Firewall Wizards mailing list archives
Re: Using VLAN's in Firewall topologies
From: CarlosCapmany Francoy <ccapmany () telefonica es>
Date: Thu, 22 Jul 1999 19:55:52 +0200
I foresee another pro and con to this kind of topology:

PRO: if you have a good network administrator at your site, you can attempt to create multiple unconnected DMZs, which will allow you not only to isolate the internal network from the outside, but also to carry out an increased (even total) degree of isolation among systems located at the DMZ area. This would be most useful in environments where different companies place their own systems in a common DMZ (at their ISP's, maybe), but retain full control over their machine, including OS and web administration tasks. In this situation, most probably there won't be a single security policy in place, and you can't expect every administrator to keep their OSs updated in terms of patches and configuration, or their web apps bug free, but you can avoid holes in one machine increasing the level of exposure of other systems that in a more traditional topology would be placed in the same DMZ subnet.

CON(s): First of all, there's an extra burden placed on the network administrator (and an extra degree of expertise). But most important, you must extend your security policy and procedures to cover also switch and vLAN administration, not only in terms of avoiding remote administration and the like, but also to control access, audit and triple-check any modification carried out in the switch configuration, including its routing functionality. Among others, you must be sure at every moment that routing is carried out exclusively by the firewall device in place (not by the RSM), that no other systems can be (mis)placed in an existing vLAN without your knowledge, etc. Once a system is connected to a switch port, everything else depends on the switch (and RSM) configuration, so it is fairly easy to provoke unwanted or unexpected "logical shortcuts" that will bypass communication through the firewall (internal machine added to a DMZ vLAN, routing between DMZ and internal vLANs).
However, it would be great to hear from people that have already deployed and administered this kind of topology for a while, and can contribute to this thread with their practical experience.

Carlos Capmany

owner-firewall-wizards () nfr net on 21/07/99 01:27:12
Please reply to btsec () magna com au
To: firewall-wizards () nfr net
CC:
Subject: Using VLAN's in Firewall topologies

Recently I have come across firewall design topologies involving switches (eg Catalyst 5000) which are implementing VLANS. For example (View with Courier Font):

    Internet----Router1-----Switch1---Router3--Internal Network
                               |
    Internet----Router2-----Switch2---Router4--Internal Network

Where the Switch is configured such that there are a number of VLANS, with different subnets comprising of a Firewall and a DMZ for example. So logically it could look like the below:

    Internet----Routers----Firewall---web servers---Routers----Internal Network

I personally am a bit concerned about using Switches (VLANS) in such a design. I haven't seen too many security designs involving them. Any comments on using switches for such purposes?

A few thoughts-

Pros
- less hardware (hubs and interconnects via trunking)
- switch faster than hub
- less chance of snooping

Cons
- No physical separation of outside and DMZ
- security issues with VLANs, ISL trunking?

Thanks
Paul Therkelsen
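The CON list above boils down to three things the administrator has to verify after every switch change: each port is in the VLAN the design says it is, trunks carry only the VLANs they should, and no routed VLAN interface on the switch (the RSM's role on a Catalyst) routes around the firewall. The following Python script, added here as an example and not code from any poster in this thread, turns those checks into an audit against a signed-off baseline. It assumes a simplified IOS-style configuration text (the sample is constructed, not Catalyst 5000 or RSM output), and every port number, VLAN id, address and baseline entry is hypothetical.

```python
"""Audit a switch configuration against a firewall/VLAN baseline: port placement,
trunk scope, and routed VLAN interfaces that would bypass the firewall."""
import re

# Constructed, simplified IOS-style configuration used as sample input. It is
# not real device output; port numbers, VLAN ids and addresses are hypothetical.
SAMPLE_CONFIG = """\
interface FastEthernet0/2
 description firewall DMZ-A leg
 switchport access vlan 20
!
interface FastEthernet0/4
 description customer A web server
 switchport access vlan 20
!
interface FastEthernet0/5
 description customer B web server (mis-placed in DMZ-A)
 switchport access vlan 20
!
interface FastEthernet0/6
 description internal file server (mis-placed in DMZ-B)
 switchport access vlan 30
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
!
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
"""

# Signed-off baseline (constructed): what the firewall design says each access
# port, trunk and routed VLAN interface should be.
BASELINE = {
    "access": {"FastEthernet0/2": 20, "FastEthernet0/4": 20,
               "FastEthernet0/5": 30, "FastEthernet0/6": 40},
    "trunks": {"FastEthernet0/24": {10, 20, 30}},
    "routed_vlans": {99},  # only the out-of-band management SVI may carry an IP
}


def _vlan_set(spec):
    """Expand '10,20-22' into {10, 20, 21, 22} (the 'add'/'remove' forms are not handled)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Return {interface: {access, trunk, allowed, routed}} from IOS-style text."""
    interfaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":                      # end of the current stanza
            cur = None
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = interfaces.setdefault(m.group(1), {"access": None, "trunk": False,
                                                     "allowed": set(), "routed": False})
            continue
        if cur is None:
            continue
        if m := re.match(r"switchport access vlan (\d+)$", line):
            cur["access"] = int(m.group(1))
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
            cur["allowed"] = _vlan_set(m.group(1))
        elif line.startswith("ip address "):  # an SVI with an address = routing on the switch
            cur["routed"] = True
    return interfaces


def audit(config, baseline):
    """Return human-readable deviations from the baseline; an empty list means compliant."""
    findings, ifaces = [], parse_interfaces(config)
    for port, want in baseline["access"].items():          # check 1: port placement
        got = ifaces.get(port, {}).get("access")
        if got != want:
            findings.append(f"{port}: in VLAN {got}, baseline requires VLAN {want}")
    for name, info in ifaces.items():
        if info["access"] is not None and name not in baseline["access"]:
            findings.append(f"{name}: access port unknown to baseline (VLAN {info['access']})")
        if info["trunk"]:                                     # check 2: trunk scope
            extra = info["allowed"] - baseline["trunks"].get(name, set())
            if extra:  # an unknown trunk shows up here with all of its VLANs
                findings.append(f"{name}: trunk carries unapproved VLANs {sorted(extra)}")
        m = re.fullmatch(r"Vlan(\d+)", name)                  # check 3: routing on the switch
        if m and info["routed"] and int(m.group(1)) not in baseline["routed_vlans"]:
            findings.append(f"{name}: routed interface on VLAN {m.group(1)} bypasses the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, BASELINE):
        print("DEVIATION:", finding)
```

Run against the sample, the audit reports the two mis-placed hosts (customer B's server sharing customer A's DMZ VLAN, the internal file server sitting in a DMZ VLAN), the trunk carrying a VLAN the design never approved, and the routed interface on VLAN 20 that would let traffic cross between VLANs without touching the firewall. The management SVI on VLAN 99 is allowed by the baseline and is not reported. The baseline itself is the artefact to put under change control: a diff of the audit output before and after every switch change is the "triple-check" the message asks for.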
Current thread:
- Using VLAN's in Firewall topologies btsec (Jul 20)
- Re: Using VLAN's in Firewall topologies Ge' Weijers (Jul 21)
- Re: Using VLAN's in Firewall topologies Kevin Steves (Jul 26)
- <Possible follow-ups>
- Re:Using VLAN's in Firewall topologies Dallas N Bishoff (Jul 21)
- Re: Using VLAN's in Firewall topologies CarlosCapmany Francoy (Jul 23)
- Re: Using VLAN's in Firewall topologies Ivan Arce (Jul 27)
- Re: Using VLAN's in Firewall topologies Jan B. Koum (Jul 29)
- Re: Using VLAN's in Firewall topologies Ivan Arce (Jul 27)