Security Basics mailing list archives
RE: Layer 2 Switches
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 1 Oct 2004 08:26:00 -0700
That's a defensible choice, but not the most important one. The crucial thing is to get a switch small enough that you don't mind putting *just* the DMZ on it. With a larger or fancier switch, there may be pressure to split it up with VLANs and put some non-DMZ devices on it.

Inter-VLAN security has often been found to be less than robust on models from a variety of manufacturers. If there's a trusted VLAN on this switch, there's a risk that an attacker who gets into your DMZ can compromise the switch and use it to get to your trusted network. If all that's on the switch is the DMZ, all he can reach by compromising the switch is the DMZ -- and if he can reach the switch, he's already there.

Yes, a managed switch may be subject to attacks that an unmanaged one would shrug off. But you can limit the potential for damage to the rest of your network, and so whether the switch is managed or not becomes a matter of choice.

David Gillett
-----Original Message-----
From: Andy Paton [mailto:andy.paton () gmail com]
Sent: Thursday, September 30, 2004 1:03 PM
To: security-basics () securityfocus com
Subject: Layer 2 Switches

Hi All,

I'm building a new network & firewall implementation with a DMZ. I need basic L2 switch functionality in the DMZ and between the firewall. Should I avoid the more expensive switches with management, as they have more potential for bugs/holes etc.?

Thoughts please,

Andy