Re: Managed switches outside firewalls?

["Bryan S. Sampsel" <bsampsel () libertyactivist org>]

For starters, if you don't use the default VLAN configuration, you
mitigate VLAN attacks.  Basically, if you leave your DEFAULT VLAN to 1,
you're asking for injection attacks.

Secondly, configure two VLANs, one that your "public" stuff sits on and
one that can be used for management.  Now, if you want some extra
protection, put the management interface on a separate DMZ port of your
firewall.  This way, you can limit who can even get to that interface
before attempts hit the switch.  The advantage of this is also that if
someone does successfully jump VLANs, you still have a firewall out there
to protect your network.

And yes, there are advantages to managing your switch.  First, the managed
switches are often higher quality.  Second, you can adjust
port-speed/duplex issues if your server has problems with auto-negotiate
on an unmanaged switch.  While this is less common now, it does crop up
from time to time.  Third, if you implemented, say, a Foundry Networks
switch, you can use SFLOW to monitor traffic flows/levels and use the data
for everything from security/intrusion issues to performance benchmarks.

Good luck.

Sincerely,

Bryan S. Sampsel
LibertyActivist.org