Firewall Wizards mailing list archives

RE: switches and security


From: "Andrew J. Luca" <andrewluca () mediaone net>
Date: Wed, 1 Jul 1998 08:31:21 -0400

Gerhard,

        I would have to agree with the earlier posts.  You are relying on the idea
that the switch can keep the individual VLANs separate.  Some of the
implementations that I have examined over the past couple of years don't
fully ensure that this is the case under certain circumstances.  Most of the
VLAN implementations are layer 2 type functions, which means that during
certain broadcast transmissions, you may see some leakage.  Before I get
fifty million posts from people disagreeing, I know that there are layer
three functions and I know that there are layer 2 implementations which
perform this properly.  My claim is simply this: the extra money for a low
end switch (e.g. small, multiport repeater or hub), since you can't have
enough traffic out there to warrant a switch, and a second interface card is
far cheaper than the time that you will spend either 1) verifying that this
works properly or 2) repairing a breach.

Just my opinion.
Drew


-----Original Message-----
From:   owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net]
On Behalf Of Gerhard Mezger
Sent:   Tuesday, June 30, 1998 11:00 AM
To:     firewall-wizards () nfr net
Subject:        switches and security

How do you feel about the usage of switches interconnecting different
security domains? To illustrate my question let's take a look at a very
simplified Internet connection:

                   +--------+
PR ----------------! Firewall!-------------- internal net (S)
                   +--------+
                       !
                      WEB

PR=Provider Router;  WEB=Webserver in DMZ;   S=System in the internal
net (running critical applications).

Internet users are only allowed to access the Webserver; access from the
internal net to the Internet is very restricted. So far the logical
layout. Let's now look at a possible physical implementation using
VLANs:


                     Firewall
                      !  !  !  vlans 1 2 3
                   +---------+
PR ----------------!  Switch !---------------- S
          vlan1    +---------+     vlan3
                        !
                      vlan2
                        !
                       WEB

I am not sure about the security risk imposed by a central switch
especially because the management of the switch will be done over a
(separate) VLAN. I am searching for arguments to become either more
comfortable with this solution or to have strong technical arguments
against it.

Your input is highly appreciated
Gerhard
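Drew's point 1), verifying that the switch really keeps the VLANs apart, can be checked empirically: capture on a port that should belong to a single VLAN (for example the WEB port, vlan2) and flag any frame whose 802.1Q tag carries a VLAN id that port should never see. The script below is an added illustration of that check, not code from either poster; the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN id) is standard, but the port-to-VLAN policy and the captured frames are constructed here for the example rather than taken from a real switch.

```python
import struct

# Ethernet II: dst MAC (6) + src MAC (6) + ethertype (2).
# An 802.1Q tag inserts 4 bytes after the src MAC: TPID 0x8100, then the
# TCI (3 bits PCP, 1 bit DEI, 12 bits VLAN id), followed by the real ethertype.
TPID_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and an optional single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = None  # None means the frame arrived untagged
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan": vid,
        "ethertype": ethertype,
        "broadcast": dst == BROADCAST_MAC,
    }


def build_frame(dst: bytes, src: bytes, vlan, ethertype: int,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Assemble a (possibly tagged) frame; used only to construct test input."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


def find_leaks(port_name: str, captured: list, policy: dict) -> list:
    """Return (index, reason) for every frame whose VLAN id is not allowed
    on the capture port. None in the allowed set permits untagged frames."""
    allowed = policy[port_name]
    findings = []
    for i, raw in enumerate(captured):
        f = parse_frame(raw)
        if f["vlan"] not in allowed:
            kind = "broadcast" if f["broadcast"] else "unicast"
            findings.append((i, f"vlan {f['vlan']} seen on {port_name}: "
                                f"{kind} frame from {f['src']}"))
    return findings


# Constructed policy: the monitoring port hangs off the WEB side, so only
# untagged frames and vlan2 are legitimate there (assumption for the example).
POLICY = {"web-port": {None, 2}}

# Constructed capture (MACs are made up). Frames 2 and 3 represent the kind of
# leakage Drew describes: traffic tagged for other VLANs showing up on vlan2.
MAC_WEB = bytes.fromhex("020000000002")
MAC_S = bytes.fromhex("020000000003")
MAC_PR = bytes.fromhex("020000000001")
SAMPLE_CAPTURE = [
    build_frame(BROADCAST_MAC, MAC_WEB, None, ETHERTYPE_ARP),   # ok: untagged ARP
    build_frame(MAC_WEB, MAC_WEB, 2, ETHERTYPE_IPV4),           # ok: vlan2
    build_frame(BROADCAST_MAC, MAC_S, 3, ETHERTYPE_ARP),        # leak: vlan3 broadcast
    build_frame(MAC_WEB, MAC_PR, 1, ETHERTYPE_IPV4),            # leak: vlan1 unicast
]


def run_example() -> list:
    return find_leaks("web-port", SAMPLE_CAPTURE, POLICY)


if __name__ == "__main__":
    for idx, reason in run_example():
        print(f"frame {idx}: {reason}")
```

On a real switch the capture would come from the port under test (or a SPAN/mirror of it) rather than from a constructed list, and an empty result over a long enough window with broadcast traffic present on the other VLANs is the evidence Drew's point 1) asks for; any finding means the separation the design relies on does not hold.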