[KLUG Members] RE: Multiple networks on a single switch?-Ahhh

Bob Kanaley members@kalamazoolinux.org
Tue, 4 Mar 2003 17:09:06 -0500


Many thanks to Andrew and Adam for clearing some of the fog on the Shorewall
docs.

> > I was reading the Shorewall docs for a three interface configuration
> > (PPP, DMZ, LOC). The Shorewall docs said "Do not connect more than one
> > interface to the same hub or switch (even for testing). It won't work the
> > way you expect it to and you will end up confused and believing that
> > Shorewall doesn't work at all."
>
> That's just silly.  If I plug two interfaces from one host into the same
> switch/hub it will work exactly as I expect it will.

The source of the silliness was from my mis-application of the specifics of
my network to the general case being described in the Shorewall docs. I
should have said that I was reading the docs for a three interface
configuration of eth0, eth1, eth2 with public IPs to apply it to my three
interface configuration of PPP, DMZ, LOC with RFC 1918 Class C addressing in
the DMZ and LAN.

Thanks to the excellent explanation by Andrew (who obviously knew more about
my question than what I wrote), I actually understand why the Shorewall
docs had to have the caveat on not allowing two interfaces on one switch.

Thank you Andrew!

The specific problematic situation of having an external interface in the
DMZ did not pertain to my network (or to Adam's), so the prohibition made no
sense to me (and seemed silly to Adam). The situation as described by me was
just plain silly. My apologies and thanks to the list for their forbearance
(OJT?).

> > Now, I can understand why putting two interfaces on a hub would cause many
> > problems (hubs basically repeat anything coming in on one port out to all
> > the rest of the ports). But I don't understand why I couldn't use a single
> > 48 port switch connected to two interfaces on different networks (DMZ and
> > LOC). I would think that the switch routing table should be smart enough to
> > know which ports belong to which network and only push network broadcasts
> > out to the appropriate ports.
>
> Because there isn't any mechanism stopping the sending of packets you don't
> intend across the switch.  It just isn't secure.
>

By not being secure Adam, are you addressing the issue that both DMZ and
LOC packets are being pushed across the same switch so that anyone able to
grab switch traffic would see packets from both networks, thereby obviating
the distinction between LOC and DMZ?

If so, I actually called 3Com to see if I could do something of this sort
with my switch. After reading your excellent presentation on Ethernet, I
downloaded etherape and wanted to do some traffic monitoring. But my $800
3Com switch does not have any management or monitoring features. 3Com said I
would not be able to catch all the port packets even on the Gigabit port.
3Com said I can't even do port mirroring to look at specific port traffic
:-(. It's dig out the old hubs and monitor one switch port at a time.

> > Am I attributing too much intelligence to the switch?
>
> Not if your switch supports VLANs.

Not a chance. All I have is 802.1D (bridging). 3Com pre-sales is supposed to
be calling me with switch interop and upgrade options to see what I can
connect to my current switch and maybe get some management capabilities. I
think the next model up supports 802.1Q VLAN, and SNMP for about $1300.

>
> > I don't see how the problem could be with Shorewall since the router decides
> > which packets go to which ports.
>
> It isn't a "problem", it is just easily overcome via packet forging.
>
> > Before I get myself in a real mess, could someone please enlighten me as to
> > why I couldn't or shouldn't use a single switch connected to two interfaces
> > on a Shorewall three interface firewall?
>
> You could but you wouldn't really be creating a DMZ.
>

I guess that I can put my old 8 port Kingston 10/100 switch on the firewall
DMZ interface. But I am not really sure that makes me a whole lot more
secure from packet forging.

Since I am using RFC 1918 class C addresses on both my LAN and DMZ, and
specifically blocking these addresses on my external interface, PPP, and in
addition, my firewall rules keep any packets originating in the DMZ from
being routed to the LAN, I believe that any packet forging would have to be
done from behind my firewall to traverse the switch to go from DMZ ports
to LAN ports.

Maybe I am missing something here, but it would appear to me that with my
firewall configuration, someone would have to attack one of the three
services I am running in the DMZ from the external interface, break out of the
chroot jails they are running in, then have to forge packets to look like
they originated in the LAN to get the router to pass them through to the
LAN. I suspect that anyone good enough to do all that is certainly not going
to be stopped by my putting the DMZ on a separate switch.

> It will probably be easiest to understand if you have a look at this
> location:
>
> http://shorewall.sourceforge.net/shorewall_setup_guide.htm#Routed
>
> It's section 5.1 of the Shorewall Setup Guide, which describes setup for
> a routed network. You'll want to look very closely at the diagram to see
> which IP addresses are where in the example. Apparently, when a machine
> sends an ARP request for an IP that happens to be on the firewall but
> NOT assigned to the interface connected to that zone, the firewall will
> actually reply with the MAC address of the interface that IS in that
> zone. When the firewall has TWO interfaces attached to the same zone,
> this may then lead to a race condition where the MAC address reported
> for the given IP depends on which interface catches it first. Just how
> much of a problem this is I don't know. The link above should
> (hopefully) explain it better.
>
> --
> Andrew Thompson <tempes@ameritech.net>
> The Imagerie

Bob

Robert V. Kanaley
Manager Information Systems
Agdia, Inc.
rvk@agdia.com
http://www.agdia.com
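The two mechanisms this message argues about (Adam's "easily overcome via packet forging" on a shared switch, and the ARP race Andrew quotes from the Shorewall guide) as a small model, added here as an illustration; it is not code from the thread, from Shorewall or from 3Com. Everything in it is constructed: the learning switch, the hosts, the three-zone firewall with a dmz-to-loc drop policy, and all addresses and MACs. The firewall's ARP behaviour is modelled on the Linux default (answer for any local address from whichever interface hears the request) and its `arp_ignore` flag on the kernel sysctl of the same name; no Shorewall configuration is involved.

```python
# Constructed toy model (not from the KLUG thread, Shorewall or 3Com): a learning
# switch forwards on destination MAC only, and a Linux-like firewall answers ARP
# for any of its addresses from whichever interface hears the request unless
# arp_ignore is set. All hosts, addresses and MACs below are made up.
from collections import namedtuple
from ipaddress import ip_address, ip_network

BROADCAST = "ff:ff:ff:ff:ff:ff"
LAN_NET, DMZ_NET = "192.168.1.0/24", "192.168.2.0/24"
FW_LAN_MAC, FW_DMZ_MAC = "02:00:00:00:0f:01", "02:00:00:00:0f:02"

Frame = namedtuple("Frame", "src_mac dst_mac kind fields")  # kind: arp-req / arp-rep / ip

class NIC:
    def __init__(self, owner, ip, mac, subnet, zone):
        self.owner, self.ip, self.mac, self.zone = owner, ip, mac, zone
        self.net, self.switch = ip_network(subnet), None
    def send(self, frame):
        self.switch.ingress(self, frame)

class Switch:
    """Learning switch: a MAC table and nothing else; IP subnets mean nothing to it."""
    def __init__(self):
        self.ports, self.mac_table = [], {}
    def attach(self, nic):
        self.ports.append(nic)
        nic.switch = self
    def ingress(self, in_nic, frame):
        self.mac_table[frame.src_mac] = in_nic
        known = self.mac_table.get(frame.dst_mac)   # broadcast is never learned -> flood
        for nic in [known] if known else [p for p in self.ports if p is not in_nic]:
            nic.owner.receive(nic, frame)

class Host:
    def __init__(self, ip, mac, subnet, zone):
        self.nic = NIC(self, ip, mac, subnet, zone)
        self.arp_replies, self.received = [], []   # (ip, mac) offers; (src_ip, dst_ip) delivered
    def receive(self, nic, frame):
        f = frame.fields
        if frame.kind == "arp-req" and f["target_ip"] == nic.ip:
            nic.send(Frame(nic.mac, frame.src_mac, "arp-rep", {"sender_ip": nic.ip, "sender_mac": nic.mac}))
        elif frame.kind == "arp-rep":
            self.arp_replies.append((f["sender_ip"], f["sender_mac"]))
        elif frame.kind == "ip":
            self.received.append((f["src_ip"], f["dst_ip"]))
    def arp(self, ip):
        """Broadcast a request; like a real ARP cache, the last reply heard wins."""
        self.nic.send(Frame(self.nic.mac, BROADCAST, "arp-req", {"target_ip": ip}))
        macs = [m for i, m in self.arp_replies if i == ip]
        return macs[-1] if macs else None
    def send_ip(self, dst_ip, dst_mac, src_ip=None):
        self.nic.send(Frame(self.nic.mac, dst_mac, "ip", {"src_ip": src_ip or self.nic.ip, "dst_ip": dst_ip}))

class Firewall:
    """Routing box with a Shorewall-style policy: anything from dmz bound for loc is dropped."""
    def __init__(self, arp_ignore=False):
        self.nics, self.arp_ignore, self.ip_seen, self.dropped = [], arp_ignore, 0, []
    def add_if(self, ip, mac, subnet, zone):
        self.nics.append(NIC(self, ip, mac, subnet, zone))
        return self.nics[-1]
    def receive(self, nic, frame):
        f = frame.fields
        if frame.kind == "arp-req" and f["target_ip"] in {n.ip for n in self.nics}:
            # Linux default (arp_ignore=0): answer for ANY local IP with the MAC of the interface
            # that heard the request. arp_ignore=1: answer only for that interface's own IP.
            if not self.arp_ignore or f["target_ip"] == nic.ip:
                nic.send(Frame(nic.mac, frame.src_mac, "arp-rep", {"sender_ip": f["target_ip"], "sender_mac": nic.mac}))
        elif frame.kind == "ip":
            self.ip_seen += 1
            out = next((n for n in self.nics if ip_address(f["dst_ip"]) in n.net), None)
            if out is None or (nic.zone == "dmz" and out.zone == "loc"):
                self.dropped.append((nic.zone, f["src_ip"], f["dst_ip"]))

def build(shared, arp_ignore=False):
    fw = Firewall(arp_ignore)
    eth1 = fw.add_if("192.168.1.254", FW_LAN_MAC, LAN_NET, "loc")
    eth2 = fw.add_if("192.168.2.254", FW_DMZ_MAC, DMZ_NET, "dmz")
    lan = Host("192.168.1.10", "02:00:00:00:10:01", LAN_NET, "loc")
    dmz = Host("192.168.2.5", "02:00:00:00:20:01", DMZ_NET, "dmz")
    sw_lan = Switch()
    sw_dmz = sw_lan if shared else Switch()      # one 48-port switch vs. a separate DMZ switch
    for nic in (eth1, lan.nic): sw_lan.attach(nic)
    for nic in (eth2, dmz.nic): sw_dmz.attach(nic)
    return fw, lan, dmz

def shared_switch_bypass():
    """Adam's point: on one switch a compromised DMZ host reaches the LAN without the firewall."""
    fw, lan, dmz = build(shared=True)
    lan_mac = dmz.arp("192.168.1.10")                              # broadcast hits every port
    dmz.send_ip("192.168.1.10", lan_mac, src_ip="192.168.1.20")   # forged LAN source, straight to lanbox
    return {"lan_received": lan.received, "fw_saw_ip": fw.ip_seen, "fw_dropped": fw.dropped}

def separate_switch():
    """With the DMZ on its own switch the only path to the LAN is through the firewall policy."""
    fw, lan, dmz = build(shared=False)
    direct = dmz.arp("192.168.1.10")              # None: nothing on the DMZ segment owns that IP
    dmz.send_ip("192.168.1.10", dmz.arp("192.168.2.254"), src_ip="192.168.1.20")
    return {"direct_mac": direct, "lan_received": lan.received, "fw_dropped": fw.dropped}

def arp_race(arp_ignore):
    """Andrew's race: which MACs is a LAN host offered for its gateway 192.168.1.254?"""
    fw, lan, dmz = build(shared=True, arp_ignore=arp_ignore)
    lan.arp("192.168.1.254")
    return sorted(m for i, m in lan.arp_replies if i == "192.168.1.254")
```

`shared_switch_bypass()` shows the forged-source frame landing on the LAN host with the firewall's `ip_seen` still at zero: the switch delivered it on MAC alone, so no Shorewall rule was ever consulted. `separate_switch()` shows the same frame forced through the DMZ interface and dropped by the dmz-to-loc policy. `arp_race(False)` returns both firewall MACs for the one gateway address, which is the race in the Shorewall guide; `arp_race(True)` returns only eth1's. On a real Linux firewall the corresponding knob is the sysctl `net.ipv4.conf.all.arp_ignore` (1 answers only for addresses on the receiving interface); the other fix the message mentions, 802.1Q VLANs on a managed switch, gives each zone its own broadcast domain so the flood in the first scenario never reaches the LAN port.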