I was thinking that each supplier would have his/her own VLAN.  Therefore, on the
switch, there could be 10 VLANs.  I would then use one of the switch ports to
connect to the DMZ interface on the firewall.  I would also have 10 IP addresses
bound to the DMZ interface card.  Each supplier's VLAN would be bound to its
respective IP address on the DMZ interface.  Would it work?

Any comments/suggestions are greatly appreciated.

Thanks and have a quality weekend.

Ivan


----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, October 22, 1999 12:47 PM
Subject: Re: VLAN - a semi-firewall related question


> >Option 2:
> >A smarter approach, one says.  Have an intelligent switch connecting to a
> >NIC in the firewall.  Each port of the switch is isolated, a VLAN approach.
> >Competitive suppliers cannot "peer" into each other's data.
> >
> >Being a non-router/switch guy, how can I configure and secure the switch?
> >I have also heard a router guru mention that, in order to provide
> >security, we should not use an intelligent switch, as if someone connects to the
> >console of a switch, he/she can sniff the packets.
>
> You could purchase a switch with IP routing functionality (e.g. Cisco Catalyst
> with RSM module, other vendors have comparable offerings I'm sure). Create one
> network (VLAN) for each of your suppliers, using unique and separate network
> numbers. Route each VLAN to your firewall's external interface. Configure access
> lists on the switch/router such that one VLAN cannot talk to another; the only
> permissible communications should be between each VLAN and the firewall's
> exterior interface.
>
> When you say "intelligent switch" I assume you mean a switch with some
> IP-addressed supervisor functionality. Those functions can usually be disabled
> or access-control restricted. It's a risk, but an extremely minor one at best.
>
> One important question you should ask: to what extent are *you* responsible for
> your suppliers' security? Is there a contractual agreement, or are you just
> trying to be a nice guy? At any rate, your suppliers should be taking their own
> security measures at their end, with their own firewalls and routers and access
> lists. If your supplier doesn't even take their own security seriously, what
> leads you to believe that they care about yours?
>
> Regards,
>
> Christopher Zarcone
> Network Security Consultant
> RPM Consulting, Inc.
> #include <std.disclaimer.h>
> My opinions are completely my own and based on no useful knowledge whatsoever,
> and in fact should not be considered by anyone.
>
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
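The per-supplier VLAN design from the quoted reply, modelled as an added example (not code from either poster): each VLAN gets its own subnet, and an inbound access list on each VLAN interface permits traffic only to the firewall's exterior interface and denies everything else, so VLAN-to-VLAN traffic is never routed. The subnets, VLAN ids and firewall address are constructed sample values; the IOS-style lines are rendered for illustration.

```python
"""Model of the one-VLAN-per-supplier design with per-VLAN access lists."""
from ipaddress import ip_address, ip_network

FIREWALL_EXT = ip_address("192.0.2.1")          # firewall exterior interface (constructed)
SUPPLIER_VLANS = {                              # vlan id -> subnet (constructed sample values)
    10 + i: ip_network(f"10.{i}.0.0/24") for i in range(1, 11)
}


def vlan_acl(vlan_id):
    """Ordered rules applied inbound on one supplier's VLAN interface.

    Each rule is (action, src_net, dst_net). Using the VLAN's own subnet as
    the source also drops packets with a spoofed source address.
    """
    net = SUPPLIER_VLANS[vlan_id]
    return [
        ("permit", net, ip_network(f"{FIREWALL_EXT}/32")),   # VLAN -> firewall only
        ("deny", net, ip_network("0.0.0.0/0")),              # VLAN -> anything else
    ]


def evaluate(vlan_id, src, dst):
    """Return 'permit' or 'deny' for a packet entering the switch on `vlan_id`."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in vlan_acl(vlan_id):
        if src in src_net and dst in dst_net:   # first match wins, as in IOS
            return action
    return "deny"   # implicit deny at the end of every IOS access list


def to_ios(vlan_id, acl_number):
    """Render the rules as Cisco IOS extended ACL lines (wildcard masks)."""
    lines = []
    for action, src_net, dst_net in vlan_acl(vlan_id):
        src = f"{src_net.network_address} {src_net.hostmask}"
        dst = "any" if dst_net.prefixlen == 0 else f"host {dst_net.network_address}"
        lines.append(f"access-list {acl_number} {action} ip {src} {dst}")
    return lines


if __name__ == "__main__":
    for vid in sorted(SUPPLIER_VLANS):
        print("\n".join(to_ios(vid, 100 + vid)))
    print(evaluate(11, "10.1.0.5", "192.0.2.1"))   # permit: supplier -> firewall
    print(evaluate(11, "10.1.0.5", "10.2.0.5"))    # deny: supplier -> other supplier
```

Return traffic from the firewall arrives on the firewall-facing interface, not on a VLAN interface, so these inbound lists never need to permit it.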
