Firewall Wizards mailing list archives

Re: DMZ - the physical layer


From: "Aaron D. Turner" <aturner () vicinity com>
Date: Mon, 13 Mar 2000 09:57:54 -0800 (PST)


Not sure if it is still true, but Bay Switches used to have a problem
enforcing VLANs when two ports had the same client MAC (as is often
the case with Suns).

This can be a major security problem.  Cisco I know doesn't have this
problem, but most security people will argue against using VLANs for
security.  Most people recommend different physical switches.


-- 
Aaron Turner        aturner () vicinity com  650.237.0300 x252
Security Engineer                         Vicinity Corp.        
Cell: 408-314-9874  Pager: 650-317-1821   http://www.vicinity.com

On Tue, 7 Mar 2000, John White wrote:

I was looking through the archives of the greatcircle
firewall list and came across some opinions regarding
the construction of DMZs.

I'm using Baystack 450s as my backbone switches.
Bay 450s have a virtual LAN function which can
be used to limit a collision domain to specific
ports.  I was planning on using this function to
create the DMZ.

However, I ran across some opinions that this type of
action was quite foolish.

Can someone give me the cons to this proposal?

An option would be to buy a cheap Netgear switch 
(under $500) to be a physically separate DMZ. 

Pros and cons on that vs the virtual LAN?  $500
is a small price to pay if there are security problems
when using a VLAN as a DMZ.

John
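The failure Aaron describes (a VLAN-capable switch seeing one MAC on two ports, which on Suns happens naturally because all interfaces of a host share a single hostid-derived MAC by default) is something a defender can at least audit for from the switch's forwarding table. The script below is an added example, not code from the thread or from any vendor: it parses a constructed, vendor-neutral MAC-table dump of the form `<mac> <vlan> <port>` (the column layout is an assumption; real `show mac-address-table` output differs by vendor) and flags MACs learned on more than one port, separating out the cross-VLAN case that matters for a VLAN-based DMZ.

```python
"""Audit a switch MAC table for one MAC learned on several ports / VLANs.

Added example, not from the mailing-list thread. The input format below is a
constructed, vendor-neutral dump ("<mac> <vlan> <port>" per line); adapt the
parser to whatever your switch actually prints.
"""
from collections import defaultdict

# Constructed sample: two multi-homed hosts, one of them straddling VLANs 10
# and 20 on one MAC (the Sun-style case), one duplicated only within VLAN 20,
# plus one harmless repeated entry for the same (vlan, port).
SAMPLE_MAC_TABLE = """\
08:00:20:aa:bb:01 10 1/1
08:00:20:aa:bb:02 10 1/2
08:00:20:aa:bb:03 20 1/9
08:00:20:aa:bb:03 10 1/3
00:e0:81:12:34:56 20 1/10
00:e0:81:12:34:56 20 1/11
08:00:20:aa:bb:02 10 1/2
"""


def parse_mac_table(text):
    """Return a list of (mac, vlan, port) tuples; skips blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        mac, vlan, port = parts
        entries.append((mac.lower(), int(vlan), port))
    return entries


def find_duplicate_macs(entries):
    """Map each MAC seen on more than one distinct port to its set of (vlan, port)."""
    seen = defaultdict(set)
    for mac, vlan, port in entries:
        seen[mac].add((vlan, port))
    return {
        mac: locs
        for mac, locs in seen.items()
        if len({port for _, port in locs}) > 1
    }


def cross_vlan_duplicates(duplicates):
    """Subset of duplicates where one MAC is learned in two or more VLANs.

    This is the condition Aaron's note is about: a switch that keys its
    forwarding decisions on MAC alone may forward across the VLAN boundary.
    """
    return {
        mac: locs
        for mac, locs in duplicates.items()
        if len({vlan for vlan, _ in locs}) > 1
    }


def report(text):
    """Human-readable summary of the audit for the given MAC-table dump."""
    dups = find_duplicate_macs(parse_mac_table(text))
    cross = cross_vlan_duplicates(dups)
    lines = []
    for mac, locs in sorted(dups.items()):
        where = ", ".join(f"vlan {v} port {p}" for v, p in sorted(locs))
        tag = "CROSS-VLAN" if mac in cross else "same-vlan"
        lines.append(f"{tag}: {mac} on {where}")
    return "\n".join(lines) if lines else "no duplicate MACs found"


if __name__ == "__main__":
    print(report(SAMPLE_MAC_TABLE))
```

A cross-VLAN hit on a host that is meant to be a DMZ bastion or firewall deserves a closer look: either the host should present distinct MACs per interface (on Sun hardware the OpenBoot variable `local-mac-address?=true` does that), or, as Aaron and most of the list would say, the DMZ belongs on a separate physical switch so the question never arises.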
