Paul,

It is generally undesirable to have a single point of compromise in any security architecture. In theory, your switch (which holds together your perimeter firewall & DMZ networks) is a single point of compromise. But from a practical perspective, I wouldn't be too concerned with this architecture.

I have often seen sites with merged "exterior" and "interior" routers, for example, and I can think of several highly-regarded texts (Chapman's Building Internet Firewalls comes to mind) that endorse such architectures. Routers are generally robust from a security perspective; at the very least, far more robust than a multipurpose OS.

With a switch, you probably have even LESS to worry about than a merged exterior/interior router. Switches don't have any layer 3 functionality (supervisor modules and routing modules excepted, of course), which renders all of your IP-based attacks irrelevant. It is pretty difficult to compromise a switch without direct physical access.

Moreover, if we make the assumption that your switch is operating correctly, I don't see what the VLAN security issues would be. Frames from one VLAN should never EVER be switched to a different VLAN. I suppose it's possible for your switch to suffer some bizarre form of electromigration, or perhaps a rare bug in the software or a fault in the switch fabric will manifest itself. These scenarios are extremely improbable, to say the least. I'm not saying it can't happen, but I've never personally seen it.

My biggest concern for merged architectures is operational in nature. I would be much more worried about a misconfiguration or wiring snafu on the switch (perhaps resulting in your firewall being bypassed) than The Hacker From Around The World breaking into it.

And if none of this makes you feel better, consider adding a second set of firewalls to protect your interior routers, or put some ACLs on them. In that configuration, even if THFATW can compromise your switch and all its trimmings, they still have some more security to deal with.

My $0.02 worth...

Regards,
Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.

#include <std.disclaimer.h>
My opinions are completely my own and based on no useful knowledge whatsoever, and in fact should not be considered by anyone.

>Date: Tue, 20 Jul 1999 18:20:30 +1000
>From: "btsec" <[EMAIL PROTECTED]>
>Subject: Using VLANs in Firewall topologies
>
>Recently I have come across firewall design topologies involving switches
>(eg Catalyst 5000) which are implementing VLANs.
>
>For example (View with Courier Font):
>
>Internet----Router1-----Switch1---Router3--Internal Network
>                           |
>Internet----Router2-----Switch2---Router4--Internal Network
>
>Where the Switch is configured such that there are a number of VLANs,
>with different subnets comprising a Firewall and a DMZ for example.
>So logically it could look like the below
>
>Internet----Routers----Firewall---web servers---Routers----Internal Network
>
>I personally am a bit concerned about using Switches (VLANs)
>in such a design. I haven't seen too many security designs involving them.
>
>Any comments on using switches for such purposes?
>
>A few thoughts-
>Pros - less hardware (hubs and interconnects via trunking)
>     - switch faster than hub
>     - less chance of snooping
>
>Cons - No physical separation of outside and DMZ
>     - security issues with VLANs, ISL trunking?
>
>Thanks
>
>Paul Therkelsen

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
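The operational risk raised in the reply (a port patched into the wrong VLAN, or a trunk that carries more VLANs than it should, quietly bypassing the firewall) is the sort of thing a configuration audit catches before go-live. The following is an added example, not code from either poster; the VLAN numbers, device names and port table are constructed to mirror the Router1 / Firewall / DMZ / Router3 topology in the thread.

```python
"""Audit a switch port/VLAN table for the merged exterior/interior switch
against the intended zones, so that a mis-assigned port or over-permissive
trunk that routes around the firewall shows up as a finding.
VLAN numbers and device names are hypothetical (constructed for this example)."""

# Zone each VLAN on the shared switch is supposed to carry.
VLAN_ZONE = {10: "outside", 20: "dmz", 30: "inside"}

# Zones each attached device may touch; only the firewall straddles zones.
DEVICE_ZONES = {
    "router1": {"outside"},
    "firewall": {"outside", "dmz", "inside"},
    "web1": {"dmz"},
    "router3": {"inside"},
}

def port_zones(access_vlan, trunk_vlans):
    """Zones reachable from a port: its access VLAN, or every VLAN its trunk allows."""
    vlans = {access_vlan} if access_vlan is not None else set(trunk_vlans)
    return {VLAN_ZONE.get(v, f"unknown-vlan-{v}") for v in vlans}

def audit(ports):
    """ports: iterable of (port, device, access_vlan, trunk_vlans).
    Returns a list of findings; empty means the table matches the zone policy."""
    findings = []
    vlan_members = {}
    for port, device, access_vlan, trunk_vlans in ports:
        allowed = DEVICE_ZONES.get(device)
        if allowed is None:
            findings.append(f"{port}: unknown device '{device}' attached")
            continue
        extra = port_zones(access_vlan, trunk_vlans) - allowed
        if extra:
            findings.append(f"{port}: {device} reaches {sorted(extra)}, policy allows {sorted(allowed)}")
        for v in ({access_vlan} if access_vlan is not None else trunk_vlans):
            vlan_members.setdefault(v, set()).add(device)
    # A VLAN shared by an outside-only and an inside-only device is a path around the firewall.
    for v, members in sorted(vlan_members.items()):
        homes = {next(iter(DEVICE_ZONES[d])) for d in members if len(DEVICE_ZONES[d]) == 1}
        if {"outside", "inside"} <= homes:
            findings.append(f"vlan {v}: outside and inside devices {sorted(members)} share a VLAN: firewall bypass")
    return findings

# Constructed port table: correct wiring, then router3 patched into the outside VLAN by mistake.
GOOD_PORTS = [
    ("Fa0/1", "router1", 10, ()),
    ("Fa0/2", "firewall", None, (10, 20, 30)),
    ("Fa0/3", "web1", 20, ()),
    ("Fa0/4", "router3", 30, ()),
]
BAD_PORTS = GOOD_PORTS[:3] + [("Fa0/4", "router3", 10, ())]
```

Running `audit(BAD_PORTS)` reports both the mis-assigned port and the VLAN on which router1 and router3 now share a broadcast domain with no firewall between them, which is exactly the wiring snafu the reply warns about.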
