1999-10-22-20:11:06 Ivan Fox:
> I was thinking that each supplier to have his/her VLAN. Therefore, on the
> switch, there could be 10 VLANs. I then use one of the switch port to
> connect to the DMZ interface on the firewall. I also have 10 IP addresses
> bound to the DMZ interface card. Each supplier's VLAN is bound to their
> respective IP address on the DMZ interface. Would it work?
Sure, it would work. As the cost of switch ports has plummeted compared to the
cost of router ports, doing this sort of trick has gotten very popular.
And the topic naturally pops up all the time on the firewalls mailing list.

At the moment, the consensus seems to remain that switches are designed to
be high-performance hubs, not routing devices or security barriers, and
for switches, failing to pass traffic from one port to another is simply a
performance optimization --- as long as they do it most of the time, in most
circumstances, they get the performance win --- and not part of the job
description.

Various ways of using switches and VLANs as security barriers are periodically
proposed; people then point out various problems that have shown up in
practice. E.g., within a VLAN, all you have to do is flood out the CAM table;
from VLAN to VLAN, switches sometimes have bugs in trunking code that allow
attacks; switch supervisor modules have had security problems in the past,
just like routers, but unlike routers the security problems weren't fixed as
rapidly or taken as seriously by vendors; etc.

This is probably changing as time goes by. Switches are definitely becoming
smarter, and as they get more mature I expect the answer to this question
may change. But until vendors take switch security seriously, and treat
circumstances that can leak packets from one port to another as security
problems, I won't advocate using switches as security barriers. At the moment
vendors think of switches as high-performance hubs, and that's what we should
do as well.
-Bennett
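The CAM-table point above is the one most readers will want to see concretely. The following is an added illustration, not code from the original message or from any switch vendor: a toy model of a VLAN-aware switch's MAC learning table. It shows why an exhausted table turns the switch into a hub for that VLAN (frames to a destination the switch can no longer learn are flooded to every port in the VLAN, including the port that filled the table), and how a per-port limit on learned MACs, the "port security" style mitigation, keeps one port from exhausting the table. Port numbers, MAC addresses, the table capacity and the aging timer are all made-up values; `ToySwitch` and `demo` are hypothetical names.

```python
# Constructed example: a toy model of switch MAC learning, not a vendor's code.
# Goal: show why a full CAM table makes a VLAN behave like a hub, and how a
# per-port MAC limit (port security) prevents one port from exhausting it.


class ToySwitch:
    """Minimal VLAN-aware switch: learns source MACs, forwards by destination MAC."""

    def __init__(self, ports_by_vlan, cam_capacity, max_macs_per_port=None):
        self.ports_by_vlan = ports_by_vlan          # {vlan: [port, ...]}  (assumed layout)
        self.cam_capacity = cam_capacity            # total CAM entries (made-up size)
        self.max_macs_per_port = max_macs_per_port  # None = no port-security limit
        self.cam = {}                               # (vlan, mac) -> [port, last_seen]
        self.violations = []                        # (port, mac) refused by the limit

    def _vlan_of(self, port):
        for vlan, ports in self.ports_by_vlan.items():
            if port in ports:
                return vlan
        raise ValueError(f"port {port} is not in any VLAN")

    def _macs_on_port(self, port):
        return sum(1 for p, _ in self.cam.values() if p == port)

    def learn(self, port, mac, now):
        """Record that `mac` lives behind `port`; returns False if not learned."""
        key = (self._vlan_of(port), mac)
        if key in self.cam:                          # refresh an existing entry
            self.cam[key] = [port, now]
            return True
        if (self.max_macs_per_port is not None
                and self._macs_on_port(port) >= self.max_macs_per_port):
            self.violations.append((port, mac))      # port security: refuse new MAC
            return False
        if len(self.cam) >= self.cam_capacity:
            return False                             # table exhausted: nothing new learned
        self.cam[key] = [port, now]
        return True

    def age_out(self, now, max_age):
        """Drop entries not refreshed within `max_age` (normal MAC aging)."""
        stale = [k for k, (_, seen) in self.cam.items() if now - seen > max_age]
        for k in stale:
            del self.cam[k]

    def forward(self, in_port, src_mac, dst_mac, now):
        """Return the set of ports a frame is sent out of."""
        vlan = self._vlan_of(in_port)
        self.learn(in_port, src_mac, now)
        entry = self.cam.get((vlan, dst_mac))
        if entry is None:                            # unknown destination: flood the VLAN
            return {p for p in self.ports_by_vlan[vlan] if p != in_port}
        if entry[0] == in_port:
            return set()                             # destination is behind the ingress port
        return {entry[0]}


def demo(max_macs_per_port=None, capacity=8):
    """Hosts A (port 1) and B (port 2) share VLAN 10 with a noisy host on port 3.

    Returns (ports that receive A's third frame to B, number of refused MACs).
    """
    sw = ToySwitch({10: [1, 2, 3], 20: [4, 5]}, capacity, max_macs_per_port)
    a, b = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"   # made-up addresses
    sw.forward(1, a, b, now=0)                          # A -> B, B not yet known
    sw.forward(2, b, a, now=0)                          # B -> A, both now learned
    noise = [f"de:ad:be:ef:00:{i:02x}" for i in range(capacity)]   # made-up MACs
    for t in range(1, 400):                             # port 3 keeps churning source MACs
        for mac in noise:
            sw.forward(3, mac, "ff:ff:ff:ff:ff:ff", now=t)
    sw.age_out(now=400, max_age=300)                    # A's and B's entries are now stale
    for mac in noise:                                   # port 3 grabs any freed slots
        sw.forward(3, mac, "ff:ff:ff:ff:ff:ff", now=401)
    sw.forward(1, a, b, now=401)                        # A -> B again
    sw.forward(2, b, a, now=401)                        # B replies; is B relearned?
    return sw.forward(1, a, b, now=401), len(sw.violations)


if __name__ == "__main__":
    print("no per-port limit :", demo())    # B's frames also reach port 3
    print("limit of 2 per port:", demo(2))  # only port 2 sees them
```

Without a per-port limit, the noisy port fills the table; once the legitimate entries age out they cannot be relearned, and the switch floods A's traffic to B out of every VLAN 10 port, which is exactly the "switch becomes a hub" behaviour the post describes. With the limit, the noisy port is capped at two entries and the table stays usable, and the `violations` list is the kind of counter a defender would alert on. The model also shows the VLAN boundary holding (ports 4 and 5 never receive VLAN 10 frames), but that only covers the learning table, not the trunking or supervisor bugs the post also mentions.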