Firewall Wizards mailing list archives

Using VLANs in Firewall topologies


From: "btsec" <btsec () magna com au>
Date: Tue, 20 Jul 1999 18:20:30 +1000

Recently I have come across firewall design topologies involving switches
(eg Catalyst 5000) which are implementing VLANs.

For example (View with Courier Font):

Internet----Router1-----Switch1---Router3--Internal Network
                           |
Internet----Router2-----Switch2---Router4--Internal Network

Where the Switch is configured such that there are a number of VLANs,
with different subnets comprising, for example, a Firewall and a DMZ.
So logically it could look like the below:

Internet----Routers----Firewall---web servers---Routers----Internal Network

I personally am a bit concerned about using Switches (VLANS)
in such a design. I haven't seen too many security designs involving them.

Any comments on using switches for such purposes?

A few thoughts:
Pros    - less hardware (hubs and interconnects via trunking)
        - switch faster than hub
        - less chance of snooping

Cons    - No physical separation of outside and DMZ
        - security issues with VLANs, ISL trunking?

Thanks

Paul Therkelsen
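The "no physical separation" and "ISL trunking" concerns in the post come down to how the trunk and access ports on the shared switch are pinned. As an added example (not from the post, and not a Catalyst 5000 CatOS configuration, whose syntax differs), the script below audits a constructed IOS-style switch configuration against an assumed VLAN-to-zone map and flags the settings that let one VLAN's traffic reach another over a single physical link: ports left in DTP dynamic mode, trunks that still negotiate, trunks that carry every VLAN or mix outside, DMZ and internal VLANs on one uplink, and a native VLAN that coincides with one of the security zones. The sample config, the zone numbers and the interface names are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed IOS-style sample config (assumption: illustrative only, not taken
# from the post, which mentions a Catalyst 5000 but shows no configuration).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description Outside - to Router1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 description DMZ web servers
 switchport access vlan 20
 switchport mode dynamic desirable
!
interface FastEthernet0/3
 description Internal - to Router3
 switchport access vlan 30
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet0/1
 description Uplink to Switch2
 switchport trunk encapsulation isl
 switchport mode trunk
!
interface GigabitEthernet0/2
 description Firewall trunk
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
"""

# Assumed mapping of VLAN id to security zone for this example.
ZONES = {10: "outside", 20: "dmz", 30: "internal"}


@dataclass
class Port:
    name: str
    mode: str = "access"          # assumed default when no mode line is present
    access_vlan: int = 1
    native_vlan: int = 1          # IOS default native VLAN
    allowed: set[int] | None = None  # None means every VLAN (IOS default)
    nonegotiate: bool = False


def expand_vlans(spec: str) -> set[int] | None:
    """Expand an IOS VLAN list such as '10,20-22' into a set; 'all' gives None."""
    spec = spec.strip().lower()
    if spec in ("all", ""):
        return None
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str) -> list[Port]:
    """Collect the switchport settings of every interface block."""
    ports: list[Port] = []
    current: Port | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
            continue
        if current is None or not line.startswith("switchport "):
            continue
        words = line.split()
        if words[1] == "mode":
            current.mode = " ".join(words[2:])
        elif words[1] == "nonegotiate":
            current.nonegotiate = True
        elif words[1] == "access" and words[2] == "vlan":
            current.access_vlan = int(words[3])
        elif words[1] == "trunk" and words[2] == "native":
            current.native_vlan = int(words[4])
        elif words[1] == "trunk" and words[2] == "allowed":
            current.allowed = expand_vlans(words[4])
    return ports


def audit(text: str, zones: dict[int, str] = ZONES) -> dict[str, list[str]]:
    """Return, per port, the settings that weaken the VLAN-based separation."""
    findings: dict[str, list[str]] = {}
    for p in parse_config(text):
        notes: list[str] = []
        if p.mode.startswith("dynamic"):
            notes.append(f"DTP negotiation enabled ({p.mode}); pin the port to access or trunk")
        if p.mode == "trunk":
            if not p.nonegotiate:
                notes.append("trunk still answers DTP; add 'switchport nonegotiate'")
            if p.allowed is None:
                notes.append("trunk carries all VLANs; prune it to the VLANs it needs")
            else:
                carried = {zones[v] for v in p.allowed if v in zones}
                if len(carried) > 1:
                    notes.append("trunk mixes zones " + ", ".join(sorted(carried))
                                 + " on one physical link")
            if p.native_vlan in zones:
                notes.append(f"native VLAN {p.native_vlan} is the {zones[p.native_vlan]} VLAN;"
                             " untagged frames on the trunk land there")
        if notes:
            findings[p.name] = notes
    return findings


if __name__ == "__main__":
    for port, notes in audit(SAMPLE_CONFIG).items():
        for note in notes:
            print(f"{port}: {note}")
```

Running it against the sample prints nothing for the two pinned access ports and flags the DMZ port left in dynamic mode, the ISL uplink that negotiates and carries every VLAN, and the firewall trunk whose native VLAN and allowed list put the outside and DMZ zones on the same wire. Adapting it to a real switch means replacing `SAMPLE_CONFIG` with the exported running configuration and `ZONES` with the site's VLAN plan.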
