Penetration Testing mailing list archives
RE: HP BL30's and VLAN's
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Thu, 3 Mar 2005 15:32:23 -0500
First off...a terminology question: By DMZ, are you referring to a service network that is on a 3rd NIC of the firewall or the area between the edge router and the firewall? The term was originally a military term used to refer to the buffer zone between two hostile countries; then a large firewall vendor decided to use the term for what I'd call a service network using a 3rd NIC in a firewall or perhaps a separate firewall. I'll assume the "wrong" definition since it's actually become more popular.

That's kind of bad design. VLANs can often add something to security but counting on them really isn't the best idea. There are attacks on switches that can cause VLANs to fail open, although I'm not sure about this particular one. In addition to the possibility of 'jumping VLANs', it's also possible to make a rather small configuration error and have things wide open. On the other hand, we don't have any details about your site so there could be cases where it may be acceptable. I've seen companies set up the area outside the firewall on a VLAN on their corporate switch... that's worse! It depends what you're protecting too... still, I can't think of any case where I'd recommend doing it like that.

-----Original Message-----
From: Merrick, Carl [mailto:CMerrick () enfield org]
Sent: Thursday, March 03, 2005 11:23 AM
To: pen-test () securityfocus com
Subject: HP BL30's and VLAN's

I am not a pen tester and this is more of a theoretical question for the experts. We are in the process of installing HP BL30p blade servers which use the GBE2 integrated switch for network connectivity. One of the servers installed will be a web server which will run in the DMZ. Connectivity to the DMZ will be provided from the GBE2 to a port on the firewall via a VLAN. Other internal VLANs will be running on the same GBE2 switch. The question is, how secure will this setup be? Is it possible to hack across VLANs on the same switch? My preferred configuration is to physically isolate web servers.
Thanks. Carl
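Jerry's point that a small configuration error can leave a shared switch wide open lends itself to a mechanical check. The following is an added example, not code from either poster or from HP: a lint over a constructed, IOS-style port configuration (the GBE2's own CLI differs, so the syntax and the policy of VLAN 10 = DMZ, VLANs 20/30 = internal are assumptions) that flags trunks carrying the DMZ VLAN alongside internal VLANs, trunks with no allowed-VLAN list, ports left in dynamic trunk negotiation, and the DMZ VLAN used as an untagged native VLAN.

```python
import re
DMZ_VLAN, INTERNAL_VLANS = 10, {20, 30}   # assumed policy: VLAN 10 is the DMZ
SAMPLE_CONFIG = """\
interface Gi0/1
 switchport mode access
 switchport access vlan 10
interface Gi0/17
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface Gi0/18
 switchport mode dynamic desirable
interface Gi0/19
 switchport mode trunk
"""  # constructed sample in IOS-style syntax, not a real GBE2 config

def parse_interfaces(config):  # -> {interface: [stanza lines]}
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces

def expand_vlans(spec):  # '10,20-22' -> {10, 20, 21, 22}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def find_issues(config):
    """Return [(interface, reason)] for ports that weaken DMZ/internal separation."""
    issues = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode")), "access")
        allowed = None
        for l in lines:
            if l.startswith("switchport trunk allowed vlan"):
                allowed = expand_vlans(l.split()[-1])
            elif l.startswith("switchport trunk native vlan") and int(l.split()[-1]) == DMZ_VLAN:
                issues.append((name, "DMZ VLAN used as untagged native VLAN"))
        if mode == "dynamic":                      # DTP may negotiate a trunk here
            issues.append((name, "trunk negotiation enabled"))
        elif mode == "trunk" and allowed is None:  # IOS default: all VLANs allowed
            issues.append((name, "trunk permits every VLAN"))
        elif mode == "trunk" and DMZ_VLAN in allowed and allowed & INTERNAL_VLANS:
            issues.append((name, "trunk carries DMZ and internal VLANs together"))
    return issues
```

Running `find_issues(SAMPLE_CONFIG)` flags Gi0/17, Gi0/18 and Gi0/19 and leaves the DMZ access port Gi0/1 alone; a trunk that carries only internal VLANs is also left alone.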