Ethernet Switch With a PC at Core

Has anyone developed an ethernet switch that integrates an Intel PC running a BSD variant or Windows 2000? This would be a great platform for running Checkpoint Firewall-1 in an environment where you wanted to put every PC behind its own firewall-controlled port. I realize that Cisco's 6500 has a firewall module, but a 6500 is a bit more expensive than I want to go.

Alternately, is there a PCI ethernet card that attaches to an external I/O card with 10 or more 10/100 ports per card?

Reply to
Will

I would never use it for an external firewall that is directly connected to the Internet, but for an internal firewall that is used to restrict traffic on the intranet it might suffice. As long you have closed VLANs and put the management port behind a dedicated firewall port, it may be reasonably secure.

What I object to in this design is the need to define so many closed VLANs. And on some switches you might exhaust the number of VLANs that are supported.

Reply to
Will

Just get a 1000 Mbit port, and use VLAN support to run 10 or more separate networks on it. We are quite happy with such a setup, using Linux' iptables as the firewall code.

best regards Patrick

Reply to
Patrick Schaaf

They still do - we use a lot of these in our hosted web sites at work.

They also support gigabit ports - but I don't think the boxes can run them at wire speed.

Just remember that Checkpoint isn't cheap - a multiport config for your type of application may well need the most expensive unlimited user count licence.

Reply to
stephen

On 19.04.2005 07:20 Patrick Schaaf wrote

Your security guys are also happy with this setup? If the switch is compromised so is all of your network connected to it.

Arnold

Reply to
Arnold Nipper

Nokia has/had a router product that was just like this. It was basically Intel PC hardware in a rack case, one or two multi-port Ethernet cards (4 ports per card or so) and an operating system based on BSD.

Nokia sold their product with Checkpoint firewall as security appliance.


I don't know any such product.

Reply to
Tomi Holger Engdahl

Right, I know about Nokia. But I want something with 40+ ports on it and true switch-like performance that can be used on an intranet as the backbone of the network.

Nokia is a PC with a few four-port cards that runs a BSD variant and Checkpoint in the kernel. I want the same concept with a true switch instead of a PCI bus.

Reply to
Will

The security guys being one and the same as the network guys: yes. You must put trust somewhere.

Everybody who cares can bring their own routers and switches and firewalls. We happily provide the rack space and uplink ports.

On the other hand, not _needing_ to bring new routers and switches has put a lot of projects behind firewalls which would otherwise run less protected in some outside LAN, or at least in some internal LAN shared with other stuff. Our way, projects are almost all nicely separated in their own VLANs, easily put behind this or that firewall or loadbalancer, just by reconfiguration. This allows us operational flexibility to do the right thing without much physical moving and reconnecting, though.

Of course, deciding about such things always results in compromise. I can justify some of the decisions easily by also pointing at who is running things. With stronger separation of responsibilities the dividing lines will change.

best regards Patrick

Reply to
Patrick Schaaf

Why not a separate 48-port hardware-based switch for performance and an external PC-based firewall?

Reply to
William P. N. Smith

This is going to cost a fair amount of money - several reasons, but expensive software and specialised hardware with relatively low numbers of devices being made all push up the price.

Try the Alteon switched firewall (Nortel Networks) - same basic idea of a packaged PC running Checkpoint, but a specialised hardware switch can be used to offload the traffic through the firewall to hardware.

Supports 240 or so logical interfaces, 8 Gig ports, VLANs, virtual firewalls, scaling up by adding more accelerators.

Netscreen make some dedicated boxes for a similar scale, or we go back to a PIX firewall blade.

Only other potential path is to use something like traffic filters rather than a purpose made firewall - but even there you are going to want a high end box to get hardware acceleration to get to the kind of performance you are asking for - maybe a Cisco Catalyst 6509 / sup 720 / firewall IOS combination, or maybe high end hardware from Foundry / Extreme?

Reply to
stephen

The beauty of using a firewall port for each machine on an Intranet is that you can:

1) ...easily identify the source of a virus, as when you see a specific machine originating huge amounts of SMTP traffic in the firewall log. Likewise, you can easily spot some program or individual spoofing a different machine's source IP and forbid such machines from getting out to the intranet at all.

2) ...easily control the kinds of traffic allowed between machines on your Intranet. For example, programmers' computers might be able to browse files on a test database server, but probably your bookkeepers' computers cannot do that. Microsoft has its own approach to controlling access using domain authenticated users. That doesn't help much when a key user password is compromised, and frankly on many intranet machines breaking in to the default security configuration for most Microsoft OS is not hard. A firewall can facilitate setting much more ironclad security policies. For example, in my example above the bookkeepers' *computers* won't be able to ping or test any port on most programmer related computers, and it won't matter who logs into that machine. I'm fairly sick of relying on Microsoft's "security", and I'm ready to call in the heavy weapons.

I'm sure that setting such rigid security through a hardware based firewall on an intranet would be cumbersome for a huge company. But for a company with less than 100 employees I think it would not be hard to administer the software security policies on the firewall, if you made intelligent use of Groups in your rules. And you would get payback over and over each time you have a security breach on a specific machine.

Reply to
Will

If you are using a switch, your sniffer won't see all of the traffic. If you configure your switch to duplicate all traffic to the sniffer port, now you create collisions that affect performance. The whole point of using a switch was to optimize traffic flow and avoid collisions.

Do you want to leave your sniffer running 24 hours a day? And what if the machine in question is spoofing its IP? Now you need to go look at MAC addresses and look at your internal documentation about what host that might be. And what happens if it is an unknown Mac address? Now you have to go tear apart your facility looking for the device, which could be almost anywhere.

If you have each host on its own dedicated firewall port, now any rogue device can be immediately located to a specific geography by virtue of the interface on which it enters the firewall.

So now you want me to in effect configure firewall-like rules on every target host? Why is it better to configure 40 hosts instead of configuring one firewall? You sound like you just like the status quo a whole lot more than you like saving your time.

I understand fully well that I can invest every hour of my life making every computer on my network a fortress. That to me sounds a lot like configuring 40 firewalls instead of investing time into configuring one.

I guess "time tested" explains why on the last four corporate networks of really large corporations, when we plugged our notebooks into their internal networks to give presentations we were immediately attacked by dozens of viruses on many different machines. No one inside the companies noticed and no one cared. It's easy to compromise a default-configured Windows box. That's why 60% of all home machines are virus infested by some estimates. You can use all of the Microsoft tricks like security profiles, but when you turn up security all the way, now all of the default Microsoft services stop working and you end up having to debug which resources they need access to.

Why is this time-tested formula better than simply securing access by a firewall, which offers a much more robust methodology, which is guaranteed to offer many levels of protection even when the machine in question is in an insecure configuration?

No, you have missed the point completely. If you design access to secure machines to only come from certain physically secured hosts, then anyone who steals a userid and password won't be able to login to secured hosts from non-secured workstations because those non-secured workstations are blocked through a firewall. Having a stolen account when you don't have physical access to a machine that can login to the resources you want doesn't do you any good. Firewalls provide an additional layer of security above and beyond what Microsoft's security layer provides. Each has its place, and each complements the other if designed well.

Obviously if your firewall is compromised you are hosed. That's why you physically secure a firewall, and if you are careful you only use separate local accounts on the firewall to authenticate to it. Ideally you use crypto devices to provide a physical token together with a known password, so that a stolen account still cannot compromise that box.

I've read every 200 page security manifesto that Microsoft has written. It takes me more time to secure a single Windows box and then debug permissions that applications need to work than it does to set up a firewall for an entire network. I just want to save time and get results. If you think you can get better results by working with Microsoft's software, it is a free world after all and I won't try to stop you.

Reply to
Will

Uh, you should be able to detect this using any network analyzer including the one that comes with Windows Server.

You don't need individual firewall ports to do this. All that you have to do is block packets which come from machines that do not have a specific matching of MAC and IP addresses. Has this been a problem on your system?

(a) The method that Microsoft uses they copied from Novell and Novell copied it from Banyan and Banyan pretty much copied it from mainframes. It's time tested and properly administered works fine for most situations.

(b) If a key password is compromised your security is down the toilet regardless. What happens in your proposed system when the password for your frankenfirewall is compromised?

How "ironclad" do you need to be?

Have you had a problem with bookkeepers getting into the programmers' machines? In any case this doesn't require each machine to have its own firewalled port.

Why, do you have specific problems? It sounds to me like you haven't really mastered Windows security and you're looking for some kind of shortcut.

It would be cumbersome for any sized company. What leads you to believe that a company with ten thousand employees would have less need for such a system than does yours?

You might be surprised, considering that some of what you want to do requires a different rule on each port.

It looks like you're making much more work for yourself than you need to. Learn to use the tools you have properly. For example you talk about the default security configuration on Windows servers. If you're in charge of this network then why are you using the default configuration? And if you don't have the authority to change the security configuration on the servers I really want to be a fly on the wall the day that management finds out that you've circumvented that stricture by micromanaging network traffic.

Reply to
J. Clarke

I see that Cisco and several other switch vendors have features to just copy data to a sniffer port. In our case we have many smaller switches from different vendors rather than one large one, so I'm not sure how easy it would be for us to have all network traffic on a single port. We would also need to make sure that the size of the pipe on that one port was sufficient to hold all of the network's traffic at any peak level, and that might actually exceed a gigabit occasionally in our case.

It still seems like a hassle to deal with a layer 2 / layer 3 sniffer dump compared to a firewall log when dealing with most security issues. I acknowledge that the lower level of detail from a sniffer is sometimes what you need. But I would rather pull out the special tool when I need it rather than have the sniffer act in the role of a security monitor 24 hours a day.

I'm comfortable with the way firewalls work, and I prefer to deal with a firewall log's semantics as a first level response to a security issue. I also want to be free to design a security policy that is imposed on the network regardless of the configuration of the machines on that network. I don't want a security policy that is a side-effect from how well I or others remembered to configure individual machines on the network.

Reply to
Will

If it's broadcasts then all machines will see it. If it's going to the Internet then the bastion host will see it. If it's not detectable by either of those means then it's not producing the vast amount of traffic that you claim.

No, you do not. You may create contention but if you create collisions then you misconfigured something.

Yes. Why not? You might want to look at snort by the way.

And this is a problem how?

What happens if it's an unknown IP address? Same problem. In point of fact, your switch should tell you what port is talking to that MAC address and from there you should be able to trace out the cable to the offending machine.

All that tells you is what port it's on, which any managed switch will tell you.

No, I want you to configure firewall like rules on your firewall. As for configuring firewall-like rules on every target host, configuring 40 firewalls is configuring 40 firewalls--it doesn't matter if they are all in one box or are on 40 separate machines.

If every computer on your network needs to be a fortress then you've got a personnel problem, not a network security problem. In any case, if you'd rather invest every hour of your life trying to use a frankenfirewall to close security holes that should be closed at the OS level, you're not really making wise use of your time.

Were you able to identify which "viruses" were "attacking you"? What was the nature of the attack? Could you identify the machines? How did you know that they were "attacking" you? Did you inform the IT manager of this and provide copies of your logs?

Perhaps there's a reason for that.

So what? It's easy to compromise a default-configured Cisco firewall as well. For that matter read Feynman's tale of the safes at Los Alamos. If the person responsible for security doesn't do his job and change the configuration to one appropriate to his needs, then any system, including your frankenfirewall is easily compromised.

I thought we were talking about machines in your business, not "typical home machines".

Yes, you do. So what? You do this once, you deploy network-wide, you're done until the next problem comes along.

Because managing 100 firewall ports each with a separate configuration is not any easier than getting the security on the machines right, if you don't do it right then it breaks a bunch of services, and since most malware gets into the system via the diskette drives of machines with lax security, which your proposal does _nothing_ to address, it's really tackling the wrong end of the problem.

You don't need a frankenfirewall to do that. Windows security on the host is quite capable of allowing a userid to be used only on specific machines or classes of machine.

You are correct on this point. But putting a separate firewall on each machine is overkill for almost all situations.

So it sounds like you're willing to put a lot of effort into securing your frankenfirewall. Why not put that effort into your security policies instead?

Reading "200 page security manifestos" doesn't teach you how to use the system. The O'Reilly book on Active Directory is 752 pages and it's just getting you started. Have you gone through it yourself and experimented with it finding how the pieces interact? Have you tried to figure out how to make it deal with the situations you fear?

Well, you've done that. If you kept notes you should be able to set policies systemwide that implement that same configuration on all your Windows boxen.

If you are going to work as a security administrator in a Microsoft shop, you are going to get the best results by mastering the Microsoft security system before you go off trying to invent a frankenfirewall. Once you've mastered Microsoft's security, if you _then_ find it inadequate, it's time to add additional protection. But the things you're complaining about just aren't that hard to do using Microsoft's security.

Start thinking "system". Ask yourself "if I want to set the security on this workstation to do this, what security policies do I have to set in Active Directory". Once you've gotten your mind around doing things using security policies instead of sitting down at the individual workstation and twiddling I think your life will get a lot easier. But the security policies are a complex topic which can't be covered in a few USENET posts.

Reply to
J. Clarke

If the security policy is a matter of "how well I or others remembered to configure individual machines on the network" then (a) you're not using system policies properly and (b) you've got a configuration management problem that you need to address. You should have a standard configuration for all machines, with variants for specific circumstances and a procedure for implementing that configuration. There should be no "remembering" at all involved.

Reply to
J. Clarke

Without digressing into point by point responses, let me give a few examples of why I am more comfortable with firewalls than using Microsoft security policies to secure an internal network.

One user had a virus that immediately started sending out thousands of pieces of SMTP mail. A virus can penetrate the machine and change its security policies. It can sit there in the background for months testing slowly to see where weaknesses are. I don't get any visibility on that, and if my security policies are hacked the way I find out about this problem is when other sites shut off receiving e-mail from our entire company because of spam. Now sure you can use policies to secure ports on machines and local firewall applications to set complex traffic flow policies on machines, and intrusion detection software to see abnormal traffic patterns, etc etc. That's all a lot of work, and for every protection you put up a new virus finds a loophole and you just end up doing more work.

With a firewall within 30 seconds of the first piece of spam originating from the infected host, I have a piece of e-mail. Two minutes later I am in a firewall log that clearly identifies a cubicle where the traffic originates. Three minutes later I have that machine locked down and the breach isolated. I don't need to worry about infection spreading at that point because the machine is physically isolated from every other machine. For the rest of the company it is business as usual and I haven't broken a sweat.

I've done things the other way, using group policies, and careful design of traffic flows, and intrusion detection. The same scenario would cost me hours or days of time without the firewall. Other machines would likely be infected. Been there and done that, and I feel like that is the road to hell. Even when you are very careful with your design, and implement it well, it is quite difficult to contain such outbreaks. What is very frustrating to me about posts like yours is that you apparently don't get outside to other companies very often. Because I am here to tell you that most of corporate America is filled with Microsoft administrators who brag about how great their networks are, and whose networks are a complete and total insecure mess. It's not worth arguing about why that is. It is sufficient to say that it is very very very difficult to keep an open network where every machine can contact every other machine on any port secure.

I just want to save time and be effective. I think a firewall helps me to do that.

Reply to
Will

It doesn't matter, because on the first day it would attempt to do anything that security policy prohibited, I would know about it immediately and take action.

Not that I counted, but I'm told by the Internet sites that track and measure these things that it sent in excess of 10,000 pieces of mail to users all over the Internet.

They aren't any more.

That detail was handled by one of my admins, and I couldn't find documentation right now. It was a while ago.

That depends on what the firewall notifies you about. A virus is going to probe, and if you have the host behind a dedicated firewall port with appropriate rules, you are going to get notified as soon as the first probing begins.

We are still struggling with how that particular machine got infected, and we don't have good forensics for it. Your point on write privileges is very well taken, and mea culpa. I am slowly learning what a good Windows user installation needs to look like, and undoing the legacy of older machines that have inappropriate installations is hard. People build up configurations they depend on and don't want to start from scratch. So I migrate them as time allows.

Without giving away specifics in a public forum, a user's machine would send outgoing mail by a very specific path that 99.9% of all viruses would not follow. So with a firewall we can trap all SMTP connection attempts that don't follow that path.

The firewall on the Internet cannot see into the internal network which is behind a separate proxy.

The best case I can make for an intranet firewall that isolates each internal machine is that

1) It lets you impose a security policy on an unsecured box, or one that was secured incorrectly.

2) It gives you instant visibility when some user or program does anything that violates the security policy.

Reply to
Will
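As an added illustration of the log-driven response described above (a per-port firewall log that names the cubicle a rogue or spoofing host sits in, and trapping SMTP that does not follow the one sanctioned path), here is example code that is not part of this thread or any product in it; the VLAN sub-interfaces, addresses, mail relay and log lines are all constructed, and the alert threshold is an assumption.

```python
import re
from collections import Counter

# Constructed inventory: firewall VLAN sub-interface -> (expected source IP, location).
# Assumes one host per VLAN on a single gigabit port, as in Patrick's setup above.
PORT_TABLE = {
    "eth0.101": ("10.1.0.11", "cubicle A-1"),
    "eth0.102": ("10.1.0.12", "cubicle A-2"),
    "eth0.103": ("10.1.0.13", "cubicle B-7"),
}
MAIL_RELAY = "10.1.250.25"   # the one sanctioned SMTP path (assumed address)
SMTP_THRESHOLD = 3           # off-path SMTP attempts per host before alerting (assumed)

# Constructed netfilter-style LOG lines; not real logs from any site.
SAMPLE_LOG = """\
Apr 19 07:20:01 fw kernel: FW: IN=eth0.101 OUT=eth0.250 SRC=10.1.0.11 DST=10.1.250.25 PROTO=TCP DPT=25
Apr 19 07:20:02 fw kernel: FW: IN=eth0.102 OUT=eth0.1 SRC=10.1.0.12 DST=203.0.113.5 PROTO=TCP DPT=25
Apr 19 07:20:02 fw kernel: FW: IN=eth0.102 OUT=eth0.1 SRC=10.1.0.12 DST=203.0.113.6 PROTO=TCP DPT=25
Apr 19 07:20:03 fw kernel: FW: IN=eth0.102 OUT=eth0.1 SRC=10.1.0.12 DST=203.0.113.7 PROTO=TCP DPT=25
Apr 19 07:20:03 fw kernel: FW: IN=eth0.102 OUT=eth0.1 SRC=10.1.0.12 DST=203.0.113.8 PROTO=TCP DPT=25
Apr 19 07:20:05 fw kernel: FW: IN=eth0.103 OUT=eth0.102 SRC=10.1.0.11 DST=10.1.0.12 PROTO=ICMP
Apr 19 07:20:06 fw kernel: FW: IN=eth0.104 OUT=eth0.102 SRC=10.1.0.99 DST=10.1.0.12 PROTO=TCP DPT=445
Apr 19 07:20:07 fw sshd[311]: Accepted publickey for admin from 10.1.250.2
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+).*?SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the interesting fields of one LOG line, or None if it is not a firewall line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Walk the log and return (kind, where, src) alerts in the order they fire."""
    alerts = []
    offpath_smtp = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = PORT_TABLE.get(f["iface"])
        if entry is None:
            # Traffic on a port with no host assigned: a rogue device, located by its port.
            alerts.append(("unknown-port", f["iface"], f["src"]))
            continue
        expected_ip, where = entry
        if f["src"] != expected_ip:
            # Source address does not belong to the host on this port: spoofing.
            alerts.append(("spoof", where, f["src"]))
        if f["proto"] == "TCP" and f["dpt"] == "25" and f["dst"] != MAIL_RELAY:
            # SMTP that bypasses the sanctioned relay; alert once the threshold is reached.
            offpath_smtp[f["iface"]] += 1
            if offpath_smtp[f["iface"]] == SMTP_THRESHOLD:
                alerts.append(("smtp-offpath", where, f["src"]))
    return alerts


if __name__ == "__main__":
    for kind, where, src in analyze(SAMPLE_LOG):
        print(f"{kind}: {where} (src {src})")
```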

(a) was it _immediately_ sending the mail or did it sit there in the background for months? You can't have it both ways.

(b) To whom was it sending this mail?

(c) Why were your users sending mail directly from their machines at all?

(d) What virus was this?

(e) A virus can pick away at your frankenfirewall just as easily, or do you labor under the misconception that because you're calling it a "firewall" it somehow becomes invulnerable?

(f) How did the virus get on the machine to begin with? Why does the user account have the authority to write to executable files?

If you have viruses getting on your system with regularity you have a problem that is not addressable by firewalls.

So? Why does the firewall have to be attached to a specific machine? How does it distinguish spam from valid mail? Why can't the firewall on your Internet connection make this same detection? Sorry, you're not making a case for firewalling every machine in your facility.

If the machine is physically isolated to that extent then how does the user communicate with other users on your system? Computers exist to do work, not to be secure.

You still have not explained how having each individual machine connected to its own firewall will be more effective at this than having a single firewall.

How? Why do they have mail clients that peers can send to? What is the mechanism by which the virus is spread?

Difficult for _you_ maybe.

Are they working well enough to meet the company's objectives? If so then their security is adequate for their purpose. They may not meet your standards, but I doubt that a DOE Secure Site would meet your standards.

So why do you leave a bunch of ports open on every machine?

A firewall does. A separate firewall for each machine just costs lots of money for little gain.

Reply to
J. Clarke
