Firewall Wizards mailing list archives

Re: Using VLAN's in Firewall topologies


From: CarlosCapmany Francoy <ccapmany () telefonica es>
Date: Thu, 22 Jul 1999 19:55:52 +0200

I foresee another pro and con to this kind of topology:

PRO: if you have a good network administrator at your site, you can attempt to
create multiple unconnected DMZs, which will allow you not only to isolate the
internal network from the outside, but also to carry out an increased (even
total) degree of isolation among systems located in the DMZ area. This would be
most useful in environments where different companies place their own systems
in a common DMZ (at their ISP's, maybe), but retain full control over their
machine, including OS and web administration tasks. In this situation, most
probably there won't be a single security policy in place, and you can't expect
every administrator to keep their OSs updated in terms of patches and
configuration, or their web apps bug free, but you can prevent holes in one
machine from increasing the level of exposure of other systems that in a more
traditional topology would be placed in the same DMZ subnet.

CON(s): First of all, there's an extra burden placed on the network
administrator (and an extra degree of expertise). But most important, you must
extend your security policy and procedures to also cover switch and vLAN
administration, not only in terms of avoiding remote administration and the
like, but also to control access, audit and triple-check any modification
carried out in the switch configuration, including its routing functionality.
Among others, you must be sure at every moment that routing is carried out
exclusively by the firewall device in place (not by the RSM), that no other
systems can be (mis)placed in an existing vLAN without your knowledge, etc. Once
a system is connected to a switch port, everything else depends on the switch
(and RSM) configuration, so it is fairly easy to provoke unwanted or unexpected
"logical shortcuts" that will bypass communication through the firewall
(internal machine added to a DMZ vLAN, routing between DMZ and internal vLANs).

However, it would be great to hear from people that have already deployed and
administered this kind of topology for a while, and can contribute to this
thread with their practical experience.

Carlos Capmany
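The three misconfigurations described above (the switch/RSM routing a DMZ or internal VLAN, a host placed in a VLAN the inventory does not expect, and a trunk carrying both DMZ and internal VLANs) can be checked mechanically against a saved switch configuration. The audit below is an added example, not code from the thread; it assumes a Catalyst/IOS-like configuration syntax and a constructed sample config with VLAN 20 as DMZ and VLAN 30 as internal.

```python
import re

# Constructed Catalyst-style excerpt (assumption: IOS-like syntax, not from the thread).
# VLAN 20 = DMZ, VLAN 30 = internal. Fa0/3 is an internal host wrongly put in the DMZ VLAN.
SAMPLE_CONFIG = """\
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
interface FastEthernet0/2
 switchport access vlan 20
interface FastEthernet0/3
 switchport access vlan 20
interface FastEthernet0/4
 switchport mode trunk
 switchport trunk allowed vlan 20,30
"""
EXPECTED_VLAN = {"FastEthernet0/2": 20, "FastEthernet0/3": 30}  # port inventory (constructed)
DMZ_VLANS, INTERNAL_VLANS = {20}, {30}

def parse_interfaces(config):
    """Group lines under each 'interface' stanza: {name: [stripped sub-lines]}."""
    blocks, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            blocks[name] = []
        elif name and line.startswith(" "):
            blocks[name].append(line.strip())
        else:
            name = None
    return blocks

def audit(config, expected, dmz, internal):
    """Return findings for the three failure modes the thread describes."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        # 1. An SVI with an address on a DMZ/internal VLAN means the switch (RSM) routes it.
        if name.startswith("Vlan") and int(name[4:]) in dmz | internal \
                and any(l.startswith("ip address") for l in lines):
            findings.append(f"{name}: routed by switch, not by the firewall")
        for l in lines:
            # 2. Access port in a VLAN other than the inventory says: misplaced system.
            m = re.match(r"switchport access vlan (\d+)$", l)
            if m and int(m.group(1)) != expected.get(name):
                findings.append(f"{name}: in VLAN {m.group(1)}, expected {expected.get(name)}")
            # 3. Trunk carrying both DMZ and internal VLANs: a logical shortcut around the firewall.
            m = re.match(r"switchport trunk allowed vlan ([\d,]+)$", l)
            if m and (ids := set(map(int, m.group(1).split(",")))) & dmz and ids & internal:
                findings.append(f"{name}: trunk carries both DMZ and internal VLANs")
    return findings
```

Running `audit(SAMPLE_CONFIG, EXPECTED_VLAN, DMZ_VLANS, INTERNAL_VLANS)` flags all three conditions in the sample; a clean configuration returns an empty list.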

owner-firewall-wizards () nfr net on 21/07/99 01:27:12
Please reply to btsec () magna com au
To: firewall-wizards () nfr net
CC:
Subject: Using VLAN's in Firewall topologies

Recently I have come across firewall design topologies involving switches
(eg Catalyst 5000) which are implementing VLANS.

For example (View with Courier Font):

Internet----Router1-----Switch1---Router3--Internal Network
                           |
Internet----Router2-----Switch2---Router4--Internal Network

Where the Switch is configured such that there are a number of VLANS,
with different subnets comprising a Firewall and a DMZ for example.
So logically it could look like the below:

Internet----Routers----Firewall---web servers---Routers----Internal Network

I personally am a bit concerned about using Switches (VLANS)
in such a design. I haven't seen too many security designs involving them.

Any comments on using switches for such purposes?

A few thoughts:

Pros - less hardware (hubs and interconnects via trunking)
     - switch faster than hub
     - less chance of snooping

Cons - no physical separation of outside and DMZ
     - security issues with VLANs, ISL trunking?

Thanks

Paul Therkelsen
