On Tue, 21 Nov 2000, David Loysen wrote:
> How about getting a good fast Ethernet switch, set yourself up with 40 - 50
> VLANs and then use a separate firewall box between switch and Internet. This
> should effectively isolate the subnets from each other and your firewall
> configuration is back to two interfaces.
"VLANs" and "effectively isolate" hasn't traditionally been true, and
probably will remain not true for several classes of thing. It also
creates a single point of failure/administrative bottleneck/downtime and
for at least one switch vendor, I've seen reports that you can miscraft a
cable that will DoS the entire switch- meaning that 51 switches or a
switch and 50 hubs are the lowest barrier, and still not necessarily
effective controls for isolation.
If you only have to run minimal services, 50 proxy servers and a real
firewall in front of them can work, but exceptions will kill you. 4 good
Sun boxes with QFEs and your favorite firewall product will work too, but
it can be no fun to administer, and again you get the central
administrative issue for cross-domain administration.

50 appliance-type firewalls isn't unreasonable if actual protection is
expected, and that's probably an architecture I'd explore if I had to do
something like that today. It has the advantage of being able to let each
piece of the business administer their own rules, and I'd put a horking
big "real" firewall between all of them and the Internet to enforce global
policy. Cost factor is probably 3x-4x the switch route, but the
protection factor is a lot better.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."