On 14 Feb 2002, at 9:03, [EMAIL PROTECTED] wrote:

> the problem in the switch OS (problem of configuration, new vulnerability
> on switch OS, ...)
> => DMZ without security !!
> (Excuse my English)
Maybe your questions are:

1. If I use a switch in my DMZ, is it okay to allow external in-band access to the switch's management interface?

Uh, no, for the very reason you mention above. Some may prefer, in a DMZ, to use a switch which has no visible OS or management interface.

2. Is it okay to use a VLAN to implement my DMZ, sharing the switch hardware with my trusted network?

Also no, for two basic reasons:

(a) The VLAN feature is not intended as a security barrier; it may be subject to compromise.

(b) A large switch with VLANs is often more expensive than two smaller switches. VLANs are of limited utility unless you are also trunking together multiple switches, in which case they allow you to define a logical division into subnets that is independent of your physical distribution across switches. But in the case of the DMZ, the logical and physical partitioning of the network really ought to match.

DG

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
