Hi!
"Jarmoc, Jeff" wrote:
> I've got a question in regards to running a DMZ on the same physical
> switches as my internal network, but segmented by VLAN. Currently, I've got
> several 10/100 switches on my backbone, so my DMZ is physically separated.
> However, we're looking at upgrading to a gigabit backbone. Obviously,
> gigabit switches are still somewhat pricey, and our DMZ is really only about
> 6 servers. Soooo, the idea came to me to use VLANs to isolate the DMZ and
> internal networks on the same physical switch.
Unfortunately, we can't add much to the solution, but we thought about the
same scenario and perhaps can add some more questions :)
What we have are some concerns about using the same switch in two
DMZs. If the switch is hacked, the other DMZ can be accessed as well.
On the other hand, using a switch to hack other hosts is not
very easy since most hacking scripts obviously don't work on
them since they don't run UNIX. Maybe someone can shed some light
on this?
What we were also thinking about is to use one physical DMZ port
to connect to several DMZs via a VLAN switch. This might work as follows:
Route traffic to DMZ 1 and 2 to the same physical interface,
but to different gateways.
Those gateways are on the same VLAN switch and forward the traffic
to the corresponding hosts. Traffic between the DMZs is routed
via the firewall.
Are there any general problems with this scenario?
Any security concerns except the already mentioned one about the
switch being a weak point? Disabling telnet and accessing it
by physical console only is already included in our policy.
Thanks for any hint or pointers.
Walter
--
Walter Zimmer, Dipl.-Inf.
Fraunhofer-Einrichtung Systeme der Kommunikationstechnik
Hansastraße 32, D-80686 München
Phone: +49(0)89-547088-344
Fax: +49(0)89-547088-220
E-Mail: [EMAIL PROTECTED]
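A small model of the VLAN-per-DMZ setup discussed in this thread, added here as an illustration and not part of either message: it builds and parses 802.1Q-tagged frames and simulates a switch with one access port per DMZ plus one trunk to the firewall, so a host in DMZ 1 can only reach DMZ 2 through the firewall's trunk port. The port names, VLAN IDs and port table are assumptions, and the model drops tagged frames arriving on access ports.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(dst: bytes, src: bytes, vid: int, payload: bytes,
                       ethertype: int = ETHERTYPE_IPV4, pcp: int = 0) -> bytes:
    """Ethernet frame with an 802.1Q tag inserted after the source MAC (no FCS)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid  # DEI bit stays clear
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None when untagged), pcp, inner ethertype and payload."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
                "ethertype": inner, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None, "pcp": None,
            "ethertype": etype, "payload": frame[14:]}


# Constructed port table (assumption): an access port per DMZ, one trunk to the firewall.
PORTS = {
    "gi0/1": {"mode": "access", "vlan": 10},            # DMZ 1 host
    "gi0/2": {"mode": "access", "vlan": 20},            # DMZ 2 host
    "gi0/24": {"mode": "trunk", "allowed": {10, 20}},   # 802.1Q trunk to firewall
}


def egress_ports(ingress: str, frame: bytes) -> list:
    """Ports a frame may be flooded to; VLAN membership alone decides."""
    port = PORTS[ingress]
    vid = parse_frame(frame)["vid"]
    if port["mode"] == "access":
        if vid is not None:          # tagged frame on an access port: dropped
            return []
        vid = port["vlan"]           # untagged traffic belongs to the access VLAN
    elif vid is None or vid not in port["allowed"]:
        return []                    # untagged or disallowed VLAN on the trunk
    out = []
    for name, other in PORTS.items():
        if name == ingress:
            continue
        if other["mode"] == "access" and other["vlan"] == vid:
            out.append(name)
        elif other["mode"] == "trunk" and vid in other["allowed"]:
            out.append(name)
    return out
```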