Aha... some great reading here:

http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
http://rr.sans.org/switchednet/switch_security.php
http://online.securityfocus.com/archive/1/26008
http://security-archive.merton.ox.ac.uk/bugtraq-199909/0223.html
http://lists.synfin.net/Archives/firewall-wizards/1998/Nov/msg00039.html (thread)
There does seem to be potential for "failing open" the switch in some cases, and possibly even for messing with the 802.1q/ISL trunks/tags to jump VLANs. Anyone who manages to compromise the particular DMZ I'm working with will likely be sophisticated enough to at least *try* to mess with the VLAN security, which means that our segmentation will only be as good as the IOS.

This quote (paraphrased) pretty much told me what I wanted verification on: "VLANs are designed for traffic and bandwidth management, not security."

Bottom line: I don't want to rely on the switch IOS for security. For $850, an additional switch is worth it.

Thanks for all the responses!

-Mike
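The "messing with the 802.1q tags to jump VLANs" concern above is easier to reason about with the tag stack in front of you. The following is an added example, not code from the original thread or from any of the linked documents: it builds 802.1Q frames with constructed sample addresses and payloads, walks the tag stack, and simulates the one trunk behaviour that makes stacked tags dangerous, namely that a frame tagged with the trunk's native VLAN is sent untagged, so a second (inner) tag survives to the next switch. The `classify` check flags the two frame shapes a defender would not expect to see coming in from a host: any tag on an access port, and more than one tag anywhere. The VLAN numbers, MAC addresses and native-VLAN choice are all assumptions for illustration.

```python
import struct

TPID_8021Q = 0x8100   # C-tag TPID (IEEE 802.1Q)
TPID_8021AD = 0x88A8  # S-tag TPID (IEEE 802.1ad / QinQ)
TPIDS = (TPID_8021Q, TPID_8021AD)


def build_frame(dst_mac: str, src_mac: str, vids, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (outermost first).

    Addresses, VIDs and payload are constructed sample data supplied by the caller.
    Each tag is TPID (2 bytes) + TCI (2 bytes); we use PCP=0, DEI=0, VID in the low 12 bits.
    """
    header = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return header + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes):
    """Walk the tag stack after the two MAC addresses.

    Returns (vids_outermost_first, inner_ethertype, payload_offset).
    A truncated frame yields whatever tags were complete and ethertype None.
    """
    off = 12
    vids = []
    while off + 2 <= len(frame):
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in TPIDS:
            return vids, tpid, off + 2
        if off + 4 > len(frame):
            break  # TPID present but TCI cut off: stop, do not guess
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, None, len(frame)


def trunk_egress(frame: bytes, native_vid: int) -> bytes:
    """Simulate an 802.1Q trunk port transmitting a frame.

    Traffic belonging to the native VLAN is sent untagged, so if the outermost
    tag carries the native VID that single tag is removed. Any inner tag is left
    intact, which is exactly how a double-tagged frame reaches the next switch
    looking like an ordinary frame for the inner VLAN.
    """
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vid:
        return frame[:12] + frame[16:]  # drop the 4-byte outer tag only
    return frame


def classify(frame: bytes, port_is_access: bool) -> str:
    """Flag frame shapes that should never arrive from an end host."""
    vids, _, _ = parse_tags(frame)
    if port_is_access and vids:
        return "suspect: tagged frame received on access port"
    if len(vids) > 1:
        return "suspect: stacked 802.1Q tags"
    return "ok"


def demo():
    """Worked scenario with constructed data: native VLAN 1, target VLAN 20."""
    native = 1
    attacker = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                           [native, 20], 0x0800, b"constructed payload")
    after_first_switch = trunk_egress(attacker, native)
    return {
        "sent_vids": parse_tags(attacker)[0],
        "seen_by_next_switch": parse_tags(after_first_switch)[0],
        "verdict_on_access_port": classify(attacker, port_is_access=True),
        "verdict_on_trunk": classify(attacker, port_is_access=False),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The thing to take from `demo()` is that the first switch does nothing wrong by its own rules (it simply strips the native-VLAN tag it was told to strip), yet the frame that comes out is a legitimate-looking VLAN 20 frame. That is why the usual hardening advice is to put the trunk's native VLAN on an otherwise unused VLAN, keep end-host ports in access mode, and treat any tagged frame arriving on an access port as a signal worth alerting on; the classifier above is the shape of that check.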