Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: firewall-wizards digest, Vol 1 #1229 - 18 msgs

From: Bill Van Emburg <bve () quadrix com>
Date: Sun, 07 Mar 2004 12:15:13 -0500

On Tue, 2 Mar 2004, Dale W. Carder wrote:


Date: Tue, 02 Mar 2004 14:22:40 -0600
From: Dale W. Carder <dwcarder () doit wisc edu>
To: Shimon Silberschlag <shimons () bll co il>
Cc: firewall-wizards () honor icsalabs com,
    David Lang <david.lang () digitalinsight com>
Subject: Re: [fw-wiz] Multiple small switches vs. a single big one;
   Granularity of control

On Feb 29, 2004, at 8:48 AM, Shimon Silberschlag wrote:


When designing a new internet architecture, we are debating the use of
either a physical switch per segment, as was traditionally recommended
by
the majority of readers on this list, and using a big switch combined
with
an on-switch FW that controls traffic down to a port granularity (e.g.
the
Cisco FWSM enclosed in the 6500 switch).


I personally believe that the idea of separating vlans onto separate
switches
is fueled by paranoia and inferior switch architectures.  Separating
vlans
onto their own switches does not scale.  If it does for your
environment, I
envy you :-)

There are economies of scale in having bigger switches with more vlans,
and trunking between them.  The 6500 series switches and competing
products are marketed towards that idea.



I agree that this is the marketing claim. the definition of what 'scales'
varies depending on what you are trying to do.
I, personally, am a very big fan of separate physical switches per segment. Not only is it cheaper in most scenarios, but it's harder to screw up the configs (i.e., better manageability), practically impossible to have an outage of your whole network (i.e., hardware separation and no single points of failure ... if you're careful!), protects you against the *next* bug to be found in your switch vendor's VLAN software (because ALL CODE HAS BUGS ... security 101, right?), is easier to maintain (how many spare 6500s do you have in *your* infrastructure?), and allows for easy separation of control (do *you* have a good way to have separate VLANs administered by different sysadms?).
I'm NOT saying that you *always* have to have *every* segment on its own physical switch. Security is always a business decision, and sometimes the tradeoffs make sense. However, I think VLANs are heavily overused, especially in a company's Internet-facing infrastructure design. From a security perspective, you should physically isolate segments with different levels of security tolerance, whenever possible. For segments with similar security tolerance, you might decide that there are advantages in your scenario, although I'll still argue that my points above are valid in most of the scenarios I've seen.
In particular, if your infrastructure is small, it almost never pays to go with a huge switch.... (just my $0.035 -- I never give just $0.02! ;-) 
--

                                     -- Bill Van Emburg
                                        Quadrix Solutions, Inc.
Phone: 732-742-0475                     (mailto:bve () quadrix com)
Fax:   309-404-7749                     (http://quadrix.com)
                The eBusiness Solutions Company

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: