This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Paul_Rutkowski
Participant
‎2018-06-29 07:04 AM

Combining all interfaces in one bond, how bad is this practice?

Tim Hall

Recently you contributed to the above reference post. I am in a similar situation where our network team would like me to add DMZ vlans to an already existing LACP bonded interface that supports our inside networks. I view this as a security risk. I have always practiced keeping my inside networks separated by physical interfaces from my DMZ's or Internet. This is to limit the risk of potential DDOS attacks flooding the interface. They argue that ports on the core are limited is this is the design they want to implement moving forward. Am I wrong in my thinking?

Thank you.

3 Replies
PhoneBoy
Admin
Admin
‎2018-06-29 01:31 PM

If you want Tim Hall to see this, you should:

  • Tag him correctly
  • Post this in a public space

I can move this to the correct space (and correct the post) if you wish so he can see it.

My take: I agree with you.

Having separate physical interfaces and different physical switches for different zones with different security requirements is best practice.

0 Kudos
Paul_Rutkowski
Participant
‎2018-06-30 05:49 AM
In response to PhoneBoy

Dameon,

That would be great . Thank you for your feedback as well.

Thank you,

Paul

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-06-30 12:15 PM

I agree with you as well, ideally your DMZ switches should be separate from your internal switching infrastructure such that it is physically impossible to get from a compromised DMZ system to somewhere on the inside network without going through the firewall.  By trunking internal networks with DMZ networks on the same physical interface there is potentially a path from the DMZ to the inside network that does not involve the firewall, as in the switch itself.  Read about VLAN Hopping and other VLAN-based Network Attacks  for some more background in this area.

Now with a properly-configured switch these types of attacks should not be successful, but the key word here is "should". It is still PHYSICALLY possible if there is a zero-day exploit for the switch or a new VLAN attack technique discovered.  I'll gladly take "physically impossible" since short of someone gaining physical access to your facilities (which is a whole different problem) there is no way the discovery of a new VLAN/switch exploit will help an attacker. 

One could argue that a new vulnerability could be found for the firewall itself, but I'd wager that possibility is many orders of magnitude less likely on a security-oriented device like a firewall rather than a network-oriented device like a switch.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events