Firewall Wizards mailing list archives

Re: DMZ - the physical layer


From: Bennett Todd <bet () rahul net>
Date: Fri, 17 Mar 2000 16:44:56 -0500

2000-03-13-12:57:54 Aaron D. Turner:
> Not sure if it is still true, but Bay Switches used to have a
> problem enforcing VLANs when two ports had the same client MAC
> (as is often the case with Suns).
>
> This can be a major security problem.  Cisco I know doesn't have
> this problem, but most security people will argue against using
> VLANs for security.  Most people recommend different physical
> switches.

Ciscos have had troubles with packet leakage in strange
circumstances as well; I seem to recall something about being able
to unilaterally turn your switch port into an ISL port or something
like that.

I've checked this opinion with a techie at a major switch vendor,
and they enthusiastically liked my statement: VLANs are a
performance optimization, designed to help decrease the size of a
broadcast domain to a fraction of a switch. They are intended to
help improve flexibility, allowing the user to have multiple
isolated broadcast domains in a single physical switch; with the
high early price-per-port of switches, and the limited numbers of
distinct sizes (e.g. 8-port, 12-port, 16-port, 32-port), being able
to carve a larger switch up into VLANs was a big help for customers
pricing reasonable configs, while trying to keep their traffic
organized for performance reasons. But VLANs were always and solely
a performance hack. Leaking packets between them isn't a design
failure of a VLAN unless the leakage consists of enough packets to
have a performance impact. For security barriers, use separate
boxes, or boxes like routers that are designed to make guarantees
about packets only going to the right place.

-Bennett
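The two failure modes recalled in this exchange, as an added illustration that is not part of Aaron's or Bennett's posts: a toy Python model of a VLAN-capable learning switch. The `Switch`, `Port` and `Frame` classes, the "dynamic"/"trunk" port modes, and the sample MAC addresses are all constructed for the example; the trunk negotiation is a deliberately simplified stand-in for the ISL/trunk-port behaviour Bennett half-remembers, not a model of any real negotiation protocol. It shows why a forwarding table keyed on MAC alone leaks across VLANs when two ports in different VLANs share a MAC (the Sun case in Aaron's quote), and why a port a host can talk into trunk mode is no VLAN boundary at all.

```python
"""Toy VLAN learning switch (constructed example, not vendor code).

Two ways a single-box VLAN boundary can fail:
  1. Forwarding table keyed on MAC only, not (VLAN, MAC): a MAC seen on
     two ports in different VLANs makes frames follow the last learner.
  2. A port in a negotiable ("dynamic") mode that the attached host can
     turn into a trunk, after which host-supplied tags pick the VLAN.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    tag: Optional[int] = None   # 802.1Q-style tag; honoured only on trunk ports


@dataclass
class Port:
    vlan: int                   # access VLAN of the port
    mode: str = "access"        # "access", "dynamic" (negotiable) or "trunk"


class Switch:
    def __init__(self, ports: Dict[int, Port], vlan_aware: bool = True):
        self.ports = ports
        self.vlan_aware = vlan_aware    # False models a flat, MAC-only table
        self.table: Dict[object, int] = {}   # learned key -> port number

    def _key(self, vlan: int, mac: str):
        # The whole difference between a VLAN boundary and a leak is this key.
        return (vlan, mac) if self.vlan_aware else mac

    def negotiate_trunk(self, port_no: int) -> bool:
        """Attached host asks for a trunk. Only 'dynamic' ports agree."""
        port = self.ports[port_no]
        if port.mode == "dynamic":
            port.mode = "trunk"
            return True
        return False

    def _ingress_vlan(self, port_no: int, frame: Frame) -> int:
        port = self.ports[port_no]
        if port.mode == "trunk" and frame.tag is not None:
            return frame.tag            # trunk: the sender chooses the VLAN
        return port.vlan                # access: the tag is ignored

    def forward(self, in_port: int, frame: Frame) -> Set[int]:
        """Learn the source, then return the set of egress ports."""
        vlan = self._ingress_vlan(in_port, frame)
        self.table[self._key(vlan, frame.src)] = in_port
        out = self.table.get(self._key(vlan, frame.dst))
        if out is not None and out != in_port:
            # A MAC-only table can hand back a port in another VLAN here.
            return {out}
        # Unknown destination: flood the ingress VLAN (and trunks) only.
        return {p for p, port in self.ports.items()
                if p != in_port and (port.vlan == vlan or port.mode == "trunk")}


def sun_shared_mac_leak(vlan_aware: bool) -> Set[int]:
    """Port 1 (VLAN 10) and port 2 (VLAN 20) are two interfaces of one host
    that uses a single MAC for both; an attacker on port 3 (VLAN 10) sends
    to that MAC and we return where the frame goes."""
    sw = Switch({1: Port(10), 2: Port(20), 3: Port(10)}, vlan_aware=vlan_aware)
    sun = "08:00:20:aa:bb:cc"                       # constructed, Sun-style MAC
    sw.forward(1, Frame(sun, BROADCAST))            # DMZ-side interface learned
    sw.forward(2, Frame(sun, BROADCAST))            # inside interface learned last
    return sw.forward(3, Frame("00:0c:29:de:ad:01", sun))


def trunk_negotiation_hop(port_mode: str):
    """Attacker on port 3 (VLAN 10) tries to reach a victim on VLAN 20 by
    negotiating a trunk and then tagging a frame for VLAN 20."""
    sw = Switch({1: Port(10), 2: Port(20), 3: Port(10, mode=port_mode)})
    attacker, victim = "00:0c:29:de:ad:01", "00:0c:29:be:ef:02"
    sw.forward(2, Frame(victim, BROADCAST))         # victim learned in VLAN 20
    negotiated = sw.negotiate_trunk(3)
    return negotiated, sw.forward(3, Frame(attacker, victim, tag=20))


if __name__ == "__main__":
    print("MAC-only table, shared MAC  ->", sun_shared_mac_leak(False))   # {2}: VLAN 20
    print("(VLAN, MAC) table, shared MAC ->", sun_shared_mac_leak(True))  # {1}: stays in 10
    print("dynamic port, tagged frame  ->", trunk_negotiation_hop("dynamic"))  # (True, {2})
    print("access port, tagged frame   ->", trunk_negotiation_hop("access"))   # (False, {1})
```

The fix for case 1 is entirely inside the switch (key the table on VLAN and MAC, and never pick an egress port outside the ingress VLAN), which is exactly why the poster's point stands: you are trusting an unaudited forwarding-table implementation as your perimeter. Case 2 is a configuration matter, and the practical check on any switch used near a DMZ is that every host-facing port is hard-set to access mode with trunk negotiation disabled, rather than left in a vendor default that negotiates.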
