Question on PVLAN
Let's say I have a perimeter network on a firewall segment that I want to
protect with PVLAN. We would use the PVLAN to force all communication
between machines within that perimeter to go through the firewall. The
problem I am seeing with this configuration is that the firewall would
normally just ignore communications between computers on the same segment,
figuring that such communication is direct between the computers.
To make this work, are we supposed to configure a proxy arp on the firewall
segment, to fake out machines on the network into thinking that all the
target IPs on that network go to the firewall's port? Do we need to configure
the network on the firewall to be a single IP (class mask 255.255.255.255)?
Obviously the answer may be firewall dependent, but how would you make the
firewall work with a PVLAN perimeter network for the case of Checkpoint
Firewall-1, Microsoft ISA Server, and Cisco PIX?
It looks like the only "easy" way to make this work is to be sure that all
machines in one PVLAN don't need to ever talk to each other....
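A small constructed model of the situation described in this question (added example, not something posted in the thread): hosts on isolated PVLAN ports, the firewall on the promiscuous port, and the two firewall-side knobs the question is circling around, local proxy ARP and permitting traffic to hairpin back out the interface it arrived on. The host names, addresses and MACs are made up for the simulation.

```python
import ipaddress

# Constructed PVLAN segment: every host sits on an isolated port, the firewall
# on the single promiscuous port. Isolated ports may only exchange frames with
# the promiscuous port, never with each other.
SUBNET = ipaddress.ip_network("192.0.2.0/24")
NODES = {  # name: (ip, mac, pvlan port type)
    "fw":   ("192.0.2.1",  "00:00:5e:00:53:01", "promiscuous"),
    "web":  ("192.0.2.10", "00:00:5e:00:53:0a", "isolated"),
    "mail": ("192.0.2.20", "00:00:5e:00:53:14", "isolated"),
}

def pvlan_allows(src, dst):
    """Switch forwarding rule: a frame between two isolated ports is dropped."""
    return "promiscuous" in (NODES[src][2], NODES[dst][2])

def resolve_arp(requester, target_ip, local_proxy_arp):
    """Broadcast ARP for target_ip; return the MAC that answers, or None.
    The real owner answers only if the PVLAN lets the broadcast reach it.
    With local proxy ARP the firewall answers for any on-subnet address."""
    for name, (ip, mac, _) in NODES.items():
        if name == requester or not pvlan_allows(requester, name):
            continue
        if ip == target_ip:
            return mac
        if name == "fw" and local_proxy_arp and ipaddress.ip_address(target_ip) in SUBNET:
            return mac
    return None

def firewall_forward(src, dst_ip, hairpin, policy):
    """Packet reached the firewall's MAC but is for an IP on the same subnet.
    Many firewalls drop traffic that would leave through the interface it
    entered (no hairpin); only if that is permitted does the rulebase decide."""
    if not hairpin:
        return "dropped-by-firewall"
    return "delivered-via-firewall" if (src, dst_ip) in policy else "denied-by-policy"

def send(src, dst, local_proxy_arp=False, hairpin=False, policy=frozenset()):
    """Outcome of src sending an IP packet to host dst across the PVLAN."""
    dst_ip = NODES[dst][0]
    next_hop_mac = resolve_arp(src, dst_ip, local_proxy_arp)
    if next_hop_mac is None:
        return "no-arp-reply"          # peer unreachable at layer 2
    if next_hop_mac == NODES[dst][1]:
        return "delivered-direct"      # only possible toward the firewall itself
    return firewall_forward(src, dst_ip, hairpin, policy)
```

Run through the cases: without proxy ARP two isolated hosts never even resolve each other; with proxy ARP alone the firewall receives the packet and drops it as same-interface traffic; only with hairpinning permitted does the rulebase get to allow or deny the flow.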
Re: Question on PVLAN
You may also wish to investigate the Private VLAN Catalyst Switch
as well as Securing Networks with Private VLANs and VLAN Access Control
Configuring Private VLANs:
and VLAN INSECURITY - VLANS WERE CREATED TO ISOLATE LANS, BUT NOT FOR
THE PURPOSES OF SECURITY:
Hope this helps.
BradReese.Com - Refurbished Cisco PIX Firewall Guide
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
BradReese.Com - Cisco Power Supply Headquarters