Firewall Wizards mailing list archives
RE: DMZ - the physical layer
From: fernando_montenegro () hp com
Date: Mon, 13 Mar 2000 09:50:39 -0500
Hi!

This question is one of those where you *really* need to ask yourself about the risks and benefits of all approaches.

Glossary:

"firewall LANs" - all the networks between the external router's ethernet interface and the internal router's "outer" interface.
"corporate LANs" - all the networks in the corporation up to the internal router's internal interface (i.e., not the firewall LANs)

Possible scenarios:

1) Using separate hubs/switches for each subnet in your firewall LANs:

Pros
- Virtually impossible to have traffic mixed up without physical access to the rack
- Virtually impossible to change DMZ setup without physical access to the rack
- Probably cheaper to buy multiple simple hubs/switches than one fancy, larger switch.

Cons
- Adds complexity to hardware needs, such as extra rack space, extra power outlets, ...
- Makes changes to a LAN (such as adding servers to the web farm) harder
- Makes a more resilient (not HA) configuration harder: more individual components to duplicate

2) Using one switch for all the firewall LANs, separate from any corporate LAN switches:

Pros
- Simpler hardware requirements (power outlets, rack space, possibly cabling)
- Much easier to add resilience (only one place to add a redundant power supply, for example)
- Much more versatile configuration (only logical changes in VLANs)

Cons
- Flexibility in VLAN configuration introduces the possibility of DMZ setup errors because of human mistakes
- The existence of bugs in the switching gear might lead to DMZ compromise, such as access to "internal" traffic

3) Using the same switch for firewall LANs and corporate LANs:

Pros
- Much simpler hardware requirements (power outlets, rack space, possibly cabling)
- Much easier to add resilience (only one place to add a redundant power supply, for example)
- Much more versatile configuration (only logical changes in VLANs)

Cons
- Flexibility in VLAN configuration introduces the possibility of DMZ setup errors because of human mistakes
- The existence of bugs in the switching gear might lead to DMZ compromise, such as access to "internal" traffic

Personally, I would strongly advise everyone to stay off option "3": the simpler hardware requirements do not justify the risk associated with having internal (as in SAP, payroll, ...) corporate traffic showing up on an external web server's (possibly compromised) collision domain...

Choosing between 1, 2 or variants is really up to policy and the functionality associated with each subnet in the firewall LANs. I have seen setups similar to "2", but with two switches: one for "external" and "service" subnets and another for "internal" or "admin" subnets. I know people who will accept nothing but "1" and some that feel the benefits of "2" pay off the increase in associated risk.

Caveat emptor.

Hope this helps.

Cheers,
Fernando

--
Fernando da Silveira Montenegro
Hewlett-Packard Brasil
HP Consulting - IT Security
Al. Rio Negro, 750 - Alphaville
Barueri, SP - Brazil 06454-000
mailto:fernando_montenegro () hp com
voice: +55-11-7297-4351
#include <disclaimer.h>
-----Original Message-----
From: johnjohn () triceratops com [mailto:johnjohn () triceratops com]
Sent: Tuesday, 7 March 2000 23:32
To: firewall-wizards () nfr net
Cc: johnjohn () triceratops com
Subject: [fw-wiz] DMZ - the physical layer

I was looking through the archives of the greatcircle firewall list and came across some opinions regarding the construction of DMZs.

I'm using Baystack 450's as my backbone switches. Bay 450's have a virtual LAN function which can be used to limit a collision domain to specific ports. I was planning on using this function to create the DMZ. However, I ran across some opinions that this type of action was quite foolish. Can someone give me the cons to this proposal?

An option would be to buy a cheap Netgear switch (under $500) to be a physically separate DMZ. Pros and cons on that vs the virtual LAN? $500 is a small price to pay if there are security problems when using a VLAN as a DMZ.

John
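The two failure modes Fernando lists for a VLAN-based DMZ are a human putting the wrong VLANs on a port and a single switch carrying both firewall-LAN and corporate traffic (his option "3"). Both are visible in the switch's VLAN-to-port table, so they can be audited before trusting the layout. The script below is an added example, not code from the thread or from any switch vendor: it takes a constructed port table (not a BayStack 450 dump; the switch names, port numbers, VLAN ids and zone names are all made up for illustration), maps each VLAN to a zone under an assumed policy, flags ports that span zones and switches that mix firewall LANs with corporate LANs, and classifies the whole inventory as scenario 1, 2 or 3 from the post.

```python
"""Audit a VLAN-to-port layout against the three DMZ scenarios in the post.

Added example, not from the original thread. Switch tables and the zone
policy below are constructed for illustration, not a real switch dump.
"""
from typing import Dict, List, Set, Tuple

# Constructed policy: which zone each VLAN id belongs to (assumption).
VLAN_ZONES: Dict[int, str] = {
    10: "external",    # firewall LAN between external router and firewall
    20: "service",     # firewall LAN holding the web farm
    30: "admin",       # firewall LAN on the inner side of the firewall
    100: "corporate",  # corporate LAN (SAP, payroll, ...)
}
# Zones that make up the "firewall LANs" in the post's glossary.
FIREWALL_LAN_ZONES: Set[str] = {"external", "service", "admin"}

# Constructed inventory: switch -> {port -> VLAN ids configured on it}.
SWITCHES: Dict[str, Dict[int, Set[int]]] = {
    "sw-fw-1": {
        1: {10}, 2: {10},
        3: {20}, 4: {20}, 5: {20},
        6: {30},
        7: {20, 30},   # human error: one port carries service and admin VLANs
    },
    "sw-core-1": {
        1: {100}, 2: {100},
        3: {20},       # web-farm VLAN on the corporate switch (scenario 3)
        4: {999},      # VLAN not covered by the policy at all
    },
}

# (kind, switch, port, detail); port 0 means the finding is switch-wide.
Finding = Tuple[str, str, int, str]


def zones_on_port(vlans: Set[int], vlan_zones: Dict[int, str]) -> Set[str]:
    """Zones reachable from a port; VLANs missing from the policy -> UNKNOWN."""
    return {vlan_zones.get(v, "UNKNOWN") for v in vlans}


def corporate_zones(zones: Set[str]) -> Set[str]:
    """Anything that is neither a firewall-LAN zone nor unknown is corporate."""
    return zones - FIREWALL_LAN_ZONES - {"UNKNOWN"}


def audit(switches: Dict[str, Dict[int, Set[int]]],
          vlan_zones: Dict[int, str]) -> List[Finding]:
    """Flag mixed-zone ports, unpoliced VLANs and switches mixing zones."""
    findings: List[Finding] = []
    for sw, ports in sorted(switches.items()):
        switch_zones: Set[str] = set()
        for port, vlans in sorted(ports.items()):
            zones = zones_on_port(vlans, vlan_zones)
            switch_zones |= zones
            if "UNKNOWN" in zones:
                findings.append(("unknown-vlan", sw, port, f"vlans={sorted(vlans)}"))
            known = zones - {"UNKNOWN"}
            if len(known) > 1:
                # A trunk or a mis-set port: one cable reaches two zones.
                findings.append(("mixed-zone-port", sw, port, ",".join(sorted(known))))
        if switch_zones & FIREWALL_LAN_ZONES and corporate_zones(switch_zones):
            # Scenario 3: one switch (and its bugs) between corporate and DMZ.
            findings.append(("shared-switch", sw, 0,
                             "firewall LANs and corporate LANs on one switch"))
    return findings


def classify_layout(switches: Dict[str, Dict[int, Set[int]]],
                    vlan_zones: Dict[int, str]) -> int:
    """Return 1, 2 or 3 for the scenario the inventory corresponds to."""
    scenario = 1
    for ports in switches.values():
        zones: Set[str] = set()
        for vlans in ports.values():
            zones |= zones_on_port(vlans, vlan_zones)
        if zones & FIREWALL_LAN_ZONES and corporate_zones(zones):
            return 3                      # any shared switch makes it option 3
        if len(zones & FIREWALL_LAN_ZONES) > 1:
            scenario = 2                  # several firewall LANs on one switch
    return scenario


if __name__ == "__main__":
    for kind, sw, port, detail in audit(SWITCHES, VLAN_ZONES):
        where = f"{sw}" if port == 0 else f"{sw} port {port}"
        print(f"{kind:16} {where:18} {detail}")
    print("layout matches scenario", classify_layout(SWITCHES, VLAN_ZONES))
```

Run it against a table exported from the switch (the export format varies by vendor, so that parsing step is left to the reader) and treat any `shared-switch` finding as a reason to move VLANs, not as something to accept; `mixed-zone-port` findings on anything other than a deliberate, documented trunk are the human-error case the post warns about.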
Current thread:
- DMZ - the physical layer John White (Mar 12)
- Re: DMZ - the physical layer Aaron D. Turner (Mar 17)
- Re: DMZ - the physical layer Bennett Todd (Mar 21)
- Re: DMZ - the physical layer Doug Fajardo (Mar 21)
- <Possible follow-ups>
- RE: DMZ - the physical layer fernando_montenegro (Mar 17)
- RE: DMZ - the physical layer Ben Nagy (Mar 21)
- RE: DMZ - the physical layer aturner (Mar 23)
- RE: DMZ - the physical layer Carl Friedberg (Mar 21)
- Re: DMZ - the physical layer Aaron D. Turner (Mar 17)