Recently, an interesting aspect of switching/vlan technology 
has presented itself as regards external/internal connectivity
and proactive network management.

Input to this discussion would be appreciated.

Business clients and partners connect to the Enterprise through 
external access hubs, routers, and firewalls.

The hub on the external side of the firewall is not managed by 
Enterprise Network Management; however, as more and more mission critical 
apps are being supported in this type of configuration, the need for 
proactive network management to reach the external side of the connection 
is becoming a requirement.

The Enterprise is in the process of a network upgrade to switched 
Ethernet Technology as a common platform.  The point that will touch the 
external access as well as the point that will touch the internal side 
of the firewall will be upgraded to a switched platform as part of the 
upgrade. (Not negotiable.)

The configuration that is being proposed is as follows:
(Where vlan2 will be used for proactive and reactive management as well 
as providing the conduit for snmp.)

        - Untrusted Feed -         Untrusted
                |                   Server
                |                  ________
                |                  |      |
                |        __________|      |
                |        |         |      |
SW1|------||---------------|       |______|
    vlan2   untrusted vlan
      |         |
      |         |
      |     ----------------
      |     |              |
      |     | Firewall     |
      |     |              |
      |     ----------------
      |              |
      |              |
SW2|------||---------------| 
    vlan2    trusted vlan

VLAN2 and the trusted VLAN would then be routed to the Enterprise 
Infrastructure.

Understanding that switches are not designed as security devices, and I 
do not know all of their vulnerabilities, I have proposed the following:

                           - Untrusted Feed -      Untrusted
                                   |                Server
                                   |               ________
                                   |               |      |
                                   |     __________|      |
                                   |     |         |      |
                 SW1|------||---------------|      |______|
                      vlan2   untrusted vlan
                        |         |
    ---------           |         |
   |         |          |     ----------------
   |Firewall |__________|     |              |
   |         |                | Firewall     |
    ---------                 |              |
       |                      ----------------
       |                               |
       |                               |
  Enterprise       SW2|------||---------------| 
       |               vlan3    trusted vlan
       |                 |
       |                 |
     Network Management Vlan


The second approach seems more viable as a secure solution; however, I am 
having difficulty documenting the vulnerabilities of the first scenario.

Larry Shields
Internetwork Project Director
Total Network Solutions
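As an added illustration (not part of Larry's post), here is a small trust-boundary model of the two diagrams: it enumerates every path from the untrusted feed to the Enterprise that never crosses a firewall, with and without the assumption the post raises, that a switch keeps its VLANs apart. The segment names and edges are constructed from the two drawings.

```python
from collections import defaultdict

# Constructed models of the two diagrams.  Each edge is (segment_a, segment_b, kind):
# "link" for cabling/trunks, "firewall" for a hop through a firewall, and
# "switch" for two VLANs that share one switch chassis.
SCENARIO_1 = [
    ("untrusted_feed", "sw1_untrusted", "link"),
    ("sw1_untrusted", "sw1_vlan2", "switch"),
    ("sw1_vlan2", "sw2_vlan2", "link"),          # vlan2 carried straight to SW2
    ("sw1_untrusted", "sw2_trusted", "firewall"),
    ("sw2_vlan2", "sw2_trusted", "switch"),
    ("sw2_vlan2", "enterprise", "link"),         # "VLAN2 ... routed to the Enterprise"
    ("sw2_trusted", "enterprise", "link"),
]
SCENARIO_2 = [
    ("untrusted_feed", "sw1_untrusted", "link"),
    ("sw1_untrusted", "sw1_vlan2", "switch"),
    ("sw1_vlan2", "enterprise", "firewall"),     # management path gets its own firewall
    ("sw1_untrusted", "sw2_trusted", "firewall"),
    ("sw2_trusted", "sw2_vlan3", "switch"),
    ("sw2_trusted", "enterprise", "link"),
    ("sw2_vlan3", "net_mgmt_vlan", "link"),
]

def unfirewalled_paths(edges, src, dst, vlan_isolation_holds):
    """Return every simple path src -> dst that never crosses a firewall edge.

    vlan_isolation_holds=False models the poster's concern that the switch
    does not keep its VLANs apart, so "switch" edges become traversable.
    """
    adj = defaultdict(list)
    for a, b, kind in edges:
        if kind == "switch" and vlan_isolation_holds:
            continue
        adj[a].append((b, kind))
        adj[b].append((a, kind))
    found = []

    def walk(node, path):
        if node == dst:
            found.append(list(path))
            return
        for nxt, kind in adj[node]:
            if kind != "firewall" and nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return found

if __name__ == "__main__":
    for name, edges in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2)):
        for holds in (True, False):
            paths = unfirewalled_paths(edges, "untrusted_feed", "enterprise", holds)
            print(f"{name}, VLAN isolation {'holds' if holds else 'fails'}: "
                  f"{len(paths)} path(s) around the firewall")
            for p in paths:
                print("    " + " -> ".join(p))
```

The output makes the difference between the drawings explicit: scenario 1 depends entirely on the switch's VLAN separation, since every unfirewalled path runs through vlan2 on SW1 and SW2, while scenario 2 has no such path even when that separation is assumed to fail.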


