Firewall Wizards mailing list archives

Re: Per application port DMZ segments?


From: Kevin <kkadow () gmail com>
Date: Tue, 18 Jan 2005 15:46:47 -0600

On Tue, 18 Jan 2005 11:27:10 -0600, Wes Noonan
<mailinglists () wjnconsulting com> wrote:
> Another justification that has been put forth is to segment resources;
> however, I think that using private VLANs (they are a Cisco shop) is a better
> solution - after all, even with per application VLANs the servers in that
> VLAN will still be able to communicate with each other unless you do
> something else.

Depending on the switch model, Cisco's "Private VLAN" feature could be
a very good approach to their problem, offering most of the same
benefits without the excess complexity.


> So, does anyone know of any references, etc. that I can put in front of said
> client to show them how this is a bad idea, or conversely have any
> references that can show me that it's not as bad as I think it is?

Cisco's "Virtual LAN Security Best Practices" whitepaper from 2002
details many of the issues with using VLANs for security and includes
some information on L2/L3 attacks.

Kevin Kadow
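As an added illustration of the private-VLAN layout discussed above (constructed for this archive page, not configuration from the thread or from Cisco's whitepaper): one primary DMZ VLAN, an isolated secondary VLAN for standalone servers and a community secondary VLAN for a pair that must talk to each other, with the firewall's inside interface on the promiscuous port. VLAN numbers, interface names and the firewall role are assumptions; Catalyst IOS syntax.

```cisco
! Constructed example: private VLANs on a Catalyst switch.
! VTP must be transparent (or off) before private VLANs can be defined.
vtp mode transparent
!
! Primary VLAN carries the whole DMZ subnet; secondaries partition it.
vlan 100
 private-vlan primary
 private-vlan association 101,102
!
! Isolated: ports here reach the promiscuous port only, never each other.
vlan 101
 private-vlan isolated
!
! Community: ports here reach each other and the promiscuous port, not VLAN 101.
vlan 102
 private-vlan community
!
! Uplink to the firewall (assumed DMZ gateway) sees every secondary VLAN.
interface GigabitEthernet0/1
 description DMZ gateway - firewall inside interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Two standalone servers that only ever need to talk to the gateway.
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Web/app pair that must talk to each other but to no other DMZ host.
interface GigabitEthernet0/4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface GigabitEthernet0/5
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Verify with: show vlan private-vlan
!              show interfaces GigabitEthernet0/2 switchport
```

The isolation is layer 2 only: a host on an isolated port can still send a frame to the gateway's MAC with a neighbour's IP as destination and have the gateway route it back into the same subnet, so the firewall (or a VLAN ACL) should also drop traffic whose source and destination both lie in the DMZ subnet.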
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards