[c-nsp] Bridging 2 Vlans on a 2950 switch with a security appliance
C. Jon Larsen
jlarsen at richweb.com
Fri May 20 09:00:24 EDT 2005
I have an in-line Intrusion Detection/Prevention Appliance (implemented
and outsourced by my customer to a 3rd party security vendor so I have no
access or control over it).
With a single upstream router and a downstream firewall/vpn gateway it
works well as I can plug the upstream device into the upstream port via
a crossover cable and the downstream device into the downstream port
via a crossover cable and it happily bridges away.
The problem is that I need to add an additional upstream router (for an
alternate upstream ISP) and a backup downstream firewall. In order to do
this I need to break out the crossover cables into vlans on a switch.
When I do that the cisco 2950 switch shuts down the port that the
appliance connects to on vlan2 because it's seeing BPDUs passed thru by the
bridging appliance from the upstream default vlan (my theory).
This is the message logged by the switch:
May 18 21:51:55: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
May 18 21:51:57: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/10 VLAN2.
May 18 21:51:57: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/10 on VLAN0002. Inconsistent port type.
And then the port that was assigned the vlan 2 drops off and moves back
into vlan 1.
I tried disabling spanning-tree bpdufilter and bpduguard on the port that
was dropping off vlan 2 but that did not work. I think I needed to disable
those on the switch port that handled the other side of the IPS/IDS box
but I did not do that during the maintenance window as we were out of
time.
But then I got to thinking that even if I got this working this might not
be a good idea from a security standpoint. I'm thinking it's probably best
to have the customer purchase another 2950 switch and to bridge the same
vlan on each switch using the appliance rather than trying to bridge 2
different vlans on the same switch using the appliance.
The reason is that if an attacker could somehow gain root/enable on one of
the upstream cisco routers that said attacker could play arp/mac address
games and fool the switch into bypassing the IDS/IPS appliance which would
be a fiasco.
Whereas if I had 2 physically distinct switches with different mac address
tables bridged by the appliance it would be impossible for the attacker to
trick or bypass the IDS/IPS since it would be the only physical path
between the 2 LAN segments on 2 distinct switches.
I'd appreciate any feedback from anyone patient/interested enough to make
it this far w/o hitting the delete key :=)
TIA,
-jon
--
+ Jon Larsen: President/CTO, Richweb, Inc.
+ Richweb.com: Providing Internet-Based Business Solutions since 1995
+ GnuPG Public Key: http://richweb.com/jlarsen.gpg
+ Business: (804) 747.8592 x 101; Mobile: (804) 307.6939
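The following 2950 configuration is an added example for the two-VLAN layout described in the post above; it is not the poster's configuration, nor the appliance vendor's, and the port numbers other than Fa0/10 (the port named in the log) are assumptions. The appliance bridges the per-VLAN PVST+ BPDUs it receives on the VLAN 1 side straight through to the VLAN 2 side, so the switch sees a tagged BPDU arrive on an access port and blocks it as an inconsistent port type. Enabling bpdufilter on both appliance-facing access ports stops the switch from sending BPDUs to the appliance and from acting on any that come back through it:

```cisco
! Added example, not from the original post.
! Assumed port layout: Fa0/1-2 upstream ISP routers, Fa0/9 appliance
! upstream side, Fa0/10 appliance downstream side (the port in the log),
! Fa0/11-12 firewall/VPN gateways.
vlan 2
 name downstream
!
interface range FastEthernet0/1 - 2
 description upstream ISP routers (VLAN 1)
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/9
 description IDS/IPS appliance, upstream side (VLAN 1)
 switchport mode access
 switchport access vlan 1
 ! Send no BPDUs to the appliance and ignore any it bridges back.
 spanning-tree bpdufilter enable
!
interface FastEthernet0/10
 description IDS/IPS appliance, downstream side (VLAN 2)
 switchport mode access
 switchport access vlan 2
 spanning-tree bpdufilter enable
!
interface range FastEthernet0/11 - 12
 description firewall / VPN gateways (VLAN 2)
 switchport mode access
 switchport access vlan 2
```

After applying it, `show spanning-tree inconsistentports` should list nothing and `show interfaces status` should show Fa0/10 connected in VLAN 2. Two caveats a practitioner would want: bpdufilter removes loop detection on those two ports, which is acceptable only because the appliance is meant to be the sole bridge between the VLANs, so there must be no other path between VLAN 1 and VLAN 2 (no trunk carrying both, no routing between their SVIs, no second cable), otherwise traffic can bypass the appliance exactly as the post worries; and both appliance ports must stay access ports, since a trunk on either side would let the appliance forward frames for VLANs it was never meant to see.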
More information about the cisco-nsp mailing list