Firewall Wizards mailing list archives
Re: firewall-wizards digest, Vol 1 #1229 - 18 msgs
From: Bill Van Emburg <bve () quadrix com>
Date: Sun, 07 Mar 2004 12:15:13 -0500
On Tue, 2 Mar 2004, Dale W. Carder wrote:

Date: Tue, 02 Mar 2004 14:22:40 -0600
From: Dale W. Carder <dwcarder () doit wisc edu>
To: Shimon Silberschlag <shimons () bll co il>
Cc: firewall-wizards () honor icsalabs com, David Lang <david.lang () digitalinsight com>
Subject: Re: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control

On Feb 29, 2004, at 8:48 AM, Shimon Silberschlag wrote:

When designing a new internet architecture, we are debating the use of either a physical switch per segment, as was traditionally recommended by the majority of readers on this list, and using a big switch combined with an on-switch FW that controls traffic down to a port granularity (e.g. the Cisco FWSM enclosed in the 6500 switch).

I personally believe that the idea of separating vlans onto separate switches is fueled by paranoia and inferior switch architectures. Separating vlans onto their own switches does not scale. If it does for your environment, I envy you :-) There are economies of scale in having bigger switches with more vlans, and trunking between them. The 6500 series switches and competing products are marketed towards that idea.

I agree that this is the marketing claim. The definition of what 'scales' varies depending on what you are trying to do.
I, personally, am a very big fan of separate physical switches per segment. Not only is it cheaper in most scenarios, but it's harder to screw up the configs (i.e., better manageability), practically impossible to have an outage of your whole network (i.e., hardware separation and no single points of failure ... if you're careful!), protects you against the *next* bug to be found in your switch vendor's VLAN software (because ALL CODE HAS BUGS ... security 101, right?), is easier to maintain (how many spare 6500s do you have in *your* infrastructure?), and allows for easy separation of control (do *you* have a good way to have separate VLANs administered by different sysadms?).
I'm NOT saying that you *always* have to have *every* segment on its own physical switch. Security is always a business decision, and sometimes the tradeoffs make sense. However, I think VLANs are heavily overused, especially in a company's Internet-facing infrastructure design. From a security perspective, you should physically isolate segments with different levels of security tolerance, whenever possible. For segments with similar security tolerance, you might decide that there are advantages in your scenario, although I'll still argue that my points above are valid in most of the scenarios I've seen.
In particular, if your infrastructure is small, it almost never pays to go with a huge switch.... (just my $0.035 -- I never give just $0.02! ;-)
--
Bill Van Emburg
Quadrix Solutions, Inc.
Phone: 732-742-0475 (mailto:bve () quadrix com)
Fax: 309-404-7749 (http://quadrix.com)
The eBusiness Solutions Company

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards