From: John Kinsella (jlk@thrashyour.com)
Date: Fri Aug 11 2006 - 11:13:18 EDT
On Fri, Aug 11, 2006 at 10:08:09PM +0200, cableguy clueless wrote:
> 2 cisco 6509 each with firewall blade in them. These function as core
> switches for a 1000 users site with lots of vlans and FW roules
> between the vlans (oh and we are a big production site that relies on
> these cores to let our ciritical bussiness process machines
> communicate to the servers).
>
> He wants to create 2 vlans, 1 for untrusted traffic and 1 vlan for DMZ
> machines and assign physical ports to these to connect to the
> internet. The DMZ vlan would also have some physical ports. These
> ports would not be on the core switch but on the access layer switches
> that are fiber attached to the distribution switches that attach to
> the cores...
I actually architected something vaguely similar for a large retailer
last year, although there were about 50 vlans total and several other
layers of security as well (edge filtering egres/ingres, separate vendor
and employee vpns, etc). So with that background, I'll comment a bit:
Looking just at the vlan part, there is in theory the ability to
"jump" vlans (well covered topic on securityfocus lists). I would
probably consider spitting the DMZs off before they hit the cats,
either routed to a different port on the edge devices, or a firewall
(different brand might be of interest, depeding on paranoia) sitting
in front of the cats. Depends on value of the rest of the network and
it's contents. Tradeoff here is more hardware to purchase, architect,
manage, and more potential points of failure.
Looking at it from a DOS point of view, if there is significant traffic
levels flowing through the switches, the designer must be aware of
design details such as how many ports per ASIC and backplane bandwidth
for the supervisor card being used. Otherwise packets can be dropped
under heavy enough loads (I've seen that at a different site, it was
ugly and cost millions in revenue - not my design :) ).
Hopefully the cores have been hardened, telnet turned off, real passwords
set, good versions of IOS, etc. I'd say the easiest attacks against those
devices would be if the operational aspects haven't been well executed.
John
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:41 EDT