If you look at all of Cisco's documentation on their website it
recommends you use VLANs just like this. They even did a study with
Microsoft and posted it on Microsoft's website suggesting to use VLANS
to distinguish between outside, dmz, and internal networks. I have seen
many big companies do it this way. For example, last month Cisco had
Excite's network diagram on its site, saying how they used VLANS; they
also had an Oracle example. I have set up quite a few co-locations
using only a 5500 with 3 VLANs, one for the outside, one for the inside,
and one for the DMZ. I don't see how a hacker can break into a different
VLAN from the outside. Switches see VLANs as logical switches inside of
them. If a hacker wants to get to the internal VLAN from the outside he
would have to go through the firewall. If Cisco recommends it and companies
like Microsoft and Excite are implementing it, I don't see how it can be
a security risk. See this link for a really good document on setting up
an e-commerce co-location network; it also has router and PIX configs.

http://www.microsoft.com/TechNet/ecommerce/ciscomef.asp


-----Original Message-----
From: Carroll Kong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 1:44 PM
To: [EMAIL PROTECTED]
Subject: Re: security opinions please [7:3666]


At 03:42 PM 5/8/01 -0400, [EMAIL PROTECTED] wrote:
>Let me lay out the basic topology of a network first:
>
>A 6500 has several VLANS configured on it.  Among these are an external
>internet vlan, a dmz, and several internal vlans.  The internal vlans are
>routed by an MSFC in the 6500.  Routing between the internal, dmz, and
>external is handled by a firewall external to the 6500.
>
>Are there any security issues with having all of these VLANS in the same
>box?  Someone in our organization is concerned that someone can hack the
>switch just because the connection from the internet is plugged into it.
>The switch's management address is on one of the internal vlans, and an
>access list is on the telnet access that restricts access from only the
>internal vlans.

Oh boy, the big security button.  IF you really want to be secure, you are
NOT going to be using VLANs at all.  You want hard, cold, old fashioned
separate layer 2 networks, by HARDWARE.  However, realize security is
really a layering process and hopefully warding off attackers of a
particular experience level by making the task seem like "too much
trouble", or "beyond their ability."  A true pro can penetrate "VLAN"
based security.  A novice, and probably most intermediates, will not.  You
decide and weigh out your costs in choosing the far less flexible
hard-switches-on-the-side method, or using the far more flexible Catalyst
VLAN style.

That is the security cost analysis you must do.  i.e., if you are guarding
the Fort Knox of the computer realm, I'd probably go hardcore.  If you are
not, you may want to stick with VLANs.  Security is always a balance
between convenience and security.  :(  The sad truth is, the ultimate
security is the wire cutters.  (And perhaps a Faraday cage if wireless
takes off.)  :)



-Carroll Kong
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
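A defender-side check of the one concrete control the original poster describes, the telnet access-class that is supposed to limit switch management to the internal VLANs. This is an added example, not code from the thread or from Cisco: it parses a constructed IOS-style fragment and flags any ACL entry that admits a source outside the internal VLAN subnets. The VLAN ids, subnets, interface stanzas and the ACL name MGMT-IN are assumptions.

```python
import ipaddress
import re

# Constructed IOS-style fragment; VLAN ids, subnets and ACL name are assumptions, not from the post.
SAMPLE_CONFIG = """\
interface Vlan10
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
ip access-list standard MGMT-IN
 permit 10.100.0.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
line vty 0 4
 access-class MGMT-IN in
"""
INTERNAL_VLANS = {100, 200}  # assumption: VLAN ids the design treats as internal

def wildcard_to_network(addr, wildcard="0.0.0.0"):
    """IOS standard ACLs use inverse masks: 0.0.0.255 means a /24."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if addr == "host":  # "permit host A.B.C.D"
        addr, wildcard = wildcard, "0.0.0.0"
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_vty_acl(config, internal_vlans):
    """List access-class entries that admit telnet from outside the internal VLANs."""
    internal_nets, acls, vty_acl, section = [], {}, None, ""
    for line in filter(str.strip, config.splitlines()):
        words = line.split()
        if not line[0].isspace():  # start of a new top-level stanza
            section = line.strip()
            if section.startswith("ip access-list standard "):
                acls[section.split()[-1]] = []
            continue
        m = re.match(r"interface Vlan(\d+)$", section)
        if m and int(m.group(1)) in internal_vlans and words[:2] == ["ip", "address"]:
            internal_nets.append(ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False))
        elif section.startswith("ip access-list standard ") and words[0] == "permit":
            acls[section.split()[-1]].append(words[1:])
        elif section.startswith("line vty") and words[0] == "access-class" and words[-1] == "in":
            vty_acl = words[1]
    if vty_acl is None:
        return ["no access-class on vty: telnet reachable from every VLAN"]
    return [f"{vty_acl} permits {wildcard_to_network(*e)}, not an internal VLAN subnet"
            for e in acls.get(vty_acl, [])
            if not any(wildcard_to_network(*e).subnet_of(n) for n in internal_nets)]
```

Running `audit_vty_acl(SAMPLE_CONFIG, INTERNAL_VLANS)` on the fragment reports the stray 192.168.5.0/24 entry; a config with no access-class on the vty lines is reported as reachable from every VLAN.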




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3697&t=3666