Just some comments ...

I had a similar experience, when working for a large hospital system.
Some network engineers wanted to connect the firewall directly to a
switch to make the VLAN design easy for that environment. We even toyed
with the idea of using ATM for firewall interfaces (VLAN was being
implemented inside the trusted network). Finally we agreed to place a
router between the firewall and the inside network (instead of
connecting the firewall directly to a switch).

Within the trusted network, I believe implementing varying levels of
trust between networks using VLAN technology is fine (some may not
agree with this, depending on the applications they are running).

Paul V. Alukal
Consultant  (www.securedigit.com)
Bristol-Myers Squibb Company
Princeton

On Tue, 16 Mar 1999, Salchow, Kenneth Jr. wrote:

> 
> We have been wrestling with some of the same issues.  Your primary problem
> with the VLAN approach comes in the ability for someone to completely
> circumvent your firewall and directly connect your corporate network to the
> internet should they gain access to the switch configuration (or circumvent
> the firewall by other means depending on their objective).
> 
> Some thoughts I've had:
> - maintaining the router ACL which some want to remove, to prevent attachment
>   to the switch IP.
> - directly connecting the firewall interface to the router rather than through
>   the switch.
> 
> There are issues with these as well, but hey, at least you know you're not
> alone. :-)
> 
> 
> Ken Salchow, Jr., MCSE, CNE, ASE
> LAN Analyst - Internet Services Group
> Best Buy Co., Inc. World Headquarters
> 7075 Flying Cloud Drive
> Eden Prairie, MN 55344
> Phone: 612.995.5413
> FAX: 612.947.4104
> [EMAIL PROTECTED]
> 
> > -----Original Message-----
> > From:       Bill Husler [SMTP:[EMAIL PROTECTED]]
> > Sent:       Tuesday, March 16, 1999 9:20 AM
> > To: [EMAIL PROTECTED]; fw-1-mailinglist
> > Subject:    [FW1] Multiple levels of trust on one switch (Cisco)
> > 
> > 
> > We have networks with varying levels of trust:
> > 
> > 1. Internal network
> > 2. Web Servers...
> > 3. Internet
> > 
> > and intend for traffic flowing between these networks to traverse
> > firewalls. It has been suggested that we implement this with a single
> > (actually multiple for redundancy) Cisco Switch using VLAN technology to
> > isolate the varying levels of trust. The resistance to this approach is
> > proposing that the different levels of trust should be physically
> > separated. Any comments?
> > Bill
> > 
> > 
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> 
> 

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
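The risk Ken raises above is that the switch configuration becomes a second
place, besides the firewall, where the trust levels in Bill's design can be
joined: a trunk port that carries both the internal and the internet VLAN, or
a management interface anyone can reach, bypasses the firewall entirely. The
check a practitioner would want is a routine audit of the switch config for
exactly those two conditions. The script below is an added example, not code
from anyone in this thread; the IOS-style config text, the interface names,
the VLAN-to-zone mapping (10 = internal, 20 = web, 30 = internet) and the
management host 10.1.1.5 are all constructed for illustration. It parses the
config, flags any port whose VLAN set spans more than one trust zone, and
flags VTY lines that lack an access-class, then shows the same config with
both problems corrected.

```python
"""Audit an IOS-style switch config for ports and management lines that
join trust zones which are supposed to meet only at the firewall.

Added example; not code from the thread's authors. All config text,
interface names, VLAN numbers and addresses below are constructed.
"""
import re

# Assumed mapping of VLAN IDs to the three trust levels from Bill's post.
VLAN_ZONES = {10: "internal", 20: "web", 30: "internet"}

# Constructed config: the firewall's three interfaces each sit in their own
# VLAN, but Gi0/5 is a trunk carrying both the internal and the internet
# VLAN, and the VTY lines accept logins from anywhere.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description firewall inside
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 description firewall dmz
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/3
 description firewall outside
 switchport mode access
 switchport access vlan 30
interface GigabitEthernet0/5
 description uplink
 switchport mode trunk
 switchport trunk allowed vlan 10,30
line vty 0 4
 password cisco
 login
"""

# Corrected variant: the trunk carries only the internal VLAN, and VTY access
# is limited to one assumed management host via a standard ACL.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "switchport trunk allowed vlan 10,30", "switchport trunk allowed vlan 10"
).replace(
    "line vty 0 4\n",
    "access-list 10 permit host 10.1.1.5\nline vty 0 4\n access-class 10 in\n",
)


def expand_vlan_list(spec):
    """Expand '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = map(int, part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return ({interface: set of VLAN ids}, vty_has_access_class).

    Handles 'switchport access vlan N' and 'switchport trunk allowed vlan
    LIST'; the add/remove/except forms of the trunk command are not handled.
    """
    interfaces, current, in_vty, vty_access_class = {}, None, False, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # top-level statement
            in_vty = line.startswith("line vty")
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = set()
            continue
        stmt = line.strip()
        if in_vty and stmt.startswith("access-class"):
            vty_access_class = True
        if current is None:
            continue
        m = re.match(r"switchport access vlan (\d+)", stmt)
        if m:
            interfaces[current].add(int(m.group(1)))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", stmt)
        if m:
            interfaces[current].update(expand_vlan_list(m.group(1)))
    return interfaces, vty_access_class


def find_zone_violations(interfaces, zones=VLAN_ZONES):
    """Interfaces whose VLAN set touches more than one trust zone."""
    findings = {}
    for name, vlans in interfaces.items():
        touched = {zones[v] for v in vlans if v in zones}
        if len(touched) > 1:
            findings[name] = sorted(touched)
    return findings


def audit(text):
    """Summarise the two conditions that let traffic bypass the firewall."""
    interfaces, vty_ok = parse_config(text)
    return {"mixed_zone_ports": find_zone_violations(interfaces),
            "vty_unrestricted": not vty_ok}


if __name__ == "__main__":
    print("weak:    ", audit(SAMPLE_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The zone map is the part worth keeping under change control: once every VLAN
is assigned a trust level, "does any single port or trunk carry two levels"
is a mechanical check, and running it against each saved config is cheaper
than the physical separation the other camp in Bill's shop is asking for.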
