[fw-wiz] Multiple small switches vs. a single big one; Granularity of control
From: Shimon Silberschlag (shimons_at_bll.co.il)
Date: 02/29/04
- Previous message: Gary Flynn: "Re: IPS (was: [fw-wiz] Sources for Extranet Designs?)"
- In reply to: Steven A. Fletcher: "RE: [fw-wiz] Strange setup"
- Next in thread: Sloane, David: "RE: [fw-wiz] Strange setup"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <firewall-wizards@honor.icsalabs.com> Date: Sun, 29 Feb 2004 16:48:25 +0200
Note to moderator: I know one of these subjects has been raised in the past
on the list, but I think technology changes make it deserving another look.
When designing a new internet architecture, we are debating the use of
either a physical switch per segment, as was traditionally recommended by
the majority of readers on this list, or a big switch combined with
an on-switch FW that controls traffic down to a port granularity (e.g. the
Cisco FWSM enclosed in the 6500 switch).
What would be the current group recommendations WRT such a setup, taking
into account that the usual "don't trust VLANs to separate your segments" is
mitigated by using the FWSM to enforce the separation policy?
On a related issue, does the granularity of control usually stop at the
segment level, meaning do you allow unchecked traffic between the servers on
a segment, or should we opt for server-level control, managing both inter-
and intra-segment communications?
TIA,
Shimon Silberschlag
+972-3-9351572
+972-51-207130
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
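The second question in the post above (segment-level vs. server-level granularity) is easiest to reason about with a small model. The following is an added example, not code from the original message or from any Cisco product: it models the two policy styles as lookup functions and measures what a compromised host could reach under each. The segments (10.1.10.0/24 DMZ, 10.1.20.0/24 app, 10.1.30.0/24 db), the host addresses, the rule sets and the probe flows are all constructed for illustration and are not FWSM configuration syntax.

```python
"""
Segment-level vs. host-level firewall granularity, modelled in Python.

Added example (not from the original post). All addresses, segments,
rules and flows below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source host address
    dst: str      # destination host address
    proto: str    # "tcp" / "udp"
    dport: int    # destination port


# Constructed segments: one VLAN each behind the on-switch firewall.
SEGMENTS = {
    "dmz": ip_network("10.1.10.0/24"),
    "app": ip_network("10.1.20.0/24"),
    "db":  ip_network("10.1.30.0/24"),
}


def segment_of(addr):
    """Return the segment name an address belongs to, or None if unknown."""
    a = ip_address(addr)
    for name, net in SEGMENTS.items():
        if a in net:
            return name
    return None


# Segment-level policy (constructed): rules are written between segments,
# and traffic that stays inside one segment is never inspected.
SEGMENT_RULES = {
    ("dmz", "app"): {("tcp", 8080)},   # web tier -> app tier
    ("app", "db"):  {("tcp", 1433)},   # app tier -> database
}


def allowed_segment_level(flow):
    """Allow intra-segment traffic unconditionally; check inter-segment rules."""
    s, d = segment_of(flow.src), segment_of(flow.dst)
    if s is None or d is None:
        return False                   # unknown addresses are dropped
    if s == d:
        return True                    # the "unchecked traffic" case
    return (flow.proto, flow.dport) in SEGMENT_RULES.get((s, d), set())


# Host-level policy (constructed): every permitted conversation is an explicit
# (src host, dst host, proto, port) tuple; everything else, including traffic
# between two servers on the same segment, is denied.
HOST_RULES = {
    ("10.1.10.5", "10.1.20.7", "tcp", 8080),   # web -> app
    ("10.1.20.7", "10.1.30.9", "tcp", 1433),   # app -> db
    ("10.1.10.5", "10.1.10.6", "tcp", 443),    # web cluster sync, same segment
}


def allowed_host_level(flow):
    """Default deny; only tuples listed in HOST_RULES pass."""
    return (flow.src, flow.dst, flow.proto, flow.dport) in HOST_RULES


def reachable_from(compromised, flows, policy):
    """Set of (dst, proto, dport) a compromised host can reach under a policy."""
    return {(f.dst, f.proto, f.dport)
            for f in flows if f.src == compromised and policy(f)}


# Constructed probe flows from a compromised DMZ web server (10.1.10.5).
PROBES = [
    Flow("10.1.10.5", "10.1.10.6", "tcp", 22),    # ssh to sibling web node
    Flow("10.1.10.5", "10.1.10.6", "tcp", 443),   # legitimate cluster sync
    Flow("10.1.10.5", "10.1.10.7", "tcp", 445),   # SMB to another DMZ host
    Flow("10.1.10.5", "10.1.20.7", "tcp", 8080),  # legitimate app call
    Flow("10.1.10.5", "10.1.20.7", "tcp", 22),    # ssh into app tier
    Flow("10.1.10.5", "10.1.30.9", "tcp", 1433),  # direct hop to the database
]


def compare_policies(compromised="10.1.10.5", flows=PROBES):
    """Return {policy name: reachable set} for the compromised host."""
    return {
        "segment": reachable_from(compromised, flows, allowed_segment_level),
        "host":    reachable_from(compromised, flows, allowed_host_level),
    }


if __name__ == "__main__":
    for name, reach in compare_policies().items():
        print(f"{name}-level policy: {len(reach)} reachable services")
        for dst, proto, port in sorted(reach):
            print(f"  {dst} {proto}/{port}")
```

Running it shows that both policies block the direct DMZ-to-database hop, but only the host-level policy stops the compromised web server from probing ssh and SMB on its neighbours in the same VLAN; the cost is that every legitimate intra-segment flow (here the cluster sync on 443) must be enumerated explicitly.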