
Control traffic between VLAN (ACLs etc)

Posted: 27 Dec 2011 11:16
by jonha134
The main purpose of VLANs is to separate resources from each other. However, you usually have to allow some traffic between VLANs. Depending on the characteristics of the protocol, it (if I understand things correctly) may be very hard to write good ACLs without using stateful inspection and reflexive ACLs. Let's say I have an FTP server on one VLAN and FTP clients on the other VLAN. How can you create secure ACLs for that scenario? Am I asking the wrong question?

Re: Control traffic between VLAN (ACLs etc)

Posted: 28 Dec 2011 03:37
by devnull
In my experience it should work, but is a pain in the a**. You have no protocol inspection, no stateful firewall, and so on.
Deploy a firewall and it should be much easier (at least if you have more than two or three rules).

Re: Control traffic between VLAN (ACLs etc)

Posted: 28 Dec 2011 03:47
by jonha134
Thank you devnull, it confirms my concern.

My conclusion is that VLAN is excellent for totally separating network segments, but as soon as you need to have "some" information exchange between two VLANs, usually the best or even only solution is to use an external FW. Two VLANs with routing enabled provide of course no security at all.

I encourage anyone to tell me why I am wrong! Do modern switches have more advanced firewalling between VLANs built in?

Regards,

Jonas

Re: Control traffic between VLAN (ACLs etc)

Posted: 28 Dec 2011 08:45
by one6f
Hi,
jonha134 wrote: Let's say I have an FTP server on one VLAN and FTP clients on the other VLAN. How can you create secure ACLs for that scenario?
please see attached config.
It's a pure FTP qos, hence all other communication to both VLANs is denied.
So from Vlan20 you can use an FTP client to get data from an FTP server (or servers) in Vlan10.
It goes without saying that the IP interfaces for the VLANs must be configured on the switch.
Two VLANs with routing enabled provide of course no security, but ACLs do:


qos console
policy service ftp destination tcp port 21 
policy service group vl10_services  ftp  
policy service ftp_data source tcp port 20 
policy service group vl20_services  ftp_data  

policy network group vlan10  10.10.10.0 mask 255.255.255.0  
policy network group vlan20  10.10.20.0 mask 255.255.255.0  

policy condition any_v10 source ip Any destination network group vlan10 
policy condition any_v20 source ip Any destination network group vlan20 

policy condition v10_v20_ftp source network group vlan10 destination network group vlan20 established  
policy condition v20_v10_ftp source network group vlan20 destination network group vlan10 service group vl10_services 
policy condition v20_v10_data source network group vlan20 destination network group vlan10 established  
policy condition v10_v20_data source network group vlan10 destination network group vlan20 service group vl20_services 

policy action deny disposition deny 
policy action permit 

policy rule v20_v10_ftp condition v20_v10_ftp action permit log
policy rule v10_v20_ftp condition v10_v20_ftp action permit log
policy rule v20_v10_data condition v20_v10_data action permit log
policy rule v10_v20_data condition v10_v20_data action permit log
policy rule any_v10 condition any_v10 action deny log
policy rule any_v20 condition any_v20 action deny log

qos enable
qos apply

Re: Control traffic between VLAN (ACLs etc)

Posted: 04 Jan 2012 10:12
by jonha134
Thank you one6f.

I am quite new to Alcatel ACLs. Does your policy block all traffic initiated from the server VLAN towards the client VLAN (except for the traffic required for FTP)?

As I see it, if you want a few more services permitted, the ACL becomes quite large and thus hard to manage or almost impossible (at least for inexperienced users) over time. I would almost say that it would be easier with an external firewall managing traffic between VLANs? Do you agree?

Re: Control traffic between VLAN (ACLs etc)

Posted: 05 Jan 2012 06:51
by one6f
Hi Jonas,
it really depends on your requirements. You can use an AOS as a form of firewall, but you need to know a lot of things in advance. If you just want to stop a certain type of packets coming from a known IP address, you can construct an ACL to prevent this. AOS ACLs come in handy as "internal firewalls" to filter out certain types of packets or frames on your network, but if you are looking for something to put out as your border defense for the entire network, you need a firewall.

An L3 switch with an ACL examines the IP (or MAC) source address, destination address and protocol (or range). If the packet matches a rule, it is permitted or denied. It's simple packet filtering.

A real firewall performs stateful packet inspection and has some more features (NAT, application layer access control...). This offers a higher level of protection than simple packet filtering. It pays attention to the state of the connection and maintains a table of connections.
As an example, with simple packet filtering it is simple to bypass the ACL by sending packets with the ACK flag set. This will trick your ACL into believing it is part of an already established connection and forward the packet through. A firewall with stateful inspection will see that there is no such connection since it maintains a state table, and will drop that packet.

Re: Control traffic between VLAN (ACLs etc)

Posted: 06 Jan 2012 01:45
by jonha134
Thank you one6f. It was the answer I was looking for. I will look at exactly how complex the traffic (and security req) that is needed between the VLANs is and from there determine whether an actual firewall is needed. It is a guest VLAN that might need to have some access to internal servers on a different VLAN.