Security Basics mailing list archives
RE: Firewall and VLAN security design
From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Mon, 1 Nov 2004 21:56:11 -0700 (MST)
Is VLAN segmentation enough to segment between the internet, DMZ and the internal network, or should I also use different switches for each, and be connected through the firewall.This is a FAQ, and the usual answer is that no, VLAN separation is not a robust security barrier, an separate switches are recommended where the different subnets need separation for security reasons.
Actually, if you don't offer up your management interface to the publicly accessible side of things, the VLAN separation makes things function exactly like a physically separate switch. Without the routing between those VLANs, the traffic does not magically go from one VLAN to another and the ability to exploit/crack the switch is no greater than having a separate switch in place. In fact, if you have a managed switch, and do not logically isolate your management interface/IP, you're opening up that standalone switch. If you're not crazy enough to put the management IP on the publicly accessible side, there is no risk unless you allow access through a firewall or other routing solution. This is a fundamental concept of managed switches and VLANs. This is at least true of Foundry Networks and Cisco switches. Mileage may vary. ;) Sincerely, Bryan S. Sampsel LibertyActivist.org FNCNE
Current thread:
- Firewall and VLAN security design Ahmed Ameen (Nov 01)
- RE: Firewall and VLAN security design David Gillett (Nov 01)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 02)
- RE: Firewall and VLAN security design David Gillett (Nov 03)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 02)
- <Possible follow-ups>
- RE: Firewall and VLAN security design Ivan Coric (Nov 03)
- RE: Firewall and VLAN security design Jonathan Loh (Nov 03)
- RE: Firewall and VLAN security design Paul Benedek (Nov 03)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 03)
- RE: Firewall and VLAN security design Ghaith Nasrawi (Nov 12)
- RE: Firewall and VLAN security design Ivan Coric (Nov 03)
- RE: Firewall and VLAN security design David Gillett (Nov 01)