Firewall Wizards mailing list archives

RE: Per application port DMZ segments?


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 18 Jan 2005 14:18:51 -0500 (EST)

On Tue, 18 Jan 2005, Wes Noonan wrote:

2) The well known issue of VLANs and VLAN hopping

Implementation dependent.

[WJN] Cisco shop, so we all know they have been susceptible in the past...

Sure, but at this point, I'd probably be more worried about a router
spanning multiple VLANs, especially in fail-over or dynamic routing
environments.

4) The requirement for entirely too many IP subnets in the DMZ

Supernetting is your friend.

[WJN] Hadn't considered that (mostly because I don't want to consider
anything that enables this design), but that's a good idea if I get forced
down this path...

Most people rarely do- I tend to have to fall back to it once every couple
of years to deal with a poor design choice or a nifty migration path
(depending on if the addressing scheme was my idea or not...)

[WJN] I did!!! Unfortunately, they want more than just my "expert" opinion!!
<g>

I'd be happy to bill an hour for a second opinion-  we could get that
whole "doctors making each other money" thing going on... ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
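The "supernetting is your friend" point above, worked through as an added example. This is not code from the thread or from either poster; the 10.10.0.0/24 block, the /28 per-application segments and the application names are constructed assumptions. It carves one segment per application, then shows the two ways to summarize them in a firewall rule or route (a minimal set of exact prefixes versus a single covering supernet) and computes the address space a covering supernet admits that no segment actually uses, which is the part to check before you write one aggregate rule.

```python
import ipaddress

# Constructed example: a DMZ block carved into per-application segments.
# The block, prefix length and application names are assumptions for
# illustration, not values from the thread.
DMZ_BLOCK = ipaddress.ip_network("10.10.0.0/24")
APPLICATIONS = ["web", "mail", "dns", "proxy", "vpn", "ftp"]
SEGMENT_PREFIX = 28  # 16 addresses per application segment


def carve_segments(block, names, prefix=SEGMENT_PREFIX):
    """Assign consecutive subnets of the given prefix length, one per application."""
    subnets = block.subnets(new_prefix=prefix)
    return {name: next(subnets) for name in names}


def summarize(networks):
    """Minimal list of prefixes covering exactly the given networks (no extra space)."""
    return list(ipaddress.collapse_addresses(networks))


def covering_supernet(networks):
    """Smallest single prefix that contains every network in the list.

    This is the one-line-rule option; it may admit space no segment uses.
    """
    agg = networks[0]
    while not all(n.subnet_of(agg) for n in networks):
        agg = agg.supernet()
    return agg


def unallocated(aggregate, networks):
    """Address space inside the aggregate that no listed segment occupies.

    Anything returned here is reachable through a rule written against the
    aggregate but is not an allocated DMZ segment; either keep it unrouted
    or deny it explicitly before the aggregate permit.
    """
    leftover = [aggregate]
    for n in networks:
        remaining = []
        for chunk in leftover:
            if n.subnet_of(chunk):
                # address_exclude yields the pieces of chunk outside n
                remaining.extend(chunk.address_exclude(n))
            else:
                remaining.append(chunk)
        leftover = remaining
    return list(ipaddress.collapse_addresses(leftover))


def rule_plan(block=DMZ_BLOCK, names=APPLICATIONS):
    """Compare rule counts: one rule per segment vs summarized vs supernet+deny."""
    segments = carve_segments(block, names)
    nets = list(segments.values())
    exact = summarize(nets)
    agg = covering_supernet(nets)
    slack = unallocated(agg, nets)
    return {
        "segments": segments,
        "per_segment_rules": len(nets),
        "summarized": exact,
        "supernet": agg,
        "supernet_slack": slack,
        # one permit for the supernet plus one deny per slack prefix
        "supernet_rules": 1 + len(slack),
    }


if __name__ == "__main__":
    plan = rule_plan()
    for name, net in plan["segments"].items():
        print(f"{name:10s} {net}")
    print("per-segment rules:", plan["per_segment_rules"])
    print("summarized prefixes:", [str(n) for n in plan["summarized"]])
    print("covering supernet:", plan["supernet"],
          "unallocated inside it:", [str(n) for n in plan["supernet_slack"]])
```

With six /28 segments the summarized form needs two prefixes (a /26 and a /27) and admits nothing extra, while the single /25 supernet admits a spare /27 that should be denied or left unrouted. The same functions work for any block and prefix length, so the comparison can be rerun as segments are added during a migration.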
