A few things of varying quality (or lack thereof) come to my mind:
1) If you feel that you need that much security, then using a single switch
for this is probably a bad idea. It's a general belief in the security
community that VLANs provide you a lot less security than the switch
manufacturers would like you to believe. It actually doesn't take that
much work to get packets to jump between VLANs in most cases. Search the
Bugtraq archives for VLAN or 802.1Q and you'll find someone who was able
to use the protocol to jump VLANs on a Cisco switch. I followed this
issue closely for quite some time; the last I heard, Cisco blamed the
802.1Q spec itself rather than a bug in their implementation of it.
2) Last I checked, Checkpoint didn't actually support multiple IPs per
interface. It does work in most cases, but it can cause problems.
You'd probably be the only person in the world to run 200 IPs on the same
interface using Firewall-1. If you used a single class C for all the
systems, then you'd open yourself to gratuitous ARP attacks.
3) Consider the Checkpoint SecuServer software. With that you can enforce
a security policy from the firewall management software onto the
workstations. Not exactly cheap for 200 copies, but it would work. You
might be able to work out some volume discount. Depending on the amount
of traffic you'd be using, you might be able to do SecurClient but you'd
be really limited to the total bandwidth due to the encryption.
4) Consider a cluster of firewalls with a Gigabit backbone running between
them and loading them all up with quad cards. I'm sure more expensive
than option #3, but should be cheaper than an E10K and it would let you do
your original idea of individual VLANs.
5) Do host-based security on each workstation so you don't have to
protect them from each other, or possibly group them in groups of 5. That
way you can limit your exposure to only 4 other systems should one
workstation go bad.
--
Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
Security Engineer Vicinity Corp.
Cell: 408-314-9874 http://www.vicinity.com
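The gratuitous ARP risk in point 2 is easy to see in code. The following is an added example, not part of the original thread or any poster's own code: it models a flat class C shared by many unrelated clients and flags any gratuitous ARP reply that moves an IP address from one MAC to another, which is the symptom a defender would watch for on such a segment. The ARP records are constructed for the example and the field names are assumptions, not the output of any real sniffer.

```python
"""Flag gratuitous-ARP rebindings on a shared subnet.

Added example, not from the original mailing-list thread. On a flat
class C shared by unrelated clients, any host can announce another
host's IP with a gratuitous ARP reply; tracking IP-to-MAC bindings and
alerting when a gratuitous reply changes one is the basic detection.
The sample replies below are constructed; field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float           # capture time (seconds), constructed
    sender_mac: str     # hardware address claimed by the sender
    sender_ip: str      # protocol address claimed by the sender
    target_ip: str      # protocol address the reply is addressed to

    @property
    def gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own address: sender == target.
        return self.sender_ip == self.target_ip


def find_rebindings(replies):
    """Return (ts, ip, old_mac, new_mac) for each gratuitous ARP reply that
    rebinds an IP already learned with a different MAC.

    Bindings are learned from the first reply that mentions an IP; only a
    gratuitous reply is allowed to overwrite a binding, because that is the
    mechanism a host on the shared segment uses to take over an address.
    """
    bindings = {}
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = bindings.get(r.sender_ip)
        if prev is None:
            bindings[r.sender_ip] = r.sender_mac
        elif r.gratuitous and prev != r.sender_mac:
            alerts.append((r.ts, r.sender_ip, prev, r.sender_mac))
            bindings[r.sender_ip] = r.sender_mac
    return alerts


# Constructed sample: two clients announce themselves, one answers the
# router normally, then the second client announces the first one's IP.
SAMPLE = [
    ArpReply(1.0, "00:11:22:aa:aa:aa", "192.0.2.10", "192.0.2.10"),
    ArpReply(2.0, "00:11:22:bb:bb:bb", "192.0.2.20", "192.0.2.20"),
    ArpReply(3.0, "00:11:22:aa:aa:aa", "192.0.2.10", "192.0.2.1"),
    ArpReply(4.0, "00:11:22:bb:bb:bb", "192.0.2.10", "192.0.2.10"),
]

if __name__ == "__main__":
    for ts, ip, old, new in find_rebindings(SAMPLE):
        print(f"t={ts}: {ip} moved from {old} to {new} via gratuitous ARP")
```

The check only works from a vantage point on the same layer-2 segment, which is exactly why putting each client on its own segment (or small group, as in point 5) both limits who can send such a reply and makes the monitoring simpler.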
On Thu, 13 Jul 2000, stcost - Steve Costaras wrote:
> Thanks for the responses that SUN doesn't support 802.1Q on its newer
> hardware. That saves some time, but doesn't make my job much easier.
>
> The point of having the FW support VLANs is to increase security. We
> have/will have several hundred clients; each client will have its own
> segment, and everyone needs to be secured from each other. It would
> be much easier to get a 5500 or a 6500 series switch and configure VLANs
> on that switch and have the FW do all the routing between VLANs in a
> secure fashion. Without that we will have to purchase the RSM module
> for the switch and do the routing on the switch itself outside of
> the firewall's control.
>
> Even a 450 loaded with cards (only 10 slots) even with Quads will
> only handle 41 VLANs. We are talking about hooking up to nearly
> 200. A $70-80000 switch is MUCH less expensive than a SUN 6500 or
> E10000, and a LOT easier to maintain when you are in a High availability
> environment.
>
> Steve
>
> -----Original Message-----
> From: Aaron Turner [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 13, 2000 12:03
> To: Dominik Weis
> Cc: stcost - Steve Costaras; [EMAIL PROTECTED]
> Subject: RE: [FW1] FW1 / Solaris w/ 802.1Q (VLAN) Support?
>
> What you're asking makes no sense. Why does Solaris need to know about
> VLANs? Just plug an interface of the firewall into each VLAN you want
> the firewall to route/firewall between. If you want a lot of gigabit
> interfaces, you'll prolly need something like a Sun E450, but that's not
> unheard of. People do this sort of thing all the time.
>
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================