Firewall Wizards mailing list archives
Re:Using VLAN's in Firewall topologies
From: "Dallas N Bishoff"<Dallas.N.Bishoff () faa gov>
Date: Wed, 21 Jul 1999 09:35:39 -0500
Paul:

This can be done properly, and secured with the appropriate amount of training, talent and policy management. In fact, if you read Chapter 4: Firewall Design, from "Building Internet Firewalls", you'll find the guidelines for how this is done, and what not to do. Basically, the hosts reside in a virtual DMZ that is defined by the subnet. So, your customers can have access to their systems, which can reside in their business areas.

One of the things that you really have to watch out for, and you have to ensure adherence: the host owners cannot set up a system in the DMZ that is dual-homed -- public NIC and private NIC, and definitely not with IP forwarding across the NICs.

Regards!!!

Dallas N. Bishoff
MCSE, MCT, CCSE, ICE

____________________Reply Separator____________________
Subject: Using VLAN's in Firewall topologies
Author: btsec () magna com au
Date: 7/20/99 2:00 PM

Recently I have come across firewall design topologies involving switches (eg Catalyst 5000) which are implementing VLANs. For example (View with Courier Font):

    Internet----Router1-----Switch1---Router3--Internal Network
                               |
    Internet----Router2-----Switch2---Router4--Internal Network

Where the switch is configured such that there are a number of VLANs, with different subnets comprising a firewall and a DMZ for example. So logically it could look like the below:

    Internet----Routers----Firewall---web servers---Routers----Internal Network

I personally am a bit concerned about using switches (VLANs) in such a design. I haven't seen too many security designs involving them. Any comments on using switches for such purposes?

A few thoughts-

Pros
- less hardware (hubs and interconnects via trunking)
- switch faster than hub
- less chance of snooping

Cons
- No physical separation of outside and DMZ
- security issues with VLANs, ISL trunking?

Thanks
Paul Therkelsen
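The rule Dallas states above (no dual-homed hosts in the DMZ, and never IP forwarding between a public and a private NIC) is a policy that only holds if somebody checks it. The script below is an added example, not code from either poster or from the list: it audits a constructed host inventory and flags DMZ hosts that hold both a public address and an address in the internal (business-area) space, escalating when the host also has IP forwarding turned on. The inventory line format, the use of RFC 1918 prefixes as "internal", and the documentation-range (203.0.113.0/24) addresses are assumptions made for the example; in practice the internal prefixes would be whatever the site actually routes behind the firewall.

```python
"""Audit a DMZ host inventory for dual-homed hosts (added example, not from the thread)."""
import ipaddress

# Assumed: the internal/business-area networks are RFC 1918 space.
# Replace with the site's real internal prefixes if they differ.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory (not real data): one host per line -- hostname,
# then iface=addr/prefix pairs, then ip_forward=0|1 (as read from
# /proc/sys/net/ipv4/ip_forward on the host).  Public side uses the
# 203.0.113.0/24 documentation range.
INVENTORY = """\
www1   eth0=203.0.113.10/24 ip_forward=0
db1    eth0=203.0.113.20/24 eth1=10.1.5.20/24 ip_forward=0
gw-bad eth0=203.0.113.30/24 eth1=10.1.5.30/24 ip_forward=1
"""


def parse_inventory(text):
    """Return a list of (name, {iface: IPv4Interface}, ip_forward) tuples."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        name, fields = parts[0], parts[1:]
        ifaces = {}
        ip_forward = False
        for field in fields:
            key, value = field.split("=", 1)
            if key == "ip_forward":
                ip_forward = value == "1"
            else:
                ifaces[key] = ipaddress.ip_interface(value)
        hosts.append((name, ifaces, ip_forward))
    return hosts


def is_internal(ip, internal_nets=INTERNAL_NETS):
    """True if the address belongs to one of the configured internal prefixes."""
    return any(ip in net for net in internal_nets)


def audit_host(name, ifaces, ip_forward, internal_nets=INTERNAL_NETS):
    """Apply the no-dual-homing rule to one host; return a list of findings."""
    internal = sorted(i for i, a in ifaces.items() if is_internal(a.ip, internal_nets))
    public = sorted(i for i, a in ifaces.items() if not is_internal(a.ip, internal_nets))
    findings = []
    if internal and public:
        findings.append(f"{name}: dual-homed, public {public} and internal {internal}")
        if ip_forward:
            # Worst case: the host itself bridges the DMZ and the internal net.
            findings.append(f"{name}: IP forwarding enabled on a dual-homed DMZ host")
    return findings


def audit_inventory(text, internal_nets=INTERNAL_NETS):
    """Run audit_host over every host in an inventory text."""
    findings = []
    for name, ifaces, ip_forward in parse_inventory(text):
        findings.extend(audit_host(name, ifaces, ip_forward, internal_nets))
    return findings


if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print(finding)
```

A host with only internal addresses, or only public ones, produces no finding regardless of the forwarding flag; the rule in the post is about the combination. Feeding the audit from the hosts themselves (interface addresses plus the ip_forward sysctl) rather than from a hand-maintained list is what makes it catch the NIC a host owner added after the system was approved.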
Current thread:
- Using VLAN's in Firewall topologies btsec (Jul 20)
- Re: Using VLAN's in Firewall topologies Ge' Weijers (Jul 21)
- Re: Using VLAN's in Firewall topologies Kevin Steves (Jul 26)
- <Possible follow-ups>
- Re:Using VLAN's in Firewall topologies Dallas N Bishoff (Jul 21)
- Re: Using VLAN's in Firewall topologies CarlosCapmany Francoy (Jul 23)
- Re: Using VLAN's in Firewall topologies Ivan Arce (Jul 27)
- Re: Using VLAN's in Firewall topologies Jan B. Koum (Jul 29)
- Re: Using VLAN's in Firewall topologies Ivan Arce (Jul 27)