Security Basics mailing list archives

DMZ - VLAN Security


From: m.poultsakis () gmail com
Date: Mon, 28 Sep 2009 09:37:36 -0600

Hello to everyone,

This is my first post here :-)

I am currently investigating a DMZ deployment. The network infrastructure consists of one internal Switch (Summit 400), 
one Firewall and one (here is the problem...) Summit 400 switch that acts as the outside Switch as well as the DMZ 
Switch...

So it looks like this: 



                Other
               Internal
              Resources
               (ZoneA)
                  |
Internet-------Switch1-----Firewall-----Switch2
                  |                      ZoneA
                  |                    (Internal)
                 DMZ
                

Even though VLAN segregation exists on Switch1 and InterVLAN routing needs to take place via the Firewall in order for 
an inbound request to access DMZ resources, the more I am looking at the scheme... the more I am getting concerned...

A physical Switch sharing valuable resources with the untrusted interface seems like a weak point to me... I have done 
some research on Layer-2 attacks where an attacker can access another VLAN without the router/Firewall knowing anything 
about it, but most of these resources date back to the late 90's / beginning of the 2000's...

So, the reason I am creating this post is that I do not know if things have changed in this field (VLAN attacks) during 
the last years... are Layer-2 attacks against VLANs still possible?

I am thinking of proposing a change in this deployment but I need to be sure first if threats really exist. The most 
obvious solution would be to dedicate a Firewall port to the outside (attacker) connection and implement VLAN 
separation on Switch1 for DMZ and ZoneB (adding another Switch is impossible unfortunately...).

What I need to mention here is that the entire configuration is "static", which means that no VTP, CDP etc. is running in 
the network...


Thank you all in advance for reading my post and (probably) for thinking of something that can help.


Regards,

Michail Poultsakis
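An added example, not part of the original post: the classic way a frame crosses VLANs "without the router/Firewall knowing" is by carrying more than one 802.1Q tag, so a defender reviewing Switch1 can capture frames on the outside-facing port and check whether any arrive with stacked tags, a tag for the native VLAN, or an inner tag for the DMZ VLAN. The VLAN numbers and the sample frames below are constructed for illustration.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (Q-in-Q) and legacy Q-in-Q.
TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for a raw Ethernet frame.

    Walks every stacked VLAN tag that follows the 12-byte dst/src MAC header,
    so a double-tagged frame yields two VLAN IDs (outer first)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12
    vlan_ids = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlan_ids.append(tci & 0x0FFF)          # low 12 bits of the TCI
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return vlan_ids, ethertype


def audit_frame(frame: bytes, dmz_vlan: int, native_vlan: int):
    """Findings for one frame seen on the untrusted (Internet-facing) port.

    Any finding here means the port is accepting tags it should never see
    from the outside and deserves a look at the port/trunk configuration."""
    vlan_ids, _ = parse_vlan_tags(frame)
    findings = []
    if len(vlan_ids) > 1:
        findings.append("stacked-tags")        # Q-in-Q / double tagging
    if vlan_ids and vlan_ids[0] == native_vlan:
        findings.append("native-vlan-tag")     # outer tag matches native VLAN
    if dmz_vlan in vlan_ids[1:]:
        findings.append("inner-tag-dmz")       # inner tag targets the DMZ
    return findings


def build_frame(vlans, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: broadcast dst, fixed src, one 802.1Q tag per
    VLAN in `vlans`, then an IPv4 ethertype and a dummy payload."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("00112233aabb")
    for vid in vlans:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload
```

To use it on real traffic, feed `audit_frame` each frame's bytes from a capture on the outside port (for example via a pcap reader) with your own native and DMZ VLAN numbers; an empty list for every frame is the expected result.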
