Firewall Wizards mailing list archives
Re: switches in a fw environment
From: Mark Coleman <mcoleman () borg pulsenet com>
Date: Wed, 01 Jul 1998 15:22:40 -0400
Gerhard Mezger wrote:
How do you feel about the usage of switches interconnecting different security domains? To illustrate my question let's take a look at a very
Hi. Long time listener, first time caller. Here is my 2 cents:

I looked into the VLAN issue because a customer wanted to create a small VLAN in a Xyplex switch to contain his DMZ. My opinion was this: the Xyplex is managed via IP, and this puts you at the mercy of trusting the switch manufacturer's code to prevent someone from getting in and joining up the VLANs, thus bypassing the firewall altogether. Not just via management but also through back doors and manufacturer-specific exploits in the operating code. (Remember those default passwords in the ROMs of the other vendors' switches?)

My opinion: don't do it.

Also remember that it is known that you can get around the layer 2 segregation by flooding a switch's tables, forcing it into a "forwarding mode" that starts passing all data everywhere.

Just get an independent switch or a standalone hub for your DMZ.

-Mark Coleman
-Network Access Corporation

--------------------------------------
(Original message follows)

How do you feel about the usage of switches interconnecting different security domains? To illustrate my question let's take a look at a very simplified Internet connection:

PR ----------- Firewall --------- internal net (S)
                  !
                  !
                 WEB

PR=Provider Router; WEB=Webserver in DMZ; S=System in the internal net (running critical applications).

Internet users are only allowed to access the Webserver; access from the internal net to the Internet is very restricted. So far the logical layout. Let's now look at a possible physical implementation using VLANs:

                Firewall
                !  !  !
          vlans 1  2  3
              +---------+
PR----------- !  Switch !-----------S
      vlan1   +---------+   vlan3
                   !
                 vlan2
                   !
                  WEB

I am not sure about the security risk imposed by a central switch, especially because the management of the switch will be done over a (separate) VLAN. I am searching for arguments to become either more comfortable with this solution or to have strong technical arguments against it.

Your input is highly appreciated

Gerhard

(end quote)
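The table-flooding behaviour mentioned in the reply above, as an added example that is not part of the original thread: a toy learning switch with a bounded MAC (CAM) table. When an attacker's port pushes in thousands of bogus source addresses, the entries for the real hosts are evicted and a unicast frame between the firewall and the web server is flooded out every port, so the attacker's port receives it. The same model with a per-port MAC limit (what switch vendors call port security) shows the mitigation, and a small rate check shows how the flood is detected. The model has a single forwarding table and no VLAN tags; it exists to show the overflow mechanism, not any particular product's behaviour. Port names, MAC addresses, table size and thresholds are assumptions chosen for the demonstration.

```python
# Added example (not from the original thread): a toy learning switch whose
# MAC table overflows under a source-address flood.  Port names, addresses,
# table size and thresholds below are assumptions for the demonstration.
from collections import OrderedDict
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity            # table size (assumed 64)
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = OrderedDict()                    # mac -> port, oldest first
        self.learned = []                           # (port, mac) learn events
        self.violations = []                        # (port, mac) rejected learns

    def macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def forward(self, in_port, src, dst):
        """Forward one frame; return the list of egress ports."""
        if src not in self.cam:
            cap = self.max_macs_per_port
            if cap is not None and self.macs_on_port(in_port) >= cap:
                self.violations.append((in_port, src))
                return []                           # port-security violation: drop
            if len(self.cam) >= self.cam_capacity:
                self.cam.popitem(last=False)        # table full: evict oldest
            self.learned.append((in_port, src))
        self.cam[src] = in_port
        self.cam.move_to_end(src)                   # refresh as most recently seen
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:         # broadcast/unknown unicast: flood
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]      # known unicast: one port


def random_mac(rng):
    return "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))


def mac_flood(switch, attacker_port, n_frames, seed=1):
    """Inject n_frames with random src/dst MACs on one port (a macof-style flood)."""
    rng = random.Random(seed)
    for _ in range(n_frames):
        switch.forward(attacker_port, random_mac(rng), random_mac(rng))


def ports_learning_too_fast(switch, threshold):
    """Detection: ports on which more than `threshold` MACs were learned."""
    counts = {}
    for port, _mac in switch.learned:
        counts[port] = counts.get(port, 0) + 1
    return sorted(p for p, n in counts.items() if n > threshold)


FW, WEB = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed addresses


def scenario(max_macs_per_port=None):
    """Firewall on p1, web server on p2, attacker on p3.  Return where a
    WEB->FW unicast frame goes before and after the attacker floods the table,
    the number of port-security violations, and the ports flagged by detection."""
    sw = LearningSwitch(["p1", "p2", "p3"], cam_capacity=64,
                        max_macs_per_port=max_macs_per_port)
    sw.forward("p2", WEB, FW)                       # FW not yet known: flooded
    sw.forward("p1", FW, WEB)                       # reply: both hosts learned
    before = sw.forward("p2", WEB, FW)              # delivered to p1 only
    mac_flood(sw, "p3", 1000)
    after = sw.forward("p2", WEB, FW)
    return before, after, len(sw.violations), ports_learning_too_fast(sw, 10)


if __name__ == "__main__":
    print("no port security   :", scenario())
    print("max 1 MAC per port :", scenario(max_macs_per_port=1))
```

Without a per-port limit the post-flood frame goes to p1 and p3, i.e. the attacker now sees firewall-to-web traffic, and the detector flags p3 as the source. With the limit set to one address per port the first bogus MAC is learned and the remaining 999 are dropped as violations, so the table is never thrashed and the frame still reaches p1 alone.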
Current thread:
- Re: switches in a fw environment Mark Coleman (Jul 02)
- Re: switches in a fw environment Gerhard Mezger (Jul 02)
- <Possible follow-ups>
- Re: switches in a fw environment Bennett Todd (Jul 07)