Layer 3 and Firewall


Layer 3 and Firewall

by dubaisans dubai

Hi,

Is it a REALLY BAD idea to have multiple Firewall segments connected
on the same 6509?

I have a 6509 Layer 3 switch which connects the LAN, WAN and Server
segments. This has three Layer 3 VLANs.

I plan to implement a Firewall [either PIX or Checkpoint] which will
segregate these 3 segments.

On the Cisco 6509 I will convert the existing Layer 3 VLANs into Layer
2 and assign those IPs [which are the default gateways for the respective
segments] to the 3 interfaces of the Firewall.

The Firewall is managed by me [Infosec dept] while the switch is managed by
the Networking dept.

My worry is: after I implement the Firewall, if the network admin pulls
out the Firewall cables and brings back the Layer 3 VLANs with those
IPs, then there is no Firewall.

How can we tackle this risk?

What is the technical workaround? Is it a REALLY BAD idea to have
multiple Firewall segments connected on the same 6509?

Re: Layer 3 and Firewall

by Massimo Baschieri

> How can we tackle this risk?

> What is the technical workaround? Is it a REALLY BAD idea to have
> multiple Firewall segments connected on the same 6509?

Well, the problem is not the 6509 itself. If someone not trusted has access
to the telco room and to the management of the switches (in particular L3
switches), he can have a lot of fun anyway.
Relegating segments to separate devices is of no purpose if the untrusted
man can play with a L3 device and pull the right cables.
However, creating VLANs potentially exposes the network to threats like VLAN
hopping, but why bother with these games if you can access the device itself
and change the config?
WAN access is less of a concern to me; for that you need to perform NAT and,
if I recall correctly, the 6509 doesn't do NAT by itself.
Bye,
    Max.


Re: Layer 3 and Firewall

by jorgen.sorqvist

If you don't trust the network department, it's a bad idea. The FW and the switch should be managed by the same department.

/Jörgen

Re: Layer 3 and Firewall

by Chris Hayden

dubaisans dubai wrote:

> Hi,
>
> Is it a REALLY BAD idea to have multiple Firewall segments connected
> on the same 6509?
>
> I have a 6509 Layer 3 switch which connects the LAN , WAN and Server
> segment. This has three Layer 3 VLANs
>
> I plan to implement a Firewall [ either PIX or checkpoint] which will
> segregate  these 3 segments.
>
> On the Cisco 6509 I will convert the existing Layer 3 VLANs into Layer
> 2 and assign those IP[which is the default gateway for the respective
> segments] to the 3 interfaces of the Firewall.
>
> Firewall is managed by me[Infosec dept] while the switch is managed by
> Networking dept.
>
> My worry is - After i implement Firewall , if the network admin pulls
> out the Firewall cables and brings back the Layer 3 VLANs with those
> IPs then there is no Firewall.
>
> How can we tackle this risk ?
>
> What is the technical workaround. Is it a REALLY BAD idea to have
> multiple Firewall segments connected on the same 6509?
>
VLANs aren't the most secure way to separate segments because of VLAN
hopping attacks. On the Cisco you could make it a little more secure by
implementing port security, but this can be a pain to manage if you have
a lot of devices connected. Have you considered installing the Firewall
Services Module in the 6500? This basically gives you virtual PIX
firewalls instead of using standard access lists to control access
between the VLANs.

Re: Layer 3 and Firewall

by econtreras

Hi, do you have the possibility to configure something like a ping alive on some or all of the firewall's interfaces, and in case somebody disconnects some interface of the firewall it sends you an alert or something like that? At least you will know if some cable of your box was unplugged or taken out. Or put in a redundant box, but in this case you will need two FWs and more ports on the switch to connect them; in this case if somebody disconnects some firewall's interface all the traffic goes to the other box and it sends you an alarm too.



----- Original Message -----
From: dubaisans dubai <dubaisans@...>
Date: Wednesday, October 4, 2006 12:14 pm
Subject: Layer 3 and Firewall

> Hi,
>
> Is it a REALLY BAD idea to have multiple Firewall segments connected
> on the same 6509?
>
> I have a 6509 Layer 3 switch which connects the LAN , WAN and Server
> segment. This has three Layer 3 VLANs
>
> I plan to implement a Firewall [ either PIX or checkpoint] which will
> segregate  these 3 segments.
>
> On the Cisco 6509 I will convert the existing Layer 3 VLANs into Layer
> 2 and assign those IP[which is the default gateway for the respective
> segments] to the 3 interfaces of the Firewall.
>
> Firewall is managed by me[Infosec dept] while the switch is managed by
> Networking dept.
>
> My worry is - After i implement Firewall , if the network admin pulls
> out the Firewall cables and brings back the Layer 3 VLANs with those
> IPs then there is no Firewall.
>
> How can we tackle this risk ?
>
> What is the technical workaround. Is it a REALLY BAD idea to have
> multiple Firewall segments connected on the same 6509?
>
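The original poster's worry is that the switch SVIs could be brought back with the same gateway IPs once the firewall cables are pulled, and econtreras suggests a ping alive with an alert. The script below, added here as an example and not posted by anyone in the thread, turns those two ideas into a detection check: from a monitoring host with a tagged interface in each segment it reads the neighbour (ARP) table, confirms that each gateway IP still answers, and confirms that the MAC answering for it is the firewall interface's MAC rather than some other device's. Gateway IPs, MACs, interface names and the neighbour-table snapshot are all constructed placeholders; the output format follows Linux `ip neigh show`.

```python
"""Detect a firewall gateway that has gone away or been taken over by another
device, by comparing the MAC answering for each gateway IP against the MAC of
the firewall interface that should own it.  All addresses are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical inventory: gateway IP of each segment -> MAC of the firewall
# interface that is supposed to hold that IP (constructed values).
EXPECTED_GATEWAYS = {
    "10.10.0.1": "00:1a:2b:3c:4d:01",   # LAN segment gateway
    "10.20.0.1": "00:1a:2b:3c:4d:02",   # Server segment gateway
    "10.30.0.1": "00:1a:2b:3c:4d:03",   # WAN segment gateway
}

# Constructed snapshot of `ip neigh show` on a monitoring host that has one
# tagged sub-interface per segment.  The scenario it encodes: the LAN gateway
# is fine, the server gateway IP is now answered by a different MAC (for
# instance a switch SVI re-enabled with the old IP), and the WAN gateway no
# longer resolves at all (cable pulled or interface down).
SAMPLE_NEIGH_OUTPUT = """\
10.10.0.1 dev eth0.10 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.20.0.1 dev eth0.20 lladdr 00:05:73:a0:00:01 REACHABLE
10.10.0.25 dev eth0.10 lladdr 00:0c:29:aa:bb:cc REACHABLE
10.30.0.1 dev eth0.30  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r"\s+(?P<state>\S+)$"
)

# Neighbour states that mean the kernel could not resolve the address.
DEAD_STATES = {"FAILED", "INCOMPLETE"}


@dataclass(frozen=True)
class Alert:
    gateway: str
    kind: str                  # "unreachable" or "mac_changed"
    observed_mac: Optional[str]


def parse_neigh(output: str) -> Dict[str, Tuple[Optional[str], str]]:
    """Parse `ip neigh show` lines into {ip: (mac or None, STATE)}."""
    table: Dict[str, Tuple[Optional[str], str]] = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue            # skip lines we do not understand
        mac = m.group("mac")
        table[m.group("ip")] = (mac.lower() if mac else None,
                                m.group("state").upper())
    return table


def check_gateways(expected: Dict[str, str], neigh_output: str) -> List[Alert]:
    """Return one Alert per gateway that is missing or answered by the wrong MAC.

    Run this right after pinging every gateway so the neighbour entries are
    fresh; a STALE entry can still carry the old firewall MAC after the
    firewall has been unplugged, which would hide an 'unreachable' condition.
    """
    table = parse_neigh(neigh_output)
    alerts: List[Alert] = []
    for ip, want_mac in sorted(expected.items()):
        mac, state = table.get(ip, (None, "MISSING"))
        if mac is None or state in DEAD_STATES:
            alerts.append(Alert(ip, "unreachable", mac))
        elif mac != want_mac.lower():
            # Something other than the firewall interface owns the gateway IP.
            alerts.append(Alert(ip, "mac_changed", mac))
    return alerts


if __name__ == "__main__":
    for a in check_gateways(EXPECTED_GATEWAYS, SAMPLE_NEIGH_OUTPUT):
        print(f"ALERT gateway={a.gateway} kind={a.kind} observed={a.observed_mac}")
```

Run on the constructed snapshot, the script reports 10.20.0.1 as `mac_changed` and 10.30.0.1 as `unreachable`, while 10.10.0.1 produces nothing. The MAC comparison is what distinguishes this from a plain ping alive: if the SVI is re-enabled with the firewall's old gateway IP, the gateway still answers pings, and only the change of answering MAC reveals that the traffic no longer passes through the firewall.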