Security Problem??

N3tWrkNut, Member Posts: 30
I just started working for a company. I am one of their networking staff. I was looking at how the connectivity to the outside world was set up. There is a switch (A) that gets connectivity from the ISP. From there it goes into another switch (B), still not sure why two switches, but from there there are cables going into our firewall. To me that makes sense. One to the primary and one to the failover. Sounds great. But on switch B there are cables that go to the core, the main switch, the backbone of the network, which has access to the management VLAN. Mind you, all the VLANs on the network have no ACLs. I was told it was fine and secure because switch B has VLANs on it. But they have no ACLs. Am I crazy?

Comments

  • Fugazi1000, Member Posts: 145
    ACLs are applied at Layer 3. VLANs are Layer 2. I would not have an issue with OOB management ports being connected to the internal LAN (with some zoning to restrict traffic) as long as the switches have up-to-date firmware and the port/VLAN associations are properly understood.

    I would question why a single switch to an HA firewall pair. I would look to eliminate single points of failure, and this includes what I suspect is the ISP-managed 'edge switch'. If there is justification for an HA firewall, then the same applies for the ISP circuit and switch(es).
  • N3tWrkNut, Member Posts: 30
    You can apply access lists at layer 2. That I do know.
  • Fugazi1000, Member Posts: 145
    N3tWrkNut wrote: »
    You can apply access lists at layer 2. That I do know.

    If you mean VACLs then yes you can. And there may be some merit in restricting the relevant MAC addresses although it adds management overhead. It doesn't really help what I think your perceived risk is, in 'jumping' VLANs because of a bug/security vulnerability in the switch. If you trust VLANs then having a management connection is fine. If you don't, use a terminal server for console access to your dirty/DMZ switches.
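    The VACL route mentioned above, as an added example that is not part of the original thread: a MAC-based VLAN access map on the 'dirty' switch B so that the outside VLAN (assumed to be VLAN 10) only carries frames from the ISP router and the two firewall outside interfaces. All MAC addresses and VLAN numbers here are made up for illustration. Two caveats a practitioner would want: ARP requests and other broadcasts have a destination of ffff.ffff.ffff, so pairwise source/destination host rules would break ARP, which is why the rules are "known source to any"; and on some Catalyst platforms a MAC ACL in a VLAN map only matches non-IP frames, so check the platform's configuration guide and the counters before relying on it.

```cisco
! Switch B, outside the firewall. Assumed: VLAN 10 = ISP <-> firewall outside.
! Assumed MAC addresses (constructed for this example):
!   0000.0c11.1111  ISP router
!   0000.0c22.2222  Firewall A outside interface
!   0000.0c33.3333  Firewall B outside interface (failover)
!
mac access-list extended ISP-FW-SOURCES
 permit host 0000.0c11.1111 any
 permit host 0000.0c22.2222 any
 permit host 0000.0c33.3333 any
!
! Sequence 10: forward frames from the three known sources.
! Sequence 20: everything else on VLAN 10 (including a rogue device
! plugged into a spare port on this switch) is dropped.
vlan access-map OUTSIDE-VACL 10
 match mac address ISP-FW-SOURCES
 action forward
vlan access-map OUTSIDE-VACL 20
 action drop
!
vlan filter OUTSIDE-VACL vlan-list 10
```

    Verify with `show vlan access-map` and `show vlan filter`, then confirm the firewall pair still sees ARP replies from the ISP router after the filter is applied. If the firewalls use a shared virtual MAC for failover, that MAC is the one to permit, not the physical ones.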
  • N3tWrkNut, Member Posts: 30
    Okay. It is a Layer 3 switch. It uses IPs. I should maybe have mentioned that, but I assumed since I said core that would be understood. My bad. Without any ACL the VLANs are wide open to each other.
  • Fugazi1000, Member Posts: 145
    Perhaps I don't understand your environment.

    Just because you can route in the core switch, doesn't mean the devices on the separate VLANs actually can.

    If the 'dirty' switch outside the Firewall has a VLAN configured to allow the ISP device (upstream will be a router somewhere) to talk to the Firewall(s) and another VLAN to allow management/monitoring of the switch then all is well. Even if that VLAN is part of your core network/management network. Assuming you trust that VLANs are generally secure (see link below for some vulnerabilities) and yours sounds like a simple config. If you don't (and many people ARE more paranoid or will not tolerate the risk) then deploy a terminal server to the serial/console port.

    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39054
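    The design described above, as an added example that is not part of the original thread: switch B carries one VLAN for ISP-to-firewall traffic and one for management, its uplink to the core is pruned to the management VLAN only, and the core's SVI for the management VLAN gets an ACL so the other VLANs it routes between cannot reach management hosts. VLAN numbers, addresses, interface names and the admin subnet (10.50.0.0/24) are assumptions. The `nonegotiate`, unused native VLAN and explicit allowed-VLAN list are the standard mitigations for the DTP and double-tagging VLAN-hopping issues covered in the Cisco white paper linked above.

```cisco
! ===== Switch B ("dirty" switch outside the firewall), assumed Cisco IOS =====
vlan 10
 name OUTSIDE-ISP-FW
vlan 99
 name MGMT
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/1
 description ISP handoff
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description Firewall A outside
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description Firewall B outside (failover)
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree bpduguard enable
!
! Uplink to the core: explicit trunk, no DTP, unused native VLAN,
! and ONLY the management VLAN allowed. VLAN 10 never reaches the core.
interface GigabitEthernet1/0/24
 description Uplink to core - MGMT only
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 99
 switchport nonegotiate
!
interface Vlan99
 description MGMT
 ip address 10.99.0.5 255.255.255.0
!
! Restrict who may even open a management session to this switch.
ip access-list standard MGMT-HOSTS
 permit 10.50.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! ===== Core Layer 3 switch: the routed hop between VLANs =====
! Applied "out" on the MGMT SVI: filters traffic the core routes INTO
! VLAN 99 from any other VLAN. Only the admin subnet may reach MGMT,
! and only on SSH and SNMP (assumed monitoring host 10.50.0.10).
ip access-list extended TO-MGMT-VLAN
 permit tcp 10.50.0.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 22
 permit udp host 10.50.0.10 10.99.0.0 0.0.0.255 eq snmp
 permit icmp 10.50.0.0 0.0.0.255 10.99.0.0 0.0.0.255 echo
 deny ip any any log
!
interface Vlan99
 description MGMT
 ip address 10.99.0.1 255.255.255.0
 ip access-group TO-MGMT-VLAN out
```

    Check the result with `show interfaces trunk` on switch B (the allowed and active list for the uplink should show only 99) and `show ip access-lists TO-MGMT-VLAN` on the core after a connection attempt from a user VLAN (the deny counter should increment). Note that an `out` ACL on an SVI does not filter traffic the core switch itself originates, so the core's own management access still needs the vty `access-class` treatment shown for switch B.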