Note: Cisco's new-fangled private VLAN stuff may change this picture, but....
Some years ago, I bounced the question off a Cisco engineer, and he strongly agreed with this statement: VLANs were devised when switch ports were exceedingly expensive, and sold in units of 16 or more. At that point in time, allowing customers to partition the switch to service multiple different LANs made it much, much easier to approach 100.00% utilization of the switch ports. They were not designed as security barriers. They were designed as performance enhancements. As long as traffic doesn't cross from VLAN to VLAN in the average case, occasional leaks don't hurt anything. They were never designed nor implemented as security barriers.

Now, that said, it may still be reasonable for a DMZ to be a VLAN on a switch with other VLANs. The other VLANs just need to have comparable security profiles. E.g., perhaps multiple distinct DMZs could share a switch, if all the hosts on them were comparably hardened, and all the ingress/egress filtering and other external screening were being done on a router outside that switch. The key to the analysis is to draw your picture, then ask the question "what harm could be done if an attacker could force the switch to leak traffic, or to allow specific injected traffic, from one VLAN to another?" If the answer is "no problem", then go ahead and share switches. -Bennett
