I dislike seeing a single VLAN switch used for VLANs on different firewall interfaces - if the switch admin screws up, the firewall is bypassed. When that happens you get the excuse "but the hosts don't see the spill-over since they are on a different subnet anyway". Just doesn't give me that warm fuzzy secure feeling.
Adam

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 14, 2002 4:04 PM
Subject: Reply: Re: Ref.: Re: DMZ with switch

> Hello,
>
> [EMAIL PROTECTED] wrote:
>
> > > 2. Is it okay to use a VLAN to implement my DMZ, sharing the switch
> > > hardware with my trusted network?
> >
> > Also no, for two basic reasons:
> >
> > (a) The VLAN feature is not intended as a security barrier; it may be
> > subject to compromise.
>
> Care to elaborate on that, especially wrt Cisco switches? I've seen
> this argument every now and then, but usually unsubstantiated.
>
> To the contrary, aside from broadcast domain (and thus fault) isolation,
> security is probably the most prominent argument listed in switching
> vendor literature wrt VLANs (which of course doesn't imply the existence
> of actual security in the first place, but sheds some light on its
> developers' design goals (aka what VLANs are "intended" as)).
>
> > (b) A large switch with VLANs is often more expensive than two
> > smaller switches. VLANs are of limited utility unless you are also
> > trunking together multiple switches, in which case they allow you to
> > define a logical division into subnets that is independent of your
> > physical distribution across switches.
> > But in the case of the DMZ, the logical and physical partitioning
> > of the network really ought to match.
>
> Given a number of other constraints, this may or may not be correct.
>
> If this guy has a good reason to want his DMZ to be a VLAN on a
> switch cluster, it should be possible to implement it safely, given
> appropriate switching technology and a well-thought-out configuration.
>
> Regards
>
> Christoph Weber-Fahr
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
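Christoph's closing point (a DMZ VLAN on a shared switch can be safe given appropriate switching technology and careful configuration) and Adam's worry about the switch admin screwing up both come down to the per-port switch configuration. The following is an added example, not code from either poster or from the list: a small Python audit of a Cisco IOS-style running-config for the classic slips that turn a VLAN boundary into a firewall bypass, namely a port left in DTP dynamic mode so an attached host can negotiate a trunk, a trunk whose native VLAN also carries hosts (802.1Q double-tagging risk), and a trunk to a non-firewall device that carries both zones. The config text, the interface names and the VLAN-to-zone assignment (VLAN 20 = DMZ, VLAN 10 = trusted) are constructed assumptions for the example.

```python
"""Audit a Cisco IOS-style switch config for VLAN-separation mistakes (added
example; the sample config below is constructed, not from a real device)."""
import re
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description DMZ web server - hardened access port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description DMZ mail relay - mode never pinned, DTP still active
 switchport access vlan 20
!
interface GigabitEthernet0/23
 description Trunk to DMZ-only access switch, yet carries VLAN 10 too
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description Trunk to firewall (legitimately carries both zones)
 switchport trunk native vlan 20
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""

DMZ_VLANS: Set[int] = {20}      # zone assignment is an assumption for the example
TRUSTED_VLANS: Set[int] = {10}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_interface(lines: List[str]) -> List[str]:
    """Return finding codes for one switchport (empty list means clean)."""
    findings: List[str] = []
    is_trunk = "switchport mode trunk" in lines
    if not (is_trunk or "switchport mode access" in lines):
        # No explicit mode: IOS leaves the port in a dynamic DTP mode, so an
        # attached host can negotiate itself a trunk carrying every VLAN.
        findings.append("DTP_DYNAMIC_MODE")
    if "switchport nonegotiate" not in lines:
        findings.append("DTP_FRAMES_ENABLED")
    if not is_trunk:
        return findings

    native = 1                          # IOS default native VLAN
    allowed: Optional[Set[int]] = None  # None = every VLAN (IOS default)
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            allowed = expand_vlan_list(m.group(1))
    # Untagged frames on a trunk land in the native VLAN; if hosts live there
    # too, 802.1Q double tagging lets one of them inject into another VLAN.
    if native == 1 or native in DMZ_VLANS | TRUSTED_VLANS:
        findings.append("NATIVE_VLAN_IN_USE")
    # A trunk carrying both zones belongs only on the firewall-facing link.
    if allowed is None or (allowed & DMZ_VLANS and allowed & TRUSTED_VLANS):
        findings.append("TRUNK_SPANS_ZONES")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    """Audit every interface stanza; return only those with findings."""
    results: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        findings = audit_interface(lines)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for iface, codes in audit_config(SAMPLE_CONFIG).items():
        print(f"{iface}: {', '.join(codes)}")
```

Feed it the output of `show running-config`; on the constructed sample it flags Gi0/2, Gi0/23 and Gi0/24 while Gi0/1 comes out clean. TRUNK_SPANS_ZONES is informational on the firewall-facing trunk, where carrying both zones is the design, and a real finding anywhere else, which is exactly the "switch admin screws up" case Adam describes.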
