Firewall Wizards mailing list archives

RE: DMZ - the physical layer


From: Carl Friedberg <friedberg () exs esb com>
Date: Sat, 18 Mar 2000 03:13:21 -0500

The use of VLANs at the border doesn't make sense to me, but I've never had
the situation come up. The first thought to cross my mind: this
configuration (multiple separate LANs off a firewall, e.g. a web (DMZ) net,
a business partner's net, and the various corporate nets) couldn't pass a
serious security audit without physically separate wiring. That's just my
off-the-top-of-the-head assessment, but I wouldn't propose this. VLANs are
fine for performance optimizations, but I wouldn't suggest using them for
securing a perimeter. Just my 2 cents.

I'm not familiar with NetGear; I wouldn't try it with Cabletron (formerly
DEC) or HP ProCurves, but those are pretty cheap (24 ports around $1,200 or
so).

Carl () comets com

-----Original Message-----
From: fernando_montenegro () hp com [mailto:fernando_montenegro () hp com]
Subject: RE: [fw-wiz] DMZ - the physical layer


1) Using separate hubs/switches for each subnet in your firewall LANs:

Cons - Adds complexity to hardware needs, such as extra rack space, extra
power outlets, ...

seems pretty minor

     - Makes changes to a LAN (such as adding servers to the web farm)
harder

I don't see it as being much harder if you plan for some expansion on your
switches

     - Makes a more resilient (not HA) configuration harder: more
individual components to duplicate

well, with meshing/spanning tree, etc., I'm not sure I buy that either
