Re: [fw-wiz] Firewalls and 802.1q trunking
From: Carson Gaspar (carson@taltos.org)
Date: 11/27/02
- Next message: David Pick: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Previous message: Two Dog Flats: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- In reply to: Steffen Kluge: "[fw-wiz] Firewalls and 802.1q trunking"
- Next in thread: David Pick: "Re: [fw-wiz] Firewalls and 802.1q trunking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Carson Gaspar <carson@taltos.org>
To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Wed Nov 27 00:04:02 2002
My personal philosophy is that VLAN trunks are OK within a risk zone, but
not between them. This is the usual risk / reward tradeoff. VLAN trunks
trade expensive or non-available firewall ports for cheap and plentiful
switch ports, with the risk being an attack on the switch. I'm willing to
make that tradeoff to some extent, but not to the point of having
everything connected to one switch, and relying entirely on the switch to
provide separation.
The sticky bit is, how do you divide your zones by risk? At a bare minimum,
I put Internet, DMZ, and internal segments on different physical switches.
If there are third party external non-Internet links, I'd like those to be
separate as well. If I have firewall ports left, I like to break up the
DMZs into authenticated / non-authenticated, front-end / back-end, inbound
/ outbound, or by operational criteria such as maintenance windows (very
useful with virtual firewalls) - the specifics are usually site specific.
-- Carson
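The zone-separation rule in the post (trunks are tolerable inside one risk zone, but Internet, DMZ and internal segments belong on different physical switches) is the kind of thing worth checking mechanically against a port inventory. The following audit script is an added example, not Carson's code or anything from the list; the inventory format, switch names, VLAN ids and zone labels are constructed for illustration.

```python
"""Audit a VLAN/port inventory against a physical zone-separation policy.

Policy modelled (from the post above):
  * a trunk may carry several VLANs only if they belong to one risk zone;
  * the internet, dmz and internal zone families must live on different
    physical switches.

All names, VLAN ids and the inventory line format are constructed for this
example; adapt parse_inventory() to whatever export your switches produce.
"""
from collections import defaultdict

# VLAN -> risk zone. Sub-zones ("dmz-frontend") roll up to a family ("dmz").
VLAN_ZONES = {
    10: "internet",
    20: "dmz-frontend",
    21: "dmz-backend",
    30: "internal",
    31: "internal",
}

# Zone families that must never share a physical switch (the "bare minimum").
HARD_SEPARATED = {"internet", "dmz", "internal"}

# Constructed inventory: "switch port vlan[,vlan...]", '#' starts a comment.
SAMPLE_INVENTORY = """
# switch   port    vlans
sw-edge    gi0/1   10
sw-dmz     gi0/1   20,21      # trunk inside the DMZ family: tolerable
sw-core    gi0/1   30,31      # trunk inside one zone: compliant
sw-bad     gi0/1   20,30      # trunk spanning DMZ and internal: violation
"""


def zone_family(zone: str) -> str:
    """'dmz-frontend' -> 'dmz'; 'internal' -> 'internal'."""
    return zone.split("-", 1)[0]


def parse_inventory(text: str) -> dict:
    """Return {switch: {port: [vlan, ...]}}; a port with >1 VLAN is a trunk."""
    switches = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        switch, port, vlans = line.split()
        switches[switch][port] = [int(v) for v in vlans.split(",")]
    return dict(switches)


def audit(switches: dict, vlan_zones: dict = VLAN_ZONES) -> list:
    """Return (severity, message) findings; an empty list means compliant."""
    findings = []
    for switch, ports in switches.items():
        families_on_switch = set()
        for port, vlans in ports.items():
            unknown = [v for v in vlans if v not in vlan_zones]
            if unknown:
                # A VLAN with no zone assignment cannot be reasoned about.
                findings.append(("medium", f"{switch} {port}: unassigned VLANs {unknown}"))
            zones = {vlan_zones[v] for v in vlans if v in vlan_zones}
            families = {zone_family(z) for z in zones}
            families_on_switch |= families
            if len(vlans) > 1 and len(zones) > 1:
                # Separation between these zones now rests on the switch alone;
                # crossing a zone family is the case the post rules out.
                sev = "high" if len(families) > 1 else "low"
                findings.append((sev, f"{switch} {port}: trunk spans zones {sorted(zones)}"))
        shared = families_on_switch & HARD_SEPARATED
        if len(shared) > 1:
            findings.append(("high", f"{switch}: hosts hard-separated zones {sorted(shared)}"))
    return findings


def run_sample() -> list:
    """Audit the constructed inventory; used by the demo and the checks."""
    return audit(parse_inventory(SAMPLE_INVENTORY))


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

On the constructed inventory this reports one low finding for the intra-DMZ trunk on sw-dmz and two high findings for sw-bad (the mixed trunk and the switch hosting both families), while sw-core's internal-only trunk and sw-edge's single VLAN produce nothing.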