1999-03-16-15:20:00 Bill Husler:
> We have networks with varying levels of trust [...] and intend for traffic
> flowing between these networks to traverse firewalls. It has been suggested
> that we implement this with a single (actually multiple for redundancy)
> Cisco Switch using VLAN technology to isolate the varying levels of trust.

I surely wouldn't. Go with smaller switches --- or hubs, or routers --- for
the various networks. Keep 'em separate. A smaller switch is cheaper than a
bigger one. Some of the nets won't need the performance of a switch; a hub might
be great for them. Others might profit from a multi-port router; if you didn't
want to budget a huge wad o' $$$ you could do a nice one on the cheap with
Znyx boards[1]. But if you're thinking about multiple big Cisco switches,
cost is clearly no object:-). Switches are designed as performance-enhancing
gizmos, not security barriers, and traditionally they've been slow to get
security fixes. I wouldn't build a security design that depended critically on
switches not being compromised.

-Bennett

[1] <URL:http://www.znyx.com/products/netblaster/zx340.htm>