Firewall Wizards mailing list archives
Re: Firewalls and 802.1q trunking
From: Carson Gaspar <carson () taltos org>
Date: Tue, 26 Nov 2002 22:40:12 -0500
My personal philosophy is that VLAN trunks are OK within a risk zone, but not between them. This is the usual risk / reward tradeoff. VLAN trunks trade expensive or non-available firewall ports for cheap and plentiful switch ports, with the risk being an attack on the switch. I'm willing to make that tradeoff to some extent, but not to the point of having everything connected to one switch, and relying entirely on the switch to provide separation.
The sticky bit is, how do you divide your zones by risk? At a bare minimum, I put Internet, DMZ, and internal segments on different physical switches. If there are third party external non-Internet links, I'd like those to be separate as well. If I have firewall ports left, I like to break up the DMZs into authenticated / non-authenticated, front-end / back-end, inbound / outbound, or by operational criteria such as maintenance windows (very useful with virtual firewalls) - the specifics are usually site specific.
-- Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
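The rule in the post above ("VLAN trunks are OK within a risk zone, but not between them") can be checked mechanically against a trunk inventory. The following is an added example, not code from the original post or the list: the zone names follow the post, while the switch names, port names, VLAN ids and the inventory format are constructed for illustration.

```python
# Added example: flag switches whose trunks carry VLANs from more than one
# risk zone, i.e. where zone separation rests on the switch rather than a
# firewall. All inventory values below are constructed sample data.

# VLAN id -> risk zone (constructed sample; zone names follow the post)
VLAN_ZONE = {10: "internet", 20: "dmz", 21: "dmz", 30: "internal", 31: "internal"}

# Trunk inventory as (switch, port, allowed-VLAN list in "a,b-c" form); constructed.
TRUNKS = [
    ("sw-edge-1", "Gi0/1", "10"),
    ("sw-dmz-1",  "Gi0/1", "20-21"),
    ("sw-core-1", "Gi0/1", "30,31"),
    ("sw-core-1", "Gi0/2", "21,30-31"),   # dmz and internal on one switch: violation
    ("sw-dmz-1",  "Gi0/2", "20,99"),      # VLAN 99 has no zone: surfaces as "unknown"
]

def expand_vlans(spec):
    """Expand "10,20-21" into {10, 20, 21}; rejects reversed ranges."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed VLAN range: {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans

def switch_zones(trunks, vlan_zone):
    """Map each switch to the set of zones carried on any of its trunks.
    A VLAN with no zone assignment is recorded as the zone "unknown", so an
    unclassified VLAN on a trunk is never silently treated as safe."""
    zones = {}
    for switch, _port, spec in trunks:
        for v in expand_vlans(spec):
            zones.setdefault(switch, set()).add(vlan_zone.get(v, "unknown"))
    return zones

def cross_zone_switches(trunks, vlan_zone):
    """Switches carrying VLANs from more than one risk zone, sorted by name."""
    return sorted(s for s, z in switch_zones(trunks, vlan_zone).items() if len(z) > 1)

if __name__ == "__main__":
    for s in cross_zone_switches(TRUNKS, VLAN_ZONE):
        print(f"{s}: {sorted(switch_zones(TRUNKS, VLAN_ZONE)[s])}")
```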