On Wed, 4 Apr 2001, Jarmoc, Jeff wrote:
> I've got a question in regards to running a DMZ on the same physical
> switches as my internal network, but segmented by VLAN. Currently, I've got
> several 10/100 switches on my backbone, so my DMZ is physically separated.
> However, we're looking at upgrading to a gigabit backbone. Obviously,
> gigabit switches are still somewhat pricey, and our DMZ is really only about
> 6 servers. Soooo, the idea came to me to use VLANs to isolate the DMZ and
> internal networks on the same physical switch.
> Does anyone have any experience with this, or opinions on how it
> would impact security or performance? The gigabit switch I'm looking at is
> also capable of Layer 3 switching, but obviously any layer 3 traffic between
> these two VLANs would have to go through the firewall; I'll need to make
> sure I can specify that in the switch's software. Recommendations of
> quality gigabit switches that can support up to 24 gig ports and 48 100-meg
> ports would also be appreciated, but that's not really the point of my
> message.
>
> Thanks in advance for the wonderful insights.
My opinion on this is: Don't rely on VLANs for security.
In Building Internet Firewalls, Ed 2, page 101, we say:
... VLANs are a convenient tool in many situations, and they provide a
small measure of increased security over a plain switched network.
However, you are still running all of the traffic through a single
device, which could be compromised. There are known attacks that will
move traffic from one VLAN to another in most implementations, and almost
any administrative error will compromise the separation. You should not
rely on VLANs to provide strong, secure separation between networks.
In addition, using a VLAN to separate your DMZ and Internal network and
having a firewall to route IP traffic is logically equivalent to having an
architecture with two interior routers. We also recommend against this type
of architecture!
I think you may want to re-evaluate why you need gigabit networking in
your DMZ. Where is most of your traffic coming from/going to? Last time
I looked a decent, but cheap, unmanaged 8 port 100MB switch cost less than
$300.
Simon Cooper.
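As an added example (not from the original post or the book), here is a small audit of an IOS-style switch configuration for the kind of administrative slip the reply warns about: a trunk whose native VLAN is one of the segregated VLANs, a trunk that carries both VLANs off the switch, and a port labelled as DMZ but placed in the internal VLAN. The VLAN numbers, interface names and configuration text are constructed for the example.

```python
# Assumed VLAN plan for this example (not from the original post): 10 = DMZ, 20 = internal.
DMZ_VLANS = {10}
INTERNAL_VLANS = {20}

# Constructed IOS-style sample with three common administrative errors.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3
 description dmz-web-server
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/4
 description uplink-to-core
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
interface GigabitEthernet0/5
 switchport mode trunk
"""

def parse_interfaces(config):
    """Collect description, mode, access VLAN, native VLAN and allowed list per interface."""
    ifaces, cur = {}, {}  # the initial throwaway dict absorbs lines before the first interface
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            ifaces[line.split(None, 1)[1]] = cur = {"desc": "", "mode": "access",
                                                     "access": 1, "native": 1, "allowed": None}
        elif line.startswith("description "):
            cur["desc"] = line.split(None, 1)[1].lower()
        elif line.startswith("switchport mode "):
            cur["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            cur["access"] = int(line.split()[-1])
        elif line.startswith("switchport trunk native vlan "):
            cur["native"] = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = {int(v) for v in line.split()[-1].split(",")}
    return ifaces

def audit(config):
    """Return one finding per setting that weakens the DMZ/internal split."""
    findings, segregated = [], DMZ_VLANS | INTERNAL_VLANS
    for name, i in parse_interfaces(config).items():
        if i["mode"] == "trunk":
            if i["native"] in segregated:  # untagged frames are delivered into that VLAN
                findings.append(f"{name}: native VLAN {i['native']} is a segregated VLAN")
            if i["allowed"] is None or segregated <= i["allowed"]:  # no list = every VLAN
                findings.append(f"{name}: trunk carries both DMZ and internal VLANs")
        elif "dmz" in i["desc"] and i["access"] in INTERNAL_VLANS:
            findings.append(f"{name}: described as DMZ but in internal VLAN {i['access']}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports four findings for the sample; a config with only access ports in their intended VLANs reports none.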