Penetration Testing mailing list archives
Re: HP BL30's and VLAN's
From: Ricardo Oliveira <rmo-mlists () eurotux com>
Date: Thu, 03 Mar 2005 20:31:53 +0000
Merrick, Carl wrote:
I am not a pen tester and this is more of a theoretical question for the experts. We are in the process of installing HP BL30p blade servers which use the GBE2 integrated switch for network connectivity. One of the servers installed will be a web server which will run in the DMZ. Connectivity to the DMZ will be provided from the GBE2 to a port on the firewall via a VLAN. Other internal VLAN's will be running on the same GBE2 switch. The question is, how secure will this setup be? Is it possible to hack across VLANs on the same switch? My preferred configuration is to physically isolate web servers. Thanks. Carl
Carl,
AFAIK, the integrated switches aggregate the 16 (8+8?) ports from the BL30p's in each enclosure into 4 (IIRC) ports. This is purely an aggregation process, disregarding isolation or performance (8 servers aggregated in 4 ports).
This means you won't get the same traffic separation you'd get in a regular switch - although you could isolate the servers with VLANs, I think it'd be easy to get through this isolation between all the servers connected in these GBE switches. All the "protection" you can get in a regular switch comes from the fact that the switch knows which ports/MAC addresses belong to each VLAN.
Regards, Ricardo Oliveira