Security Basics mailing list archives

RE: Firewall and VLAN security design


From: "Bryan S. Sampsel" <bsampsel () libertyactivist org>
Date: Mon, 1 Nov 2004 21:56:11 -0700 (MST)



Is VLAN segmentation enough to segment between the internet, DMZ and
the internal network, or should I also use different switches for
each, and be connected through the firewall?

This is a FAQ, and the usual answer is that no, VLAN separation is not
a robust security barrier, and separate switches are recommended where the
different subnets need separation for security reasons.


Actually, if you don't offer up your management interface to the publicly
accessible side of things, the VLAN separation makes things function
exactly like a physically separate switch.  Without the routing between
those VLANs, the traffic does not magically go from one VLAN to another
and the ability to exploit/crack the switch is no greater than having a
separate switch in place.  In fact, if you have a managed switch, and do
not logically isolate your management interface/IP, you're opening up that
standalone switch.

If you're not crazy enough to put the management IP on the publicly
accessible side, there is no risk unless you allow access through a
firewall or other routing solution.  This is a fundamental concept of
managed switches and VLANs.

This is at least true of Foundry Networks and Cisco switches.  Mileage may
vary.  ;)

Sincerely,

Bryan S. Sampsel
LibertyActivist.org
FNCNE
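The two conditions the reply above hinges on, a management address that is not reachable from the public-facing VLAN and no routing between the VLANs, can be checked mechanically in a switch configuration. The script below is an added example and is not code from the poster or the list; it parses a constructed, IOS-style config fragment (hostnames, VLAN numbers and addresses are hypothetical) and reports any L3 address sitting on a VLAN you declare public-facing, plus the case where `ip routing` is enabled with SVIs on more than one VLAN, which is exactly the "routing between those VLANs" the post says must be absent. Command syntax varies between vendors and platforms, so treat the regexes as a starting point rather than a complete parser.

```python
"""Audit an IOS-style switch config for the two VLAN-separation conditions
discussed in the thread: no management/L3 address on a public-facing VLAN,
and no inter-VLAN routing performed by the switch itself."""
import re
from dataclasses import dataclass, field

# Constructed sample configs (hypothetical hostnames, VLAN ids and addresses).
# Weak: the management SVI lives on the INTERNET VLAN and routing is enabled
# between all three VLANs, so the switch itself bridges the security zones.
WEAK_CONFIG = """\
hostname edge-sw1
ip routing
vlan 10
 name INTERNET
vlan 20
 name DMZ
vlan 30
 name INTERNAL
interface Vlan10
 description management reachable from the outside
 ip address 203.0.113.2 255.255.255.0
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 10
"""

# Hardened: a dedicated management VLAN carries the only L3 address and the
# switch does no routing, so traffic between VLANs must go via the firewall.
HARDENED_CONFIG = """\
hostname edge-sw1
no ip routing
vlan 10
 name INTERNET
vlan 20
 name DMZ
vlan 30
 name INTERNAL
vlan 99
 name MGMT
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 10
"""

SVI_RE = re.compile(r"^interface Vlan(\d+)$")
VLAN_RE = re.compile(r"^vlan (\d+)$")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)$")
NAME_RE = re.compile(r"^\s+name (\S+)$")


@dataclass
class SwitchConfig:
    ip_routing: bool = False
    svi_addrs: dict = field(default_factory=dict)   # vlan id -> IPv4 address
    vlan_names: dict = field(default_factory=dict)  # vlan id -> name


def parse_config(text: str) -> SwitchConfig:
    """Minimal block parser: top-level lines start a block, indented lines belong to it."""
    cfg = SwitchConfig()
    current_svi = None
    current_vlan = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current_svi = current_vlan = None
            if line == "ip routing":
                cfg.ip_routing = True
            elif line == "no ip routing":
                cfg.ip_routing = False
            elif (m := SVI_RE.match(line)):
                current_svi = int(m.group(1))
            elif (m := VLAN_RE.match(line)):
                current_vlan = int(m.group(1))
            continue
        if current_svi is not None and (m := ADDR_RE.match(line)):
            cfg.svi_addrs[current_svi] = m.group(1)
        elif current_vlan is not None and (m := NAME_RE.match(line)):
            cfg.vlan_names[current_vlan] = m.group(1)
    return cfg


def audit(text: str, public_vlans: set[int]) -> list[str]:
    """Return one finding per violated condition; an empty list means both hold."""
    cfg = parse_config(text)
    findings = []
    for vid, addr in sorted(cfg.svi_addrs.items()):
        if vid in public_vlans:
            name = cfg.vlan_names.get(vid, "?")
            findings.append(f"L3/management address {addr} is on public-facing VLAN {vid} ({name})")
    if cfg.ip_routing and len(cfg.svi_addrs) > 1:
        vids = ", ".join(str(v) for v in sorted(cfg.svi_addrs))
        findings.append(f"ip routing is enabled with SVIs on VLANs {vids}: the switch forwards between zones")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg_text, {10}) or ['no findings']}")
```

The `public_vlans` argument is the only policy input: pass the VLAN ids that face the internet (here the constructed VLAN 10). Note that the check covers address placement and routing only; it says nothing about trunk configuration or the switch's own software, which is where the "separate switch" recommendation in the quoted FAQ answer gets its remaining weight.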

