
I'm looking at implementing a pfSense firewall on a network, and I've a number of options when it comes to implementation. Specifically, I can either:

  1. Stick each network zone (WAN, DMZ, core) on separate interfaces going into the firewall device.
  2. Pipe a single dot1q trunk into the firewall containing the 3 VLANs carrying the different networks and get it to firewall between them.

The nervous twitchy bit of me is leaning towards (1) as differently trusted traffic is neater on physically segregated networks. However, (2) seems a little neater, and requires fewer NICs on the firewall.

Obviously, (2) has a bandwidth disadvantage, I can only pipe 1Gbps total across all networks through the firewall, but this isn't a concern for the moment.

My question is, does going with (2) present any additional risks that I'm not aware of? Could an attacker sitting on the WAN network be able to intercept / alter traffic on the other two networks just by sharing a dot1Q trunk going into the firewall with them?

growse

2 Answers


One class of vulnerability to be aware of is referred to as "vlan hopping" - there are some methods of attack out there wherein an attacker can add an 802.1q header to a packet, or add an extra one onto a packet that already has one (which is legal under the spec), with the intent of having some piece of equipment forward the packet to a network where it shouldn't go within the network's normal operation.

However, there are certainly limits - in this day and age, the attack would need a serious network misconfiguration to be vulnerable (a port that's ignoring tags facing a port that accepts tags, attacker access to a dynamic-trunking-protocol Cisco port, or attacker access to a port that accepts tags that it's not supposed to), rather than a vulnerability in the network device software itself - most should be good about not letting tagged packets out of access ports, for example.

An attacker would need to be on the same broadcast domain as your WAN interface to even attempt this attack, and there's a limited number of vlan-aware devices, which leaves little surface area for this misconfiguration.

There is an interesting article attempting a proof-of-concept attack against Cisco gear here.

Honestly, the larger security risk that physical separation protects against here is that of simple misconfiguration - accidentally accepting packets tagged for the inside vlan on the WAN interface, or accidentally plugging the WAN link into an access port for the inside vlan.

A carefully planned and properly configured single-interface layout can certainly be just as secure as an air-gapped configuration, as long as you understand the risks and potential threats.

Shane Madden
A good point about the misconfiguration side of things. I do recall reading that a lot of vulnerabilities were down to human cock-up, rather than inherent faults. Discrete interfaces = simpler. – growse Dec 21 '11 at 23:19
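As an added example (not code from the answer above, from pfSense, or from the question's author), the following Python check walks the 802.1Q tag stack of a captured Ethernet frame and flags the two conditions the answer describes: a double-tagged frame, and a tag that the trunk port is not supposed to accept. The sample frames and the VLAN IDs 10, 20 and 30 for WAN, DMZ and core are constructed assumptions.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer tag
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (QinQ outer tag)
TAG_ETHERTYPES = {ETH_P_8021Q, ETH_P_8021AD}


def parse_vlan_stack(frame):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.

    Every 802.1Q/802.1ad tag after the MAC addresses is consumed, so a
    double-tagged frame yields two or more IDs in the list.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    while ethertype in TAG_ETHERTYPES:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    return vids, ethertype


def check_frame(frame, allowed_vids):
    """Return findings for one frame seen on the trunk; empty means as expected."""
    vids, _ = parse_vlan_stack(frame)
    findings = []
    if len(vids) > 1:
        findings.append(f"double-tagged frame (tag stack {vids})")
    for vid in vids:
        if vid not in allowed_vids:
            findings.append(f"VLAN {vid} not allowed on this trunk")
    return findings


def build_frame(vids, payload=b"\x00" * 46):
    """Constructed sample frame carrying the given tag stack (outer tag first)."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"  # broadcast dst, locally administered src
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", 0x0800) + payload  # IPv4 inner ethertype


if __name__ == "__main__":
    allowed = {10, 20, 30}  # assumed IDs for the WAN, DMZ and core VLANs
    for stack in ([10], [10, 20], [99]):
        print(stack, check_frame(build_frame(stack), allowed))
```

Feeding real frames to it (for example from a pcap taken on the trunk-facing NIC) turns the same logic into a one-off audit of what a port is actually accepting.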

Short answer is no, they should be equivalent. You've already mentioned the shared bandwidth, so the exception would be that a DoS attack on one interface could affect traffic on the others, but from a security standpoint, they shouldn't be able to access the other VLANs.

This all assumes that the VLANs are properly configured and segregated (firewalled) from each other.

Jim G.
The key point is that the device on each end of every physical link that carries packets from different security zones must be correctly configured. – David Schwartz Dec 22 '11 at 02:28