From: dubaisans dubai (dubaisans@gmail.com)
Date: Thu Oct 05 2006 - 02:32:03 EDT
Is it a BAD idea to have multiple logical segments of a Firewall
connected to the same physical switch?
One of our customers has a Cisco 6509. All VLANs are Layer 2. The
server segment multiple User LANs are all terminated here on the same
6509. The default gateway for these Layer 2 VLAN is on the Checkpoint
Firewall. So al access from UserLAN to server segment is through the
Firewall rulebase.
The threat I see is if the network switch administrator wants to
bypass Firewall, he can just disconnect the Firewall links and make
the VLANs Layer 3 and there is no security. After malicious activites
he can very well connect the Firewall and revert back to Layer 2.
Is that a valid threat ? Is it High risk ? What controls are possible
? Are multiple physical switches required.?
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:06 EDT