Firewall Wizards mailing list archives

switches in a fw environment


From: Gerhard Mezger <Gerhard.Mezger () mail inuco ch>
Date: Tue, 30 Jun 1998 18:20:43 +0000

How do you feel about the usage of switches interconnecting different
security domains? To illustrate my question let's take a look at a very
simplified Internet connection:


              PR   -----------  Firewall --------- internal net (S)
                                   !
                                   !
                                  WEB

PR=Provider Router;  WEB=Webserver in DMZ;   S=System in the internal
net (running critical applications).

Internet users are only allowed to access the Webserver; access from the
internal net to the Internet is very restricted. So far the logical
layout. Let's now look at a possible physical implementation using
VLANs:


                             Firewall
                               !  !  !  vlans 1 2 3
                            +---------+
               PR---------- !  Switch !-----------S
             vlan1          +---------+  vlan3
                                  !
                            vlan2 !
                                  !
                                WEB

I am not sure about the security risk imposed by a central switch
especially because the management of the switch will be done over a
(separate) VLAN. I am searching for arguments to become either more
comfortable with this solution or to have strong technical arguments
against it.

Your input is highly appreciated
Gerhard
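The properties a reviewer would want to verify before trusting a single switch to carry several security domains can be checked mechanically against the switch's port-to-VLAN map. The script below is an added example and is not part of the original post or of any vendor's tooling: it models the VLAN layout from the question (PR on vlan1, WEB on vlan2, S on vlan3, the firewall on a trunk carrying all three) and audits it. The port names, the assumption that the firewall port is an 802.1Q trunk, and VLAN 99 as the separate management VLAN are all constructed for the example.

```python
"""Audit a switch's port-to-VLAN map against a security-domain policy.

Added example modelling the layout in the question.  The policy it enforces:
  1. only the firewall may be a member of more than one security domain;
  2. the management VLAN never shares a port with a data VLAN;
  3. every VLAN on every port is one the policy knows about;
  4. (caveat) no security domain should sit on VLAN 1, the factory default
     VLAN on most switches, into which unconfigured ports are placed.
Port names and VLAN 99 as the management VLAN are assumptions.
"""
from typing import Dict, List, Set

# Constructed port table for the diagram: each port lists the VLANs it carries.
# The firewall port is assumed to be a trunk carrying all three data VLANs;
# every other port is an access port on exactly one VLAN.  VLAN 99 is the
# assumed (separate) management VLAN used to administer the switch.
PORTS: Dict[str, dict] = {
    "fa0/1":  {"device": "PR",           "vlans": {1}},
    "fa0/2":  {"device": "Firewall",     "vlans": {1, 2, 3}},
    "fa0/3":  {"device": "WEB",          "vlans": {2}},
    "fa0/4":  {"device": "S",            "vlans": {3}},
    "fa0/24": {"device": "mgmt-console", "vlans": {99}},
}

# One VLAN per security domain, as in the question.
DOMAIN_VLANS: Dict[int, str] = {1: "external", 2: "dmz", 3: "internal"}
MGMT_VLAN = 99
TRUSTED_MULTIHOMED: Set[str] = {"Firewall"}   # the only device allowed to span domains


def audit(ports: Dict[str, dict], domain_vlans: Dict[int, str],
          mgmt_vlan: int, trusted: Set[str]) -> List[str]:
    """Return a list of policy violations; an empty list means the map is clean."""
    findings: List[str] = []
    known = set(domain_vlans)
    for name, port in ports.items():
        dev = port["device"]
        data = port["vlans"] & known
        # Rule 1: a multi-VLAN port on anything but the firewall is a bypass
        # of the firewall between the domains it touches.
        if len(data) > 1 and dev not in trusted:
            findings.append(f"{name} ({dev}): spans security domains "
                            f"{sorted(domain_vlans[v] for v in data)}")
        # Rule 2: a host with a foot in the management VLAN can reach the
        # switch's control plane, and from there every other VLAN.
        if mgmt_vlan in port["vlans"] and data:
            findings.append(f"{name} ({dev}): management VLAN {mgmt_vlan} "
                            f"shares a port with data VLAN(s) {sorted(data)}")
        # Rule 3: an undocumented VLAN is an undocumented security domain.
        unknown = port["vlans"] - known - {mgmt_vlan}
        if unknown:
            findings.append(f"{name} ({dev}): carries VLAN(s) {sorted(unknown)} "
                            f"not assigned to any domain")
    # Rule 4 (caveat): VLAN 1 is the default VLAN on most switches.
    if 1 in known:
        findings.append(f"domain '{domain_vlans[1]}' uses VLAN 1, the default VLAN "
                        f"on most switches; unconfigured ports land in it")
    return findings


def misconfigured_ports() -> Dict[str, dict]:
    """Constructed variant with two mistakes: a second web server cabled into
    both the DMZ and the internal VLAN, and the management VLAN added to the
    port of an internal host."""
    bad = {k: {"device": v["device"], "vlans": set(v["vlans"])} for k, v in PORTS.items()}
    bad["fa0/5"] = {"device": "WEB2", "vlans": {2, 3}}
    bad["fa0/24"]["vlans"].add(3)
    return bad


if __name__ == "__main__":
    for label, table in (("as drawn", PORTS), ("misconfigured", misconfigured_ports())):
        print(f"--- {label} ---")
        for f in audit(table, DOMAIN_VLANS, MGMT_VLAN, TRUSTED_MULTIHOMED) or ["no findings"]:
            print(f)
```

Run against the layout as drawn, the only finding is the VLAN 1 caveat; the misconfigured variant additionally reports the port spanning two domains and the port mixing management and data traffic. The same check can be fed from a real switch's exported VLAN membership table, which turns the question of whether the switch is trustworthy into a repeatable configuration review rather than a one-time judgement.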


