janis/cisco4ng,

To be precise, you can force Nokia NOT to be DR or BDR by setting the "election priority" to 0 in the OSPF configuration page of Voyager. 0 means: never be elected in this case.

David Callebaut

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng
Sent: Thursday 9 February 2006 22:21
To: [email protected]
Subject: Re: [FW-1] Need help with configuring OSPF on the Nokia to work with Cisco device

Hi Janis,

I could be wrong, but I don't think you can control the Nokia NOT to be either a DR or BDR. You can, however, do that with a Cisco router via "ip ospf priority 0" on the interface. You said that you didn't have problems with failover. Well, that's because you did NOT reboot the Active Firewall. Had you rebooted the Active firewall, after the primary firewall comes back online your routes would disappear because the Cisco routers get confused. I currently have a Nokia TAC case opened just for this. We can talk more about it if you like.

The other thing is that the Cisco devices should see ONLY the NOKIA neighbor via its VRRP IP address. In other words, when you do "show ip ospf neighbor" on the Cisco router, it should be neighbor ONLY with the VRRP IP address, NOTHING ELSE. NO physical IP address whatsoever. In IPSO 3.9 or higher, in OSPF you have to enable OSPF for VRRP. Anyway, Nokia acknowledged that it is a problem and they are trying to fix this in a later release of IPSO.

If I am not making any sense, you can contact me offline and we can talk more about this. But it seems to me, and I could be wrong, that you still have problems with OSPF, you just do not know it yet.

regards,
cisco4ng

Janis Myers <[EMAIL PROTECTED]> wrote:

Hi cisco4ng,

As mentioned a long time before, here comes our feedback: We did the installation today with two Nokia IP330s with IPSO 3.9 Build 045 using OSPF and VRRP/Monitored Circuits and four Cisco routers (2 on each firewall side; one router on each side is DR, the Nokias don't become DR or BDR). OSPF works well (the OSPF routing table can be seen on both firewalls). We are able to see the IP address of the physical firewall interface of the active firewall node (VRRP master) in the routing tables of the routers. Switching from one Nokia to the other takes less than 2 seconds. After this time new connections are working fine. Existing connections are broken during the switch, but in the specific customer environment that's acceptable.

Best Regards,
Janis

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
