Security Basics mailing list archives
DMZ - VLAN Security
From: m.poultsakis () gmail com
Date: Mon, 28 Sep 2009 09:37:36 -0600
Hello to everyone,

This is my first post here :-)

I am currently investigating a DMZ deployment. The network infrastructure consists of one internal Switch (Summit 400), one Firewall and one (here is the problem...) Summit 400 switch that acts as the outside Switch as well as the DMZ Switch... So it looks like this:

Other Internal Resources (ZoneA) | Internet-------Switch1-----Firewall-----Switch2 | ZoneA | (Internal) DMZ

Even though VLAN segregation exists on Switch1 and InterVLAN routing needs to take place via the Firewall in order for an inbound request to access DMZ resources, the more I am looking at the scheme... the more I am getting concerned... A physical Switch sharing valuable resources with the untrusted interface seems like a weak point to me...

I have done some research on Layer-2 attacks where an attacker can access another VLAN without the router/Firewall knowing anything about it, but most of these resources date back to the late 90's, beginning of the 2000's... So, the reason I am creating this post is that I do not know if things have changed in this field (VLAN attacks) during the last years... are Layer-2 attacks against VLANs still possible?

I am thinking of proposing a change in this deployment but I need to be sure first if threats really exist. The most obvious solution would be to dedicate a Firewall port to the outside (attacker) connection and implement VLAN separation on Switch1 for DMZ and ZoneB (adding another Switch is impossible unfortunately...).

What I need to mention here is that the entire configuration is "static", which means that no VTP, CDP etc. is running in the network...

Thank you all in advance for reading my post and (probably) for thinking of something that can help.

Regards,
Michail Poultsakis