Security Design Question

Greetings,

For those of you that design networks or suggest designs do you still feel that layer firewalls (from different vendors) is still a valuable part of defensive in depth? From your experience, do companies tend to use this in the SMB enterprises?

Just want to get someone else's perspective. I am submitting a proposal for our new network design on Wednesday and the other guy and I have some very, very different opinions.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

SteveO86

Bl8ckr0uter wrote: »

Great information! I am going to have to give this a once over. Since our meeting about network design has been pushed back til Monday, i'll have more time to prepare my design.

Ok I still haven't been able to figure this out. Say I have switches set up like this:

3560>>3560>>3550

or like this:

3560>>3550>>3560

or even like this:

3550>>2950>>3560

Could I still deploy private vlans between the two 3560s? Like if at any frames have to traverse a path that doesn't read private vlans does that negate the ability to use private vlans? Also if the direct path of the switches can read private vlans but they all terminate into switches that either don't read private vlans or aren't configured for them, does that negate the ability to use them? I hope my question makes sense lol

To be honest I haven't had to do a PVLAN trunk yet, but it does sound like an interesting lab to run with Wireshark to see what happens. (or at least some debug commands on the lower end switch).

From I've gathered from Cisco documentation..

Note Multiple PVLAN pairs can be specified using this command so that a PVLAN trunk port can carry multiple secondary VLANs. If an association is specified for the existing primary VLAN, the existing association is replaced. If there is no trunk association, any packets received on secondary VLANs are dropped.

Found here

I have some 2960's but not 2950's... On my 2960's I don't appear to have any private-vlan command syntax at all so it appears the 2960 would drop the packets.

There is information here concerning using a 4500 (Only because it supports PVLANs you should able to do the same with a 3560) that supports PVLANs and 2950 that does not. (about a quarter down the page under Isolated PVLAN Trunk Ports)

In this illustration, a Catalyst 4500 switch is being used to connect a downstream switch that does not support PVLANs.

Traffic being sent in the downstream direction towards host1 from the router is received by the
Catalyst 4500 series switch on the promiscuous port and in the primary VLAN (VLAN 10). The packets are then switched out of the isolated PVLAN trunk, but rather than being tagged with the primary VLAN (VLAN 10) they are instead transmitted with the isolated VLAN's tag (VLAN 11). In this way, when the packets arrive on the non-PVLAN switch, they can be bridged to the destination hosts' access port.

Traffic in the upstream direction is sent by host1 to the non-PVLAN switch, arriving in VLAN 11. The packets are then transmitted to the Catalyst 4500 series switch tagged with that VLAN's tag (VLAN 11) over the trunk port. On the Catalyst 4500 series switch, VLAN 11 is configured as the isolated VLAN, and the traffic is forwarded as if it came from an isolated host port.

So the client ports on the switch that does not support PVLANs needs to be in a VLAN, and on the switch that supports PVLANs the same VLAN number must be configured as an isolated secondary VLAN...

Try rapping your head around that one...

(Hope this helps took a bit to find this information and then had to read it a few times to really get it.. I'm content with PVLANs running on a single switch......for now anyway till I get even more time to tackle this concept of course I don't have that many high-end switches to lab with at all nowadays..)

(I really hope I did not de-rail the main purpose of this thread since it was primarily concerning double firewalls. I only mentioned the PVLANs for increased security in the DMZ)

Bl8ckr0uter

Well we had our discussion today and we are basically going to go with a blend of what the other guy and I said. So now I get to roll out a pfsense firewall w/ snort plug ins. I purchased this book: Amazon.com: pfSense: The Definitive Guide (9780979034282): Christopher M. Buechler, Jim Pingle, Michael W. Lucas: Books

I plan to play with it tonight on my main network.

Forsaken_GA

Bl8ckr0uter wrote: »

Well we had our discussion today and we are basically going to go with a blend of what the other guy and I said. So now I get to roll out a pfsense firewall w/ snort plug ins. I purchased this book: Amazon.com: pfSense: The Definitive Guide (9780979034282): Christopher M. Buechler, Jim Pingle, Michael W. Lucas: Books

I plan to play with it tonight on my main network.

You may also want to pickup the Book of pf to supplement your knowledge. I'm a huge fan of pfSense, but it's basically a stripped down FreeBSD with a webgui to configure the basic tools. Knowing how pf works at the OS level is a good thing

Bl8ckr0uter

I picked this up as well:
Amazon.com: Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort (9781593271411): Michael Rash: Books

I am probably going to pick this up based on your response:
Amazon.com: The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall (9781593272746): Peter N.M. Hansteen: Books