Security Basics mailing list archives

RE: Layer 2 Switches


From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 1 Oct 2004 08:26:00 -0700

  That's a defensible choice, but not the most important one.

  The crucial thing is to get a switch small enough that you
don't mind putting *just* the DMZ on it.  With a larger or 
fancier switch, there may be pressure to split it up with VLANs
and put some non-DMZ devices on it.

  Inter-VLAN security has often been found to be less than robust 
on models from a variety of manufacturers.  If there's a trusted
VLAN on this switch, there's a risk that an attacker who gets 
into your DMZ can compromise the switch and use it to get to your 
trusted network.
  If all that's on the switch is the DMZ, all he can reach by
compromising the switch is the DMZ -- and if he can reach the
switch, he's already there.

  Yes, a managed switch may be subject to attacks that an unmanaged
one would shrug off.  But you can limit the potential for damage to 
the rest of your network, and so whether the switch is managed or not
becomes a matter of choice.

David Gillett
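To make David's warning about inter-VLAN security concrete, here is an added example that is not part of the thread. It audits a switch running-config for the settings that let an attacker cross VLAN boundaries (DTP negotiation left on, native VLAN 1 on trunks, trunks without `switchport nonegotiate`) and for the architectural problem he describes, a DMZ VLAN and a trusted VLAN sharing one switch. It assumes Cisco IOS-style `switchport` syntax; the running-config it reads is constructed, and the VLAN numbers (10 = DMZ, 20 = trusted, 999 = unused native) are hypothetical.

```python
"""Flag inter-VLAN trust problems in a switch running-config.

Added example, not part of the mailing-list thread. Assumes Cisco
IOS-style 'switchport' syntax; the config below is constructed and the
VLAN numbers are hypothetical.
"""

# Constructed sample running-config (hypothetical interfaces and VLANs).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description DMZ web server
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description trusted LAN file server
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/23
 description hardened trunk to firewall
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description trunk left at defaults
 switchport mode dynamic desirable
 switchport trunk native vlan 1
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces


def _last_word(cmds, prefix, default):
    """Last word of the first sub-command starting with prefix, else default."""
    for c in cmds:
        if c.startswith(prefix):
            return c.split()[-1]
    return default


def audit(config, dmz_vlans, trusted_vlans):
    """Return a list of (interface, code, message) findings."""
    findings = []
    access_vlans = set()
    for name, cmds in parse_interfaces(config).items():
        mode = None  # access | trunk | dynamic, or None if not set explicitly
        for c in cmds:
            if c.startswith("switchport mode "):
                mode = c.split()[2]
        if mode is None:
            findings.append((name, "MODE_UNSET",
                "no explicit 'switchport mode'; the running-config hides defaults and "
                "many Cisco models default to DTP 'dynamic auto' (check 'show interfaces switchport')"))
        elif mode == "dynamic":
            findings.append((name, "DTP_ENABLED",
                "DTP negotiation is on; a host on this port can negotiate a trunk "
                "and tag frames for every VLAN on the switch"))
        elif mode == "trunk" and "switchport nonegotiate" not in cmds:
            findings.append((name, "NO_NONEGOTIATE",
                "trunk still speaks DTP; add 'switchport nonegotiate'"))
        if mode in ("trunk", "dynamic"):
            native = int(_last_word(cmds, "switchport trunk native vlan ", "1"))
            if native == 1:
                findings.append((name, "NATIVE_VLAN_1",
                    "trunk uses native VLAN 1; move it to an unused VLAN so "
                    "double-tagged frames cannot hop into another VLAN"))
        if mode == "access":
            access_vlans.add(int(_last_word(cmds, "switchport access vlan ", "1")))
    # The architectural finding: DMZ and trusted traffic on one box.
    if access_vlans & set(dmz_vlans) and access_vlans & set(trusted_vlans):
        findings.append(("switch", "MIXED_TRUST",
            "DMZ and trusted VLANs share this switch; compromising the switch "
            "bridges the DMZ to the trusted network, so give the DMZ its own switch"))
    return findings


if __name__ == "__main__":
    for iface, code, msg in audit(SAMPLE_CONFIG, dmz_vlans={10}, trusted_vlans={20}):
        print(f"{iface}: {code}: {msg}")
```

Run against the sample, the audit reports the defaults-only trunk (DTP on, native VLAN 1) and the shared-switch finding, and is silent on the hardened trunk. Note the `MODE_UNSET` caveat: a running-config omits default values, so a port that shows no `switchport mode` line at all may still be negotiating trunks and has to be checked on the live switch.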


-----Original Message-----
From: Andy Paton [mailto:andy.paton () gmail com]
Sent: Thursday, September 30, 2004 1:03 PM
To: security-basics () securityfocus com
Subject: Layer 2 Switches


Hi All

I'm building a new network & firewall implementation with a DMZ.

I need basic L2 switch functionality in the DMZ and between the
firewall. Should I avoid the more expensive switches with management,
as they have more potential for bugs/holes etc.?


Thoughts please, 
Andy
