no...
> On 14 Feb 2002, at 9:03, [EMAIL PROTECTED] wrote:
>
>> the problem in the switch OS (problem of configuration, new
>> vulnerability on switch OS, ...)
>> => DMZ without security !!
>> (Excuse my English)
>
> Maybe your questions are:
>
> 1. If I use a switch in my DMZ, is it okay to allow external
> in-band access to the switch's management interface?
>
> Uh, no, for the very reason you mention above. Some may prefer,
> in a DMZ, to use a switch which has no visible OS or management
> interface.
>
> 2. Is it okay to use a VLAN to implement my DMZ, sharing the
> switch hardware with my trusted network?
>
> Also no, for two basic reasons:
>
> (a) The VLAN feature is not intended as a security barrier; it may
> be subject to compromise.
>
> (b) A large switch with VLANs is often more expensive than two
> smaller switches. VLANs are of limited utility unless you are
> also trunking together multiple switches, in which case they allow
> you to define a logical division into subnets that is independent
> of your physical distribution across switches.
> But in the case of the DMZ, the logical and physical partitioning
> of the network really ought to match.
>
> DG
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
