On Fri, 22 Oct 1999, Ivan Fox wrote:
> I was thinking that each supplier to have his/her VLAN. Therefore, on the
> switch, there could be 10 VLANs. I then use one of the switch port to
> connect to the DMZ interface on the firewall. I also have 10 IP addresses
> bound to the DMZ interface card. Each supplier's VLAN is bound to their
> respective IP address on the DMZ interface. Would it work?
Depends on the switch implementation (and configuration) and if the supplier
has access to layer 2 from their connection. At least in the past, some
switches had limited space for MAC addresses, so it was possible to fill
that table and make the switch broadcast every packet like a hub; at that
point, if you've got access to layer 2, you can sniff at will.

VLANs aren't security-enablers, and may not be designed to protect
against hostile interfaces; they're broadcast domain controllers, and trying
to use them outside of that scope is putting a *lot* of trust in
something that wasn't designed for trust IMO.
> Any comments/suggestions are greatly appreciated.
Router ports are more expensive, but better for enablers. Especially if
you control the router. If they're leased lines, multi-port serial cards
work really well.
I'd have a problem with anyone having layer 2 access to the firewall's NICs
too, so separate interface cards aren't good for the firewall unless you
have a very high degree of trust in the implementation.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
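A defender-side check for the MAC-table exhaustion Paul describes above, added here as an example and not part of the original thread: it parses a constructed Cisco-style `show mac address-table` dump, flags ports that have learned implausibly many addresses, and reports how full the table is against an assumed capacity (the per-port limit, the capacity figure and the sample dump are all assumptions).

```python
"""Flag switch ports whose learned-MAC count suggests CAM-table flooding.

Added example (not from the original thread). The input format assumes a
Cisco-style 'show mac address-table' dump; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample: Gi0/1 is learning far more addresses than a host port should.
SAMPLE_DUMP = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac01    DYNAMIC     Gi0/1
  10    0050.56a1.0001    DYNAMIC     Gi0/1
  10    0050.56a1.0002    DYNAMIC     Gi0/1
  10    0050.56a1.0003    DYNAMIC     Gi0/1
  10    0050.56a1.0004    DYNAMIC     Gi0/1
  20    0050.56b2.0010    DYNAMIC     Gi0/2
  30    0050.56c3.0020    DYNAMIC     Gi0/3
  99    0050.56ff.0099    STATIC      Gi0/24
"""

LINE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\w+)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

def parse_mac_table(dump):
    """Return {port: set(macs)} for dynamically learned entries only."""
    table = defaultdict(set)
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("type").upper() == "DYNAMIC":
            table[m.group("port")].add(m.group("mac").lower())
    return dict(table)

def flooded_ports(table, per_port_limit):
    """Ports learning more addresses than an access port should ever see."""
    return sorted(p for p, macs in table.items() if len(macs) > per_port_limit)

def table_utilization(table, capacity):
    """Fraction of the assumed CAM capacity in use; near 1.0 means the switch may fail open."""
    return sum(len(m) for m in table.values()) / capacity

if __name__ == "__main__":
    t = parse_mac_table(SAMPLE_DUMP)
    print("per-port counts:", {p: len(m) for p, m in t.items()})
    print("suspicious ports:", flooded_ports(t, per_port_limit=3))
    print("utilization: %.1f%%" % (100 * table_utilization(t, capacity=16)))
```

In practice the same check is more useful applied to periodic dumps, so a port whose count jumps between samples stands out even before the table is full.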