Firewall Wizards mailing list archives

Re: Using VLAN's in Firewall topologies


From: "Dallas N Bishoff"<Dallas.N.Bishoff () faa gov>
Date: Wed, 21 Jul 1999 09:35:39 -0500

Paul:

This can be done properly, and secured, with the appropriate amount of training,
talent and policy management.  In fact, if you read Chapter 4: Firewall Design,
from "Building Internet Firewalls", you'll find the guidelines for how this is
done, and what not to do.

Basically, the hosts reside in a virtual DMZ that is defined by the subnet.  So,
your customers can have access to their systems, which can reside in their
business areas.  One of the things that you really have to watch out for, and
you have to ensure adherence to, is that the host owners cannot set up a system
in the DMZ that is dual-homed -- public NIC and private NIC, and definitely not
with IP forwarding across the NICs.

Regards!!!

Dallas N. Bishoff
MCSE, MCT, CCSE, ICE
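As an added example (not part of Dallas's post or the book he cites), here is a small audit of a host inventory that flags the two things he warns about: DMZ hosts that are also homed on the internal network, and multi-NIC hosts with IP forwarding turned on. The zone subnets, hostnames, addresses and sysctl values are all constructed for illustration.

```python
"""Audit a virtual-DMZ host inventory for dual-homing and IP forwarding.

Added example, not code from the mailing-list thread. The zone/subnet map,
the host inventory and the ip_forward values are constructed sample data.
"""
import ipaddress

# Constructed: which subnets carry which trust zone in the virtual DMZ design.
ZONES = {
    "public":   [ipaddress.ip_network("203.0.113.0/24")],
    "dmz":      [ipaddress.ip_network("192.0.2.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}

# Constructed inventory: hostname -> (interface addresses, net.ipv4.ip_forward)
INVENTORY = {
    "www1":   (["192.0.2.10"], 0),                # single-homed DMZ host: fine
    "app2":   (["192.0.2.20", "10.1.4.7"], 0),    # dual-homed DMZ + internal
    "proxy3": (["192.0.2.30", "10.1.4.9"], 1),    # dual-homed AND forwarding
    "mail4":  (["203.0.113.5", "10.2.0.3"], 0),   # public + internal, no DMZ hop
}


def zone_of(addr):
    """Map an interface address to its trust zone, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "unknown"


def audit_host(addrs, ip_forward):
    """Return the policy findings for one host (empty list if compliant)."""
    zones = {zone_of(a) for a in addrs}
    findings = []
    # A NIC in public or DMZ space plus a NIC in internal space bypasses the
    # firewall path the VLAN layout is supposed to enforce.
    if zones & {"public", "dmz"} and "internal" in zones:
        findings.append("dual-homed across %s" % "/".join(sorted(zones)))
    # Forwarding only matters when there is a second NIC to forward to.
    if ip_forward and len(addrs) > 1:
        findings.append("ip_forward enabled on multi-NIC host")
    return findings


def audit(inventory):
    """Return {hostname: findings} for every non-compliant host."""
    report = {}
    for name, (addrs, fwd) in inventory.items():
        findings = audit_host(addrs, fwd)
        if findings:
            report[name] = findings
    return report
```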


  

____________________Reply Separator____________________
Subject:    Using VLAN's in Firewall topologies
Author: btsec () magna com au
Date:       7/20/99 2:00 PM

Recently I have come across firewall design topologies involving switches
(e.g. Catalyst 5000) which are implementing VLANs.

For example (View with Courier Font):

Internet----Router1-----Switch1---Router3--Internal Network
                           |
Internet----Router2-----Switch2---Router4--Internal Network

Where the switch is configured such that there are a number of VLANs,
with different subnets comprising, for example, a firewall and a DMZ.
So logically it could look like the below:

Internet----Routers----Firewall---web servers---Routers----Internal Network

I personally am a bit concerned about using Switches (VLANS)
in such a design. I haven't seen too many security designs involving them.

Any comments on using switches for such purposes?

A few thoughts:

Pros:
     - less hardware (hubs and interconnects via trunking)
     - switch faster than hub
     - less chance of snooping

Cons:
     - no physical separation of outside and DMZ
     - security issues with VLANs, ISL trunking?

Thanks

Paul Therkelsen
