Hello,



[EMAIL PROTECTED] wrote:
> 2.  Is it okay to use a VLAN to implement my DMZ, sharing the switch
> hardware with my trusted network?

> Also no, for two basic reasons:

> (a) The VLAN feature is not intended as a security barrier; it may be
> subject to compromise.

Care to elaborate on that, especially wrt Cisco switches? I've seen
this argument every now and then, but usually unsubstantiated.

To the contrary: aside from broadcast-domain (and thus fault) isolation,
security is probably the most prominent argument listed in switching
vendor literature wrt VLANs (which of course doesn't imply
the existence of actual security in the first place, but sheds some
light on its developers' design goals (aka what VLANs are
"intended" as)).

> (b) A large switch with VLANs is often more expensive than two
> smaller switches.  VLANs are of limited utility unless you are also
> trunking together multiple switches, in which case they allow you to
> define a logical division into subnets that is independent of your
> physical distribution across switches.
>   But in the case of the DMZ, the logical and physical partitioning
> of the network really ought to match.

Given a number of other constraints, this may or may not be correct.

If this guy has a good reason to want his DMZ to be a VLAN on a
switch cluster, it should be possible to implement it safely, given
appropriate switching technology and a well-thought-out configuration.

Regards

Christoph Weber-Fahr


_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
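The thread leaves "well-thought-out configuration" unspecified. The following is an added example, not part of the mailing-list discussion or anyone's posted configuration: a small Python audit that encodes the port-level discipline a VLAN-based DMZ on a Cisco IOS switch needs, and that exercises it against two constructed IOS config excerpts, one left at typical defaults and one hardened. The checks cover the two well-known ways a host crosses a VLAN boundary on a switch: negotiating a trunk over DTP (any port left in a dynamic mode or a trunk without `switchport nonegotiate`), and 802.1Q double tagging, which relies on the trunk's native VLAN being the attacker's VLAN (native VLAN 1, or the native VLAN also carried on the trunk). Interface names, VLAN numbers and descriptions in the sample configs are assumptions made up for the example.

```python
"""Audit Cisco IOS interface stanzas for the classic VLAN-hopping weaknesses.

Added example; the two configs below are constructed for illustration and
their interface names and VLAN IDs are assumptions, not a real network.
"""
from typing import Dict, List, Tuple

# Constructed: defaults left in place, the kind of config that makes a VLAN
# a weak security boundary.
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description DMZ web server
 switchport access vlan 20
!
interface GigabitEthernet0/3
 description unused
 switchport mode dynamic desirable
!
"""

# Constructed: same ports, hardened. DTP off, explicit modes, an unused
# native VLAN that is not carried on the trunk, trunk pruned to what must
# cross it, and the unused port parked in a dead VLAN and shut down.
HARDENED_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description DMZ web server
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def expand_vlan_list(spec: str) -> set:
    """Turn an IOS VLAN list such as '10,20-22,30' into {10,20,21,22,30}."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_interface(name: str, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (interface, finding-code) pairs for one interface stanza."""
    findings: List[Tuple[str, str]] = []
    if "shutdown" in lines:
        return findings  # an admin-down port carries no frames
    mode, native, allowed, nonegotiate = None, 1, None, False
    for cmd in lines:
        if cmd.startswith("switchport mode "):
            mode = cmd[len("switchport mode "):]
        elif cmd.startswith("switchport trunk native vlan "):
            native = int(cmd.rsplit(None, 1)[1])
        elif cmd.startswith("switchport trunk allowed vlan "):
            allowed = cmd[len("switchport trunk allowed vlan "):]
        elif cmd == "switchport nonegotiate":
            nonegotiate = True
    if mode is None or mode.startswith("dynamic"):
        # No static mode: a host speaking DTP can negotiate the port into a
        # trunk and then tag frames into any VLAN (switch spoofing).
        findings.append((name, "DTP_ENABLED"))
    elif mode == "trunk":
        if not nonegotiate:
            findings.append((name, "TRUNK_NEGOTIATES"))
        if native == 1:
            # Hosts on default access ports sit in VLAN 1; a double-tagged
            # frame from one of them has its outer tag stripped here and the
            # inner tag forwarded on (double tagging).
            findings.append((name, "NATIVE_VLAN_1"))
        if allowed is None or allowed == "all":
            findings.append((name, "TRUNK_ALLOWS_ALL"))
        elif allowed != "none" and native in expand_vlan_list(allowed):
            findings.append((name, "NATIVE_ON_TRUNK"))
    return findings


def audit(config: str) -> List[Tuple[str, str]]:
    """Audit every interface; an empty list means no finding."""
    results: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        results.extend(audit_interface(name, lines))
    return sorted(results)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Running the block prints five findings for the weak config (the trunk still negotiates, uses native VLAN 1 and carries every VLAN; the two other ports are left in DTP-negotiable modes) and none for the hardened one. The audit deliberately stops at the port level: it does not model `switchport trunk allowed vlan add` variants or the global `vlan dot1q tag native` alternative to an unused native VLAN, and a clean result says nothing about the switch's management plane or firmware, which is the part of the "VLANs are not a security barrier" argument that no port configuration addresses.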
