On 10 Nov 2001, at 13:57, Bernd Eckenfels wrote:

> I have a question concerning VLANs (trunk ports). Did you do
> some basic research on available VLAN switches? Are those
> implementations secure in singling out virtual LANs, or are they
> vulnerable to attacks?
>
> Instead of using a VLAN and a trunk-able firewall (one can do that
> with a Linux packet filter which is then connected to a "normal"
> firewall), another option is to use a switch in a secure mode where
> ports are locked to communicate with a single point (i.e. Cisco
> ones). I consider the latter to be older and proven technology and it
> does not need special support in the firewall. (On the other hand,
> I am not sure how good IP-spoofing protection on those switches
> works.)
I haven't had a chance to read the original article yet.... I have, however, been thinking that my DMZ servers don't really have much need to talk to each other, and ideally I'd really like them in a bunch of small DMZs, with DMZ-to-DMZ traffic mediated by the firewall.

Rather than cram a bunch of ports onto the firewall, my preferred implementation would be to support trunking on the firewall's DMZ port, and hook it to the uplink/trunk of a small switch (a Cisco 19xx would probably be ideal for many cases) with every switch port in its own VLAN. I'm speculating from Bernd's comments above that David Cavuto's article may have proposed something similar.

It's true that VLANs are not a terribly robust security barrier. Note, though, that in this scenario they are not being used to separate trusted network paths from untrusted paths, but to separate restricted semi-trusted (DMZ) paths from each other. An attacker who, having compromised one DMZ server, manages to also break the trunking, has only just gotten access to additional DMZ servers -- which in most sites, he would already have without that effort. It doesn't really get him much nearer penetrating the trusted network.

Note, though, that this is completely orthogonal to whether a given port is locked to a given IP or MAC address. A switch may have all of its ports so locked, but all part of one big VLAN, in which case the ports are all free to converse with one another without any requirement to travel up the trunk to a router -- the firewall! -- which examines/logs/filters that traffic.

> I consider the latter to be older and proven technology and it does
> not need special support in the firewall.

All very true, but it does nothing to effect the topology change we want, where a single large DMZ subnet becomes *instead* a bunch of small subnets with firewall filtering between them.
DG

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
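The "trunk on the firewall's DMZ port, one VLAN per switch port" layout DG describes, written out for the Linux-packet-filter case Bernd mentions. This is an added example for this page, not code from either poster or from the article under discussion. It assumes a firewall whose port eth1 is cabled to the switch uplink, three DMZ VLANs (10, 20, 30) each configured as a /30 point-to-point link between the firewall and a single DMZ host, a web host in VLAN 10 that must reach a database in VLAN 20, and an nftables-based kernel; all of those names, VLAN ids and addresses are illustrative assumptions. The switch side (each access port in its own VLAN, the uplink as an 802.1Q trunk carrying those tags) is assumed to be configured separately. The script prints what it would do unless DRY_RUN=0 is set, so the commands can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original thread): bring up one 802.1Q
# sub-interface per DMZ VLAN on a Linux firewall's trunk port and
# install a forward policy so that DMZ-to-DMZ traffic exists only
# where the firewall explicitly allows it. Interface name, VLAN ids
# and addresses are assumptions chosen for illustration.
#
# Dry-run by default (prints the commands it would run); DRY_RUN=0
# applies them and needs root.
set -eu

DRY_RUN="${DRY_RUN:-1}"
TRUNK="${TRUNK:-eth1}"      # firewall port cabled to the switch uplink/trunk

# One VLAN per DMZ host: "<vlan-id> <firewall address/prefix>".
# Constructed sample topology: each VLAN is a /30 with the firewall
# at one end and exactly one DMZ host at the other.
DMZ_VLANS="10 192.0.2.1/30
20 192.0.2.5/30
30 192.0.2.9/30"

# Run a command, or just print it when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create and address one VLAN sub-interface per DMZ VLAN on the trunk.
configure_vlan_subinterfaces() {
    run ip link set "$TRUNK" up
    printf '%s\n' "$DMZ_VLANS" | while read -r vid addr; do
        run ip link add link "$TRUNK" name "$TRUNK.$vid" type vlan id "$vid"
        run ip addr add "$addr" dev "$TRUNK.$vid"
        run ip link set "$TRUNK.$vid" up
    done
}

# Emit the nftables ruleset. The forward chain defaults to drop, so
# traffic between two DMZ VLANs is only possible through a rule here;
# nothing is reachable by staying on the switch. (A real firewall's
# inside/outside forward rules would live in this chain as well.)
dmz_ruleset() {
    cat <<EOF
table inet dmz
flush table inet dmz
table inet dmz {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Untagged frames on the trunk itself are not expected: every
        # DMZ host lives behind a tagged sub-interface, so do not forward
        # anything that arrives on the bare trunk port.
        iifname "$TRUNK" drop

        # The one DMZ-to-DMZ path this site permits: the web host in
        # VLAN 10 may open connections to the database host in VLAN 20.
        iifname "$TRUNK.10" oifname "$TRUNK.20" tcp dport 5432 accept

        # Everything else is logged, then dropped by the chain policy.
        log prefix "dmz-deny: " drop
    }
}
EOF
}

# Load the ruleset (or print it when dry-running).
apply_ruleset() {
    if [ "$DRY_RUN" = 1 ]; then
        dmz_ruleset
    else
        dmz_ruleset | nft -f -
    fi
}

main() {
    run sysctl -w net.ipv4.ip_forward=1
    configure_vlan_subinterfaces
    apply_ruleset
}

main "$@"
```

Review the output with the default DRY_RUN=1, then apply with `DRY_RUN=0 sh dmz-trunk.sh` as root and inspect the result with `nft list table inet dmz`. The `policy drop` on the forward chain is what turns the trunk into the choke point DG wants: with every switch port in its own VLAN there is no layer-2 path between DMZ hosts, so every DMZ-to-DMZ packet has to come up the trunk and through this chain, where it is filtered and logged. Locking switch ports to a MAC or IP address, as Bernd describes, can be layered on top but does not by itself create that choke point.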
