Firewall Wizards mailing list archives
Re: DMZ - the physical layer
From: Bennett Todd <bet () rahul net>
Date: Fri, 17 Mar 2000 16:44:56 -0500
2000-03-13-12:57:54 Aaron D. Turner:
Not sure if it is still true, but Bay Switches used to have a problem enforcing VLANs when two ports had the same client MAC (as is often the case with Suns). This can be a major security problem. Cisco, I know, doesn't have this problem, but most security people will argue against using VLANs for security. Most people recommend different physical switches.
Ciscos have had troubles with packet leakage in strange circumstances as well; I seem to recall something about being able to unilaterally turn your switch port into an ISL port or something like that.

I've checked this opinion with a techie at a major switch vendor, and they enthusiastically liked my statement: VLANs are a performance optimization, designed to help decrease the size of a broadcast domain to a fraction of a switch. They are intended to help improve flexibility, allowing the user to have multiple isolated broadcast domains in a single physical switch; with the high early price-per-port of switches, and the limited number of distinct sizes (e.g. 8-port, 12-port, 16-port, 32-port), being able to carve a larger switch up into VLANs was a big help for customers pricing reasonable configs, while trying to keep their traffic organized for performance reasons.

But VLANs were always and solely a performance hack. Leaking packets between them isn't a design failure of a VLAN unless the leakage consists of enough packets to have a performance impact. For security barriers, use separate boxes, or boxes like routers that are designed to make guarantees about packets only going to the right place.

-Bennett
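The following is an added illustration, not code from either poster and not any vendor's implementation. It is a toy learning-switch model showing one way the symptom Aaron describes (VLAN leakage when two ports in different VLANs see the same client MAC) can arise: a forwarding table keyed on MAC address alone, compared with one keyed on (VLAN ID, MAC). Whether this is what the Bay switches actually did is not stated in the thread; the port numbers, VLAN IDs and MAC addresses are constructed for the example.

```python
"""Toy model of a learning switch with access-port VLANs.

Added example: not code from the original post and not any switch vendor's
implementation.  Two forwarding-table designs are compared on the same
scenario: one keyed on MAC only (the flawed model), one keyed on (vid, mac).
All port numbers, VLAN IDs and MACs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed topology: ports 1,2 are access ports in VLAN 10; ports 3,4 in VLAN 20.
PORT_VLAN: Dict[int, int] = {1: 10, 2: 10, 3: 20, 4: 20}

# Constructed MAC that appears on two ports in different VLANs (as with hosts
# that use one MAC across several interfaces).
SHARED_MAC = "08:00:20:aa:bb:cc"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    port_vlan: Dict[int, int]
    # True: table keyed on (vid, mac).  False: keyed on mac only (flawed model).
    vlan_aware: bool
    table: Dict[Union[str, Tuple[int, str]], int] = field(default_factory=dict)

    def _key(self, vid: int, mac: str) -> Union[str, Tuple[int, str]]:
        return (vid, mac) if self.vlan_aware else mac

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        """Learn the source MAC, then return the list of egress ports."""
        vid = self.port_vlan[in_port]  # access port: VLAN is assigned by the port
        self.table[self._key(vid, frame.src)] = in_port
        out = self.table.get(self._key(vid, frame.dst))
        if out is not None:
            # Known unicast: follow the learned entry.  In the MAC-only model
            # nothing ties the entry to a VLAN, so the frame follows the MAC to
            # wherever it was last seen, even a port in another VLAN.
            return [] if out == in_port else [out]
        # Unknown unicast / broadcast: flood, but only within the ingress VLAN.
        return [p for p, v in self.port_vlan.items() if v == vid and p != in_port]


def run_scenario(vlan_aware: bool) -> List[int]:
    """Where does a VLAN 10 frame addressed to SHARED_MAC end up?

    SHARED_MAC is first seen on port 1 (VLAN 10), then on port 3 (VLAN 20).
    Then a host on port 2 (VLAN 10) sends a frame to SHARED_MAC.
    """
    sw = Switch(port_vlan=dict(PORT_VLAN), vlan_aware=vlan_aware)
    sw.forward(1, Frame(src=SHARED_MAC, dst=BROADCAST))  # learned on port 1, VLAN 10
    sw.forward(3, Frame(src=SHARED_MAC, dst=BROADCAST))  # same MAC seen on port 3, VLAN 20
    return sw.forward(2, Frame(src="00:11:22:33:44:55", dst=SHARED_MAC))


def leaked_ports(vlan_aware: bool) -> List[int]:
    """Egress ports outside the ingress VLAN (10).  Any entry is a VLAN leak."""
    return [p for p in run_scenario(vlan_aware) if PORT_VLAN[p] != 10]


if __name__ == "__main__":
    for aware in (False, True):
        label = "(vid, mac) table" if aware else "mac-only table"
        print(f"{label}: egress={run_scenario(aware)} leaked={leaked_ports(aware)}")
```

With the MAC-only table the VLAN 10 frame is delivered to port 3 in VLAN 20; with the (vid, mac) table it stays on port 1 in VLAN 10. The point Bennett makes still holds either way: the isolation is only as good as the lookup logic and whatever else can rewrite port membership, which is why he recommends separate boxes for a security boundary.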
Current thread:
- DMZ - the physical layer John White (Mar 12)
- Re: DMZ - the physical layer Aaron D. Turner (Mar 17)
- Re: DMZ - the physical layer Bennett Todd (Mar 21)
- Re: DMZ - the physical layer Doug Fajardo (Mar 21)
- <Possible follow-ups>
- RE: DMZ - the physical layer fernando_montenegro (Mar 17)
- RE: DMZ - the physical layer Ben Nagy (Mar 21)
- RE: DMZ - the physical layer aturner (Mar 23)
- RE: DMZ - the physical layer Carl Friedberg (Mar 21)
- Re: DMZ - the physical layer Aaron D. Turner (Mar 17)