Firewall Wizards mailing list archives
Re: Per application port DMZ segments?
From: Kevin <kkadow () gmail com>
Date: Tue, 18 Jan 2005 15:46:47 -0600
On Tue, 18 Jan 2005 11:27:10 -0600, Wes Noonan <mailinglists () wjnconsulting com> wrote:
> Another justification that has been put forth is to segment resources, however I think that using private VLANs (they are a Cisco shop) is a better solution - after all, even with per-application VLANs the servers in that VLAN will still be able to communicate with each other unless you do something else.
Depending on the switch model, Cisco's "Private VLAN" feature could be a very good approach to their problem, offering most of the same benefits without the excess complexity.
> So, does anyone know of any references, etc. that I can put in front of said client to show them how this is a bad idea, or conversely have any references that can show me that it's not as bad as I think it is?
Cisco's "Virtual LAN Security Best Practices" whitepaper from 2002 details many of the issues with using VLANs for security and includes some information on L2/L3 attacks.

Kevin Kadow

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
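The private-VLAN arrangement Kevin refers to, written out as an added illustration (this is not configuration from the message or from the client's network): one primary VLAN carries the DMZ subnet, one isolated secondary VLAN holds the server ports, and the firewall's DMZ interface sits on a promiscuous port. Servers on isolated ports can reach the firewall but not each other, even though they share a subnet. VLAN numbers, interface names, the 192.0.2.0/24 address block and the assumption of a Catalyst switch running IOS with PVLAN support are all illustrative choices, as is the assumption that the layer-3 hop is an IOS device that accepts a standard extended ACL.

```cisco
! Assumed platform: Catalyst switch running IOS with private-VLAN support.
! Older VTP versions require transparent mode before private VLANs can be defined.
vtp mode transparent
!
! Primary VLAN: the DMZ subnet as the firewall sees it.
vlan 100
 name DMZ-primary
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN: ports here may only talk to promiscuous ports.
vlan 101
 name DMZ-isolated
 private-vlan isolated
!
! Promiscuous port: the firewall's DMZ interface, reachable by every server.
interface GigabitEthernet1/0/1
 description Firewall DMZ interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Isolated host ports: one per server. Frames between these ports are dropped
! by the switch; only the promiscuous port is reachable at layer 2.
interface range GigabitEthernet1/0/2 - 12
 description DMZ servers
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Caveat, applied on the layer-3 device (illustrative IOS syntax): a host on an
! isolated port can still address a frame to the firewall's MAC with a
! neighbour's IP as the destination, and the firewall will route it straight
! back into the same subnet. Private VLANs stop layer-2 reachability only, so
! deny same-subnet traffic on the DMZ interface as well.
ip access-list extended DMZ-NO-HAIRPIN
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip any any
!
interface GigabitEthernet0/1
 description DMZ interface facing the promiscuous port
 ip access-group DMZ-NO-HAIRPIN in
```

To verify the port roles after applying the switch side, `show vlan private-vlan` lists the primary/secondary pairing and the ports bound to each; a server port that shows up as a normal access port rather than a host port has not been isolated. The ACL on the firewall or router is the part most often forgotten: without it, the isolation holds only against hosts that send directly to each other's MAC addresses.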