On Fri, Apr 12, 2002 at 11:23:03PM +0200, Mikael Olsson wrote:
> > > Jim MacLeod wrote:
> > > > For many people using a VLAN to separate inside traffic from outside
> > > > traffic is a very big security topic.
...
> This is where I smiled and decided to call this a
> safety feature rather than a problem.
Actually, separation of internal vs. external is anyway not the most typical situation for VLANs. It is more often used to separate multiple Customer DMZs or even multiple Application DMZs from each other. Sure, the separation should be reliable here, too. But the risk that someone would want to exploit it is decreased. In addition to that, having separate switches for each application and each customer is much less possible to achieve (as opposed to having an external red switch and an internal one).

I fully support the claim that it is a major unwise decision to have untrusted internet and trusted/DMZ networks on the same switch, separated by VLAN. The risk is just too high (unless vendors will produce special high security switches).

BTW: sometimes VLAN is not needed; you can switch in secure mode, where all ports are only connected to a single upstream port. This is especially good for DMZs consisting of multiple customer single-box web server installations.

Greetings
Bernd

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
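The "secure mode" Bernd describes at the end of the message, where every server port can talk only to the upstream port and never to a neighbouring server, is what Cisco IOS calls protected ports. The configuration below is an added example and not part of the original post or of any vendor documentation; it assumes a Cisco Catalyst access switch running IOS, and the VLAN number, interface names and descriptions are constructed placeholders.

```cisco
! Constructed example: one DMZ switch hosting single-box web servers
! for several customers.  All hosts sit in the same access VLAN, so
! no extra VLANs are needed, yet no server port can exchange frames
! with any other server port.

! Uplink to the firewall's DMZ interface.  It is left unprotected,
! so it may forward to and receive from every protected port.
interface FastEthernet0/1
 description Uplink to firewall DMZ interface (the only unprotected port)
 switchport mode access
 switchport access vlan 10
 no shutdown
!
! Customer server ports.  "switchport protected" prevents any
! unicast, multicast or broadcast traffic from being forwarded
! between two protected ports on this switch; traffic must
! leave via the unprotected uplink, i.e. through the firewall.
interface range FastEthernet0/2 - 24
 description Customer single-box web servers (isolated from each other)
 switchport mode access
 switchport access vlan 10
 switchport protected
 no shutdown
```

Check a port with `show interfaces FastEthernet0/2 switchport`, which lists `Protected: true` once the command has taken effect. Two caveats for anyone planning this layout: protected-port isolation is local to a single switch, so the moment the DMZ spans two switches over a trunk, hosts on different switches can again reach each other and private VLANs (an isolated secondary VLAN mapped to a promiscuous uplink) are the feature to use instead; and the isolation is only as good as the layer-2 forwarding logic, which is exactly the trust that the thread above argues should never be extended to the internet/trusted boundary.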
