Firewall Wizards mailing list archives
RE: Multiple small switches vs. a single big one; Granularity of control
From: Phil Burg <Phil.Burg () colesmyer com au>
Date: Fri, 5 Mar 2004 12:43:35 +1100
Dale W. Carder wrote:
I personally believe that the idea of separating vlans onto separate switches is fueled by paranoia and inferior switch architectures. Separating vlans onto their own switches does not scale. If it does for your environment, I envy you :-)
There are economies of scale in having bigger switches with more vlans, and trunking between them. The 6500 series switches and competing products are marketed towards that idea.
[...]
The switch enforces the separation policy between vlans. The FWSM is a firewall between vlans.
At the end of the day, IMNSHO, it's all about risk, and your organisation's appetite for it. Using the (rather simplistic) approach that I like to take, in the absence of evidence to the contrary, increased complexity equates to increased risk. (Yes, this may be paranoia, but my employer likes my paranoid streak.) Therefore, when you compare separate small switches separated by a firewall to one large switch with multiple VLANs separated by an integrated firewall, the former is less risky than the latter. This doesn't mean it's objectively a worse solution, just that a more informed business decision can now be made, weighing up the benefits of the latter (the economies of scale you mentioned) against the risk if something goes wrong (including both malicious activity and stressed comms engineers misconfiguring a VLAN at 4am...)

My opinion, not my employer's.

Phil

--
Phil Burg
Senior Security Adviser
IT S&A Security and Governance
Coles Myer Ltd
(03) 9483 7165 / 0409 028 411
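The "4am misconfiguration" failure mode above (a VLAN from one zone added to a trunk that belongs to another, or a trunk left unpruned so it carries every VLAN) is exactly the kind of thing you can catch before it bites if you lint the switch config against a zone map. The following is an added example and is not code from either poster or from any vendor; the IOS-style config fragment, the VLAN-to-zone map, the port names and the "firewall ports" allow-list are all constructed for illustration. It parses access and trunk port definitions, assumes an unpruned trunk carries all VLANs (the IOS default), and flags any non-firewall port that ends up spanning more than one security zone.

```python
# Added example (not from the original thread): audit an IOS-style switch
# configuration and flag ports where VLANs from different security zones have
# been placed together, i.e. where one misconfiguration on a "single big
# switch" collapses the separation the firewall is meant to enforce.
# Everything below (config text, zone map, port names) is constructed.
import re
from collections import defaultdict

# Constructed zone map: which security zone each VLAN is supposed to belong to.
ZONE_OF_VLAN = {10: "internal", 20: "internal", 100: "dmz", 200: "outside"}

# Constructed: the only ports allowed to carry more than one zone, because they
# connect to the firewall that separates those zones.
FIREWALL_PORTS = {"GigabitEthernet1/5"}

# Constructed IOS-style config fragment, not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 description uplink to internal core
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/2
 description DMZ web servers
 switchport mode access
 switchport access vlan 100
!
interface GigabitEthernet1/3
 description 4am change: vlan 200 added to an internal trunk
 switchport mode trunk
 switchport trunk allowed vlan 10,20,200
!
interface GigabitEthernet1/4
 description trunk with no allowed-vlan pruning
 switchport mode trunk
!
interface GigabitEthernet1/5
 description trunk to firewall (all zones by design)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100,200
!
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {name: {"mode": str or None, "vlans": set or None}}.

    For a trunk, vlans=None means no 'allowed vlan' line was present, so the
    trunk carries every VLAN (the IOS default).
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)", raw)
        if m:
            current = m.group(1)
            interfaces[current] = {"mode": None, "vlans": None}
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("switchport mode "):
            interfaces[current]["mode"] = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            interfaces[current]["vlans"] = {int(line.split()[-1])}
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):]
            interfaces[current]["vlans"] = expand_vlan_list(spec)
    return interfaces


def find_zone_leaks(config, zone_of_vlan, firewall_ports):
    """Return a list of (interface, reason) for ports that mix security zones."""
    findings = []
    for name, iface in parse_interfaces(config).items():
        if name in firewall_ports:
            continue  # the firewall is the one place zones are meant to meet
        if iface["mode"] == "trunk" and iface["vlans"] is None:
            findings.append((name, "unpruned trunk carries every VLAN, hence every zone"))
            continue
        if iface["vlans"] is None:
            continue  # no switchport VLAN data (e.g. a routed port); nothing to judge
        by_zone = defaultdict(set)
        for vlan in iface["vlans"]:
            by_zone[zone_of_vlan.get(vlan, "UNMAPPED")].add(vlan)
        if "UNMAPPED" in by_zone:
            findings.append((name, "VLANs with no zone assigned: %s" % sorted(by_zone["UNMAPPED"])))
        if len(by_zone) > 1:
            summary = ", ".join("%s=%s" % (z, sorted(v)) for z, v in sorted(by_zone.items()))
            findings.append((name, "port spans more than one zone: " + summary))
    return findings


if __name__ == "__main__":
    for iface, reason in find_zone_leaks(SAMPLE_CONFIG, ZONE_OF_VLAN, FIREWALL_PORTS):
        print("%-22s %s" % (iface, reason))
```

Run against the constructed config, it reports GigabitEthernet1/3 (internal VLANs 10 and 20 now sharing a trunk with outside VLAN 200) and GigabitEthernet1/4 (no pruning, so every zone rides that trunk), and stays quiet about the firewall-facing trunk that carries all zones on purpose. On a real estate you would feed it `show running-config` output and your own zone map, and extend the parser for the `add`/`remove`/`except` forms of the allowed-vlan command, which this example deliberately does not handle.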