This question pertains to the thread of discussions stemming from Ivan
Fox's "VLAN - a semi-firewall related question" posted in October 1999.
In traditional security architecture, I believe it can be considered common
knowledge to physically separate the external security domain from the
internal security domain with the only connectivity being some form of
gateway or firewall.
However, I am frequently encountering clients who construct this
implementation by connecting the firewall to an intelligent switch where
the two domains are configured as separate VLANs. When I advise them that
they should re-architect the connectivity so that in-bound Internet
traffic is on a separate switch from the firewall protected DMZ, I am often
challenged to produce published evidence that this would be "best practice."
My advice stems from sharing the same viewpoints so clearly expressed by
Paul Robertson
(http://lists.gnac.net/firewalls/mhonarc/firewalls.199910/msg00530.html)
and Bennett Todd
(http://lists.gnac.net/firewalls/mhonarc/firewalls.199910/msg00537.html)
but these "documents" represent individual viewpoints and it is difficult
for me to show that these viewpoints reflect best practice. To accomplish
this, I like to point to published statements from one or more well
regarded information security books, journals, or magazines. I've been
searching but have been unable to find such material. If anyone knows of
any I would greatly appreciate the references.
Marc Mandel