On Wed, 4 Apr 2001, Jarmoc, Jeff wrote:

>       I've got a question in regards to running a DMZ on the same physical
> switches as my internal network, but segmented by VLAN.  Currently, I've got
> several 10/100 switches on my backbone, so my DMZ is physically separated.
> However, we're looking at upgrading to a gigabit backbone.  Obviously,
> gigabit switches are still somewhat pricey, and our DMZ is really only about
> 6 servers.  Soooo, the idea came to me to use VLANs to isolate the DMZ and
> internal networks on the same physical switch.  

You've got 10/100 switches, and aren't likely to have more than 100Mb of
Internet bandwidth- why not just use one or two of those switches for your
DMZ and not flirt with danger?

>       Does anyone have any experience with this, or opinions on how it
> would impact security or performance?  The gigabit switch I'm looking at is
> also capable of Layer 3 switching, but obviously any layer 3 traffic between
> these two VLANs would have to go through the firewall; I'll need to make
> sure I can specify that in the switch's software.  Recommendations of
> quality gigabit switches that can support up to 24 gig ports, and 48 100 meg
> ports would also be appreciated, but that's not really the point of my
> message.

1) Sharing layer 1 is bad- misconfiguration, bugs or odd protocols can
negate anything at a higher layer.

2) Sharing layer 2 is bad- misconfiguration, bugs or odd protocols can
negate anything higher.

VLANs were meant to solve collision domain problems and broadcast domain
problems, not security problems.  While vendors have backfilled security
when it's been pointed out how poor it was, nothing gives any level of
certainty that such things will continue to happen, or that there aren't
things they've missed.  

Also, a hardware issue that locks the switch kills your entire network.  

Putting all your eggs in a single basket is never a good thing, no matter
how wide the basket.

Take one or two of your old internal switches and route out through your
firewall to the DMZ, upgrade your backbone and live with more assurance
that a configuration, bug or "feature" in the networking layer won't give
an attacker your entire network.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
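As an added illustration (not code from the list or either author), a script that audits a constructed IOS-style switch config for the two things Jeff would have to verify in that design: that the switch cannot route between the DMZ and internal VLANs itself, bypassing the firewall, and that no trunk port carries the DMZ VLAN together with internal VLANs. The VLAN numbers, interface names and the config text are assumptions.

```python
"""Audit a constructed IOS-style switch config for DMZ-on-a-VLAN mistakes.

Findings: (1) 'ip routing' plus SVIs on both the DMZ and an internal VLAN,
meaning the switch can route around the firewall; (2) a trunk whose allowed
list mixes the DMZ VLAN with internal VLANs.
"""
import re

DMZ_VLAN = 10            # assumed DMZ VLAN id
INTERNAL_VLANS = {20, 30}  # assumed internal VLAN ids

# Constructed sample config; not taken from any real device.
SAMPLE_CONFIG = """\
ip routing
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet1/2
 switchport mode trunk
 switchport trunk allowed vlan 20,30
"""

def expand_vlans(spec):
    """Expand an allowed-vlan spec such as '1-3,7' or 'all' into a set."""
    if spec == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, dmz_vlan=DMZ_VLAN, internal_vlans=INTERNAL_VLANS):
    findings, routing, svis, iface = [], False, set(), None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == "ip routing":
            routing = True
        elif stripped.startswith("interface "):
            iface = stripped.split(None, 1)[1]
            m = re.fullmatch(r"Vlan(\d+)", iface)
            if m:
                svis.add(int(m.group(1)))
        elif stripped.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlans(stripped.split()[-1])
            mixed = allowed & internal_vlans
            if dmz_vlan in allowed and mixed:
                findings.append(f"{iface}: trunk carries DMZ VLAN {dmz_vlan} with internal VLANs {sorted(mixed)}")
    routed = svis & internal_vlans
    if routing and dmz_vlan in svis and routed:
        findings.append(f"switch routes between DMZ VLAN {dmz_vlan} and internal SVIs {sorted(routed)}, bypassing the firewall")
    return findings
```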