From a pure security perspective, this design is not as secure as
having separate switches for the outside, DMZ and inside networks.
The reasoning is very simple: yes, you can put lots of software in
place to prevent people from telnetting to the switch, but in the
event of just the right failure/misconfiguration, someone could
theoretically re-configure the switch to do bad things.
I have had long discussions with people about this issue, and the
bottom line is that while a compromise in this configuration is
highly improbable, it is not impossible. When you have physical
separation of switches, it is impossible for a software
failure/misconfiguration in the switch to lead to an internal
compromise; it is therefore a more secure configuration to use
multiple switches.
It is, however, very convenient to use a single switch. As a
compromise, I recommend a single external switch and a common
internal switch for the DMZ and internal segments. As there are
normally very few connections on the outside, this is a reasonable
compromise at a very small incremental cost.
HTH,
Kent
On 8 May 2001, at 15:42, [EMAIL PROTECTED] wrote:
> Let me lay out the basic topology of a network first:
>
> A 6500 has several VLANs configured on it. Among these are an
> external internet VLAN, a DMZ, and several internal VLANs. The
> internal VLANs are routed by an MSFC in the 6500. Routing between the
> internal, DMZ, and external is handled by a firewall external to the
> 6500.
>
> Are there any security issues with having all of these VLANs in the
> same box? Someone in our organization is concerned that someone can
> hack the switch just because the connection from the internet is
> plugged into it. The switch's management address is on one of the
> internal VLANs, and an access list on the telnet access restricts
> access to only the internal VLANs.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3698&t=3666
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
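The controls the question relies on (management address on an internal VLAN, an access list limiting telnet to the internal VLANs) are exactly the ones that "just the right misconfiguration" silently undoes, so a defender wants them checked, not assumed. The following Python audit is an added example, not code from the thread or from either poster; it runs over a constructed IOS-style config fragment (the VLAN names, addresses and ACL number are assumed) and flags a management SVI landing on an exposed VLAN, a vty line with no access-class, an access-class that names an undefined list, or one that permits any source.

```python
import re
# Constructed IOS-style sample (not from the thread); VLAN names, addresses and ACL ids are assumed.
SAMPLE_CONFIG = """\
vlan 10
 name EXTERNAL
vlan 30
 name INTERNAL
interface Vlan30
 ip address 10.30.0.2 255.255.255.0
access-list 10 permit 10.30.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input telnet
"""

def parse_stanzas(config):
    # Group lines into stanzas: a column-0 line plus the indented lines under it.
    stanzas = []
    for line in config.splitlines():
        if line.startswith(" ") and stanzas:
            stanzas[-1].append(line.strip())
        elif line.strip():
            stanzas.append([line.strip()])
    return stanzas

def audit_switch_mgmt(config, untrusted=("EXTERNAL", "DMZ")):
    # Return findings for the controls the thread relies on; empty list = clean.
    stanzas = parse_stanzas(config)
    vlan_names, acls = {}, {}
    for st in stanzas:
        if m := re.match(r"vlan (\d+)$", st[0]):
            vlan_names[m.group(1)] = next((s.split()[1] for s in st[1:] if s.startswith("name ")), m.group(1))
        if m := re.match(r"access-list (\d+) (permit|deny) (.+)", st[0]):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    findings = []
    for st in stanzas:
        head, body = st[0], st[1:]
        if (m := re.match(r"interface Vlan(\d+)$", head)) and any(s.startswith("ip address") for s in body):
            name = vlan_names.get(m.group(1), "?")
            if name in untrusted:  # management address sits on an exposed VLAN
                findings.append(f"management SVI on untrusted VLAN {name}")
        if head.startswith("line vty"):
            ac = [s.split()[1] for s in body if s.startswith("access-class ")]
            if not ac:  # every VLAN can reach the management plane
                findings.append(f"{head}: no access-class")
            elif not acls.get(ac[0]):  # an undefined ACL restricts nothing
                findings.append(f"{head}: access-class {ac[0]} is undefined")
            elif any(a == "permit" and s == "any" for a, s in acls[ac[0]]):
                findings.append(f"{head}: access-class {ac[0]} permits any")
    return findings
```

Running `audit_switch_mgmt(SAMPLE_CONFIG)` on the clean sample returns an empty list; dropping the access-class line or moving the SVI to the EXTERNAL VLAN produces a finding for that specific lapse.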