awakenings

asked on

Risk Analysis for FWSM and Switches

I have an audit coming up and I wanted to find out what the risks are for the following setup and see what my defensive position might be.

We have a border router that goes to a firewall. On the other side of the firewall is a DMZ with servers that people have access to. Beyond that the connection goes to a layer 2 switch. The layer 2 switch then goes to a FWSM on another switch. Technically it is a DMZ, but it has an extra switch in the way. I wanted to find out what the risks are in terms of hackers. What if someone compromised the switch without the FWSM? There are other VLANs on that switch. Is there any way for a hacker to get to the other VLANs from that switch? I'm trying to determine what the worst case scenario is to prepare myself for the auditors.

Thanks,
rsivanandan

What do you have on that 'middle' switch? I mean, what all is on it. Also, can you mention the make of all the network devices? One probable thing which I assume you would've taken care of already would be to disable CDP.

What is it that you have open on your firewall (web/SMTP???) etc., and where are they actually in the picture?

Cheers,
Rajesh
awakenings

ASKER

Rajesh,

It is a web server that people access through the firewall to the server sitting on the DMZ. I am still waiting to get the configs of the devices as I have no access, so I am not sure what is going on with those devices from a network level. I may have those next week. The firewall is a PIX 515E. The switch is a 6009 which is entirely layer 2. The layer 3 switch with the FWSM is a 6509. The 6509 controls the VLANs on the 6009. There are numerous VLANs coming off the 6009. That is what gives me pause because it would seem to me that if they can access the 6009, they can access most of the internal VLANs (is my fear). The network admin says that because the 6509 controls the VLANs, the 6009 has no risks associated with it. I don't buy it, so I am trying to see what risks are associated with it.

Thanks,

awakenings
SOLUTION
rsivanandan

Rajesh,

My role is purely audit. I have no ability to configure devices. I also can not post configs, but I can look for VLAN ACLs and determine if any traffic is allowed through. If someone were to hack the server on the DMZ, could they then hack the 6009? Obviously they could poison the CAM table. If so, could they alter VLAN assignments from the 6009? Could they gain access to all the other computers on the other VLANs from the 6009? Remember the 6009 is between the DMZ and the FWSM (which is on the 6509) which provides the layer 3 configurations. Your point about traffic that looks legit is well taken, however. I may try to run nmap from alternate locations on the network, but that may take a week or two to complete for reasons I will not go into.

Any other suggestions?

awakenings
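The asker's position is audit-only: reviewing configs for VLAN ACLs, CDP, and the layer-2 controls that limit what a compromised DMZ host could do on the 6009. The script below is an added example, not part of this thread or any Cisco tooling, that reads an IOS-style Catalyst running-config offline and reports the checklist items raised here: CDP left enabled, ports not pinned to access mode (so DTP could negotiate a trunk), trunks using native VLAN 1, access ports without port security (the usual mitigation for CAM table flooding), and VLAN access-maps that are defined but never applied with `vlan filter`. The config in `SAMPLE_CONFIG` is constructed for the demonstration; a 6009 running CatOS uses different command syntax, so the keyword matching here assumes IOS-style output.

```python
"""Offline audit of an IOS-style switch config for the layer-2 exposure
points discussed in the thread. Added example; the sample config below is
constructed, not a real device's configuration.
"""
import re

# Constructed sample: one trunk to the 6509/FWSM, one badly configured
# DMZ server port, one hardened DMZ server port, one unapplied VACL.
SAMPLE_CONFIG = """\
hostname dmz-l2-sw
cdp run
!
vlan access-map DMZ-TO-INSIDE 10
 match ip address DMZ-BLOCK
 action drop
!
interface GigabitEthernet1/1
 description uplink to 6509/FWSM
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet1/2
 description DMZ web server
 switchport mode dynamic desirable
 cdp enable
!
interface GigabitEthernet1/3
 description DMZ web server 2
 switchport mode access
 switchport nonegotiate
 switchport port-security
 no cdp enable
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None          # '!' terminates the stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_config(config):
    """Return a list of (scope, finding) tuples; an empty list means clean."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]

    # CDP: 'no cdp run' is the only evidence it is off; the default is on.
    cdp_global_off = "no cdp run" in lines
    if not cdp_global_off:
        findings.append(("global", "CDP not disabled globally (expected 'no cdp run')"))

    # VLAN access-maps: defined is not the same as applied to a VLAN list.
    maps_defined, maps_applied = set(), set()
    for l in lines:
        m = re.match(r"vlan access-map (\S+)", l)
        if m:
            maps_defined.add(m.group(1))
        m = re.match(r"vlan filter (\S+) vlan-list", l)
        if m:
            maps_applied.add(m.group(1))
    for name in sorted(maps_defined - maps_applied):
        findings.append(("global",
                         f"VLAN access-map {name} is defined but never applied with 'vlan filter'"))

    for name, cfg in parse_interfaces(config).items():
        is_trunk = "switchport mode trunk" in cfg
        is_access = "switchport mode access" in cfg
        if not cdp_global_off and "no cdp enable" not in cfg:
            findings.append((name, "CDP enabled on this port"))
        if is_trunk:
            # Native VLAN defaults to 1 when not set explicitly.
            native_set = any(c.startswith("switchport trunk native vlan") for c in cfg)
            if not native_set or "switchport trunk native vlan 1" in cfg:
                findings.append((name, "trunk uses native VLAN 1"))
        else:
            if not is_access:
                findings.append((name, "port not forced to access mode; DTP can negotiate a trunk"))
            elif "switchport nonegotiate" not in cfg:
                findings.append((name, "access port still sends DTP (add 'switchport nonegotiate')"))
            if "switchport port-security" not in cfg:
                findings.append((name, "no port security (CAM table flooding not limited)"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_config(SAMPLE_CONFIG):
        print(f"{scope:22} {finding}")
```

Run against a real config with `audit_config(open("running-config.txt").read())`; the hardened port `GigabitEthernet1/3` in the sample produces no findings, which is the baseline a build document for DMZ-facing ports should match.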
ASKER CERTIFIED SOLUTION

SOLUTION

Rajesh,

You did a pretty good job putting things in perspective and justifying some of the concerns I had. Many, if not all, of the items you mentioned to block are on our build document. So from an audit perspective, it sounds like we may be ok if our configurations are good. The possible / probable risk is really DoS or DDoS (which I do believe is small because the border router in that case only goes to a network that, in theory, should also have fairly high security). To protect myself from the audit, do you think it would be wise to put a firewall up between the 515E and the 6009 switch to better protect ourselves?

At the moment, the points are basically yours.

Awakenings

P.S.  I do agree that passwords on network devices can be cracked in minutes.  There are many web sites that will perform that crack for you.  That is why we use another method.  :)
SOLUTION

Rajesh!

Thanks! All the other aspects of security we pretty much have. I do my best to keep up to date with NIST and DISA, and I set the standards for securing the web server so they should, in theory, be doing the work. We do test with many of the vulnerability analysis tools as well. Due diligence is my job!

Thanks!
Perfect, that should be the way to go about it.

Cheers,
Rajesh