[fw-wiz] need opinion of security experts on network design - Firewalls


Thread: [fw-wiz] need opinion of security experts on network design

  1. [fw-wiz] need opinion of security experts on network design

    Hi All,
    I've been asked to give an opinion on a network design in which the
    designer did the following for a network spanning multiple buildings of
    multiple floors:
    1-each floor is a separate VLAN
    2-all switches in the floors are layer 3 switches (no layer 2 switches at all)
    3-no VLAN spans multiple switches,
    4-each of the floors' switches is connected via point-to-point
    interconnecting VLAN to a core switch
    5-No spanning tree at all in the network as each switch is a different
    unique VLAN
    6-All VLAN routing is done via the OSPF protocol
    so I have about 50 VLANs with about 50 interconnecting VLANs

    can anyone give me his opinion, from a security point of view, on that design?

    thank you very much

    regards,
    Nad
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@listserv.icsalabs.com
    https://listserv.icsalabs.com/mailma...rewall-wizards


  2. Re: [fw-wiz] need opinion of security experts on network design

    > Behalf Of shadow floating
    >
    > Hi All,
    > I've been asked to give an opinion on a network design in which the
    > designer did the following for a network spanning multiple buildings of
    > multiple floors:
    > 1-each floor is a separate VLAN
    > 2-all switches in the floors are layer 3 switches (no layer 2
    > switches at all)
    > 3-no VLAN spans multiple switches,
    > 4-each of the floors' switches is connected via point-to-point
    > interconnecting VLAN to a core switch
    > 5-No spanning tree at all in the network as each switch is a different
    > unique VLAN
    > 6-All VLAN routing is done via the OSPF protocol
    > so I have about 50 VLANs with about 50 interconnecting VLANs
    >
    > can anyone give me his opinion, from a security point of view,
    > on that design?


    You need to start by defining your requirements. If you just want to
    keep users from sniffing passwords, that's overkill (any switch will do
    that). If you want to prevent any intercommunication between users on
    different floors, then you need to define a firewall somewhere.

    Define your requirements, then build to it. I'll say that what you have
    defined is very flexible so it can probably work as a base for any
    security requirements, and your biggest concern will probably be
    avoiding management complexity.

    Thanks,
    Josh


  3. Re: [fw-wiz] need opinion of security experts on network design


    On Jun 15, 2008, at 5:57 AM, shadow floating wrote:

    > Hi All,
    > I've been asked to give an opinion on a network design in which the
    > designer did the following for a network spanning multiple buildings of
    > multiple floors:
    > 1-each floor is a separate VLAN
    > 2-all switches in the floors are layer 3 switches (no layer 2
    > switches at all)
    > 3-no VLAN spans multiple switches,
    > 4-each of the floors' switches is connected via point-to-point
    > interconnecting VLAN to a core switch
    > 5-No spanning tree at all in the network as each switch is a different
    > unique VLAN
    > 6-All VLAN routing is done via the OSPF protocol
    > so I have about 50 VLANs with about 50 interconnecting VLANs
    >
    > can anyone give me his opinion, from a security point of view, on that
    > design?
    >
    > thank you very much
    >
    > regards,
    > Nad



    Nad,

    While this design provides vast segregation and simplifies Edge adds/
    moves/changes from a security perspective, it provides unnecessary
    complexity at the Core, making it harder to enforce security policies
    and leaves the door open for vulnerabilities from misconfiguration.

    Each network is unique to meet the requirements of one or many
    organizations. However, as a network and security professional, I
    have a number of general concerns with this design:

    1) "Each floor is a separate VLAN" & "no VLAN spans multiple switches"

    How large are the floors in question? Where are the communication
    closets laid out? Having a 90m distance limitation in the horizontal
    run from the closet may cause cabling issues, and introduce additional
    closets/switches/VLANs on a given floor, unless the "no VLAN spans
    multiple switches" rule is broken, and this would also affect the "no
    spanning tree" rule. I can picture half a dozen situations where adds/
    moves/changes clash against the design.


    2) "Each of the floors' switches are connected via point-to-point
    interconnecting VLAN to a core switch"

    This is one of the areas I see potential for misconfiguration.

    What is being done to address redundancy? Sectioning off each switch
    as its own VLAN straight to the core creates unnecessary traffic, and
    can be an excellent point of attack for network snooping or denial of
    service. The omission of a distribution layer can increase overhead
    and latency, and reduce network survivability.

    Not to mention, since this is over multiple floors and buildings,
    traffic has to span greater distances to get to the Core, which
    increases latency, and requires a vast amount of backbone
    interconnects, since the distances in question would not be suitable
    for copper. It would require over 50 connections to the Core over
    fiber (assuming single links, no redundancy), since copper is well out
    of the question. Labor for installation, termination, and testing of
    the fiber optic cabling, GBICs and fiber jumpers for connecting the
    hardware, and maintenance/repair of the optical circuits is many times
    more expensive than a traditional Core-Distribution-Edge approach.
    What advantage does this design provide? Little to none, in my opinion.


    3) How are occupants of the building laid out? Is each floor a unique
    organization? Is it a department? Are all the individuals that need
    access to the Accounting/Financial servers in the same work area, and
    thus on the same switch/VLAN? If not, how will your access controls
    to your financial database, for example, take place? This would
    require a long list of firewall rules to regulate access from diverse
    points on the network, and would be hard to maintain, susceptible to
    misconfiguration, and generally a security risk that could be avoided.


    I would take the time to generate a list of requirements, before
    approaching a design. Some factors to consider include:

    * Who is accessing the network, and from where? (layout of the
    organization(s))
    * What do clients need access to? Can these functions be grouped?
    * What boundaries should exist between clients and servers, clients
    and the Internet, clients and other clients, etc?
    * What level of service does the network need to provide? (things will
    break! what is acceptable, what isn't)

    Your requirements should be derived from business and regulatory
    factors. Then, draft a physical design to meet your requirements.

    Cheers,

    Andrew

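    To make Andrew's points concrete, here is the posted design written out as a Cisco IOS configuration fragment for one floor switch, followed by the core-side access list his third point is about. This is an added illustration for this thread, not configuration from Nad, Andrew or anyone else on the list. The hostnames, interface numbers, the 10.<building>.<floor>.0/24 address plan, the /30 transit links under 10.255.0.0/16, the finance server 10.9.9.10 on VLAN 909, the location of the accounting staff and the <shared-secret> placeholders are all assumptions; so are the hardening lines (OSPF authentication, passive-interface default, BPDU guard), which are what a reviewer would add, not part of the design as posted. Lines beginning with "!" are IOS comments.

```cisco
! ===== Floor switch B1-F3: layer 3 access switch, one VLAN, routed uplink =====
! (design items 1-4 and 6 as Nad lists them; address plan is assumed)
hostname B1-F3
!
vlan 103
 name B1-Floor3-Users
!
interface Vlan103
 description users, building 1 floor 3 (assumed plan 10.<building>.<floor>.0/24)
 ip address 10.1.3.1 255.255.255.0
!
! Design item 4: one routed /30 per floor switch straight to the core.
! This interface is the per-switch fibre run Andrew counts fifty of.
interface GigabitEthernet1/0/49
 description uplink to CORE Gi1/0/3 (10.255.1.4/30)
 no switchport
 ip address 10.255.1.6 255.255.255.252
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <shared-secret>
!
! Design item 6: OSPF on every floor switch. The hardening below is not in
! the posted design; without "passive-interface default" and authentication
! any host on VLAN 103 can form an adjacency with the SVI and inject routes.
router ospf 1
 router-id 10.1.3.1
 passive-interface default
 no passive-interface GigabitEthernet1/0/49
 network 10.1.3.0 0.0.0.255 area 0
 network 10.255.1.4 0.0.0.3 area 0
 area 0 authentication message-digest
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 103
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ===== Core: the access-control problem in Andrew's point 3 =====
! Assumed: accounting staff sit on B1 floor 3, B1 floor 7 and B2 floor 4;
! the finance database is 10.9.9.10 on server VLAN 909. Because the subnet
! follows the floor rather than the role, the permit list needs one line
! per floor that houses an accounting user, and every desk move across a
! floor boundary is a change to this list on the core.
ip access-list extended FINANCE-IN
 permit tcp 10.1.3.0 0.0.0.255 host 10.9.9.10 eq 1433
 permit tcp 10.1.7.0 0.0.0.255 host 10.9.9.10 eq 1433
 permit tcp 10.2.4.0 0.0.0.255 host 10.9.9.10 eq 1433
 deny   ip any host 10.9.9.10 log
 permit ip any any
!
interface Vlan909
 description server VLAN
 ip address 10.9.9.1 255.255.255.0
 ip access-group FINANCE-IN out
!
! The core also terminates fifty /30s and fifty OSPF adjacencies, one per
! floor switch: the "unnecessary complexity at the Core" in Andrew's reply.
```

    The floor-switch half is repeated fifty times with different numbers, which is where the misconfiguration risk Andrew mentions comes from: every one of those switches carries live routing protocol configuration, and one switch missing the passive-interface or authentication lines is enough to expose the whole OSPF domain to a user port.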


  4. Re: [fw-wiz] need opinion of security experts on network design

    Hello,

    > 1-each floor is a separate VLAN


    If you can guarantee that each floor will stay a separate collision
    domain, then I would use separate LANs, i.e. Layer 2 switches for
    the floors.

    > 2-all switches in the floors are layer 3 switches (no layer 2 switches at all)


    Why? Nothing in your architecture requires this.

    > 3-no VLAN spans multiple switches,


    Especially because of 1 and 3.

    > 4-each of the floors' switches are connected via point-to-point
    > interconnecting VLAN to a core switch


    Now, for the core switch I would use a pair of layer 3 switches, statically
    assign a VLAN for each floor to an _access_ port on each of them,
    and connect each floor switch via two uplink ports to each of the core
    switches.

    The core switches can do the routing statically, since you only
    ever configure layer 3 information on two devices. They can
    provide redundancy to the access/distribution layer (floor switches
    and hosts) via HSRP (in a Cisco world) or some similar means for
    layer 3 and spanning tree for the layer 2 connections.

    > 5-No spanning tree at all in the network as each switch is a different
    > unique VLAN


    No spanning tree => no redundancy on layer 2 unless I missed something.

    > 6-All VLAN routing is done via the OSPF protocol
    > so I have about 50 VLANs with about 50 interconnecting VLANs
    >
    > can anyone give me his opinion, from a security point of view, on that design?


    Security = C * 1 / Complexity

    Your design looks overly complex for the architecture requirements
    sketched in 1 - 4.

    Kind regards,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit
    --
    punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
    Tel. 0721 9109 0 * Fax 0721 9109 100
    info@punkt.de http://www.punkt.de
    Gf: Jürgen Egeling AG Mannheim 108285
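    Patrick's alternative (layer 2 floor switches, a pair of layer 3 core switches, a VLAN per floor on access ports of the cores, HSRP for the gateway, spanning tree for the doubled uplinks, static routing) sketched as Cisco IOS for one floor switch and one core. This is an added example, not configuration from Patrick's post. The hostnames, interface numbers, the 10.1.3.0/24 floor subnet, the inter-core trunk, the firewall next hop 10.9.0.1 and the <shared-secret> placeholder are assumptions, as are the hardening lines (nonegotiate, root guard, BPDU guard, HSRP authentication). "CORE-B" is assumed to mirror CORE-A with the differences noted in the comments.

```cisco
! ===== Floor switch B1-F3: layer 2 only, two uplinks, one to each core =====
hostname B1-F3
!
vlan 103
 name B1-Floor3-Users
!
spanning-tree mode rapid-pvst
!
! Patrick's "_access_ port on each core": both ends carry only VLAN 103,
! untagged, so there is no trunk to hop across and DTP is switched off.
interface GigabitEthernet1/0/49
 description to CORE-A Gi1/0/3
 switchport mode access
 switchport access vlan 103
 switchport nonegotiate
!
interface GigabitEthernet1/0/50
 description to CORE-B Gi1/0/3
 switchport mode access
 switchport access vlan 103
 switchport nonegotiate
!
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 switchport access vlan 103
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ===== CORE-A (assumed: CORE-B is identical except "root secondary",
! SVI address 10.1.3.3 and standby priority 90) =====
hostname CORE-A
!
vlan 103
!
! Two uplinks into one VLAN plus the inter-core trunk form a loop, hence
! spanning tree is back. The cores must be root; root guard keeps a
! mis-cabled or rogue floor switch from taking that role.
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 root primary
!
interface GigabitEthernet1/0/3
 description to B1-F3 Gi1/0/49
 switchport mode access
 switchport access vlan 103
 switchport nonegotiate
 spanning-tree guard root
!
! Inter-core link carries every floor VLAN; HSRP hellos travel over it.
interface GigabitEthernet1/0/48
 description to CORE-B Gi1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! The only layer 3 configuration anywhere in the network is one SVI per
! floor on each of the two cores. HSRP gives the floor a single gateway
! address; the authentication line stops a host from winning the election.
interface Vlan103
 ip address 10.1.3.2 255.255.255.0
 standby version 2
 standby 103 ip 10.1.3.1
 standby 103 priority 110
 standby 103 preempt
 standby 103 authentication md5 key-string <shared-secret>
!
! Every floor subnet is a connected route on both cores, so no OSPF is
! needed inside the campus: a single static default towards the firewall.
ip route 0.0.0.0 0.0.0.0 10.9.0.1
```

    Fifty floor switches still means fifty copies of the first half, but those copies hold no routing protocol, no transit addressing and no per-switch secrets, and any filtering between floors (Josh's "firewall somewhere") has exactly two enforcement points. That is the trade Patrick's "Security = C * 1 / Complexity" is pointing at: layer 2 redundancy via spanning tree in exchange for taking layer 3 out of the access layer.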


  5. Re: [fw-wiz] need opinion of security experts on network design

    Hello,

    Sorry for answering myself, but this needs to be corrected:

    On Wed, Jun 25, 2008 at 06:49:17PM +0200, Patrick M. Hausen wrote:
    > If you can guarantee that each floor will stay a separate collision
    > domain, then I would use separate LANs, i.e. Layer 2 switches for
    > the floors.


    ^collision^broadcast

    Kind regards,

    Patrick M. Hausen
    Leiter Netzwerke und Sicherheit

