RE: [fw-wiz] Multiple small switches vs. a single big one; Granularity of control

From: Phil Burg (Phil.Burg_at_colesmyer.com.au)
Date: 03/05/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 5 Mar 2004 12:43:35 +1100
    
    
    

    Dale W. Carder wrote:

    > I personally believe that the idea of separating vlans onto separate switches
    > is fueled by paranoia and inferior switch architectures. Separating vlans
    > onto their own switches does not scale. If it does for your environment, I
    > envy you :-)

    > There are economies of scale in having bigger switches with more vlans,
    > and trunking between them. The 6500 series switches and competing
    > products are marketed towards that idea.
    [...]
    > The switch enforces the separation policy between vlans. The FWSM is a
    > firewall between vlans.

    At the end of the day, IMNSHO, it's all about risk, and your organisation's
    appetite for it. Using the (rather simplistic) approach that I like to take,
    in the absence of evidence to the contrary, increased complexity equates to
    increased risk. (Yes, this may be paranoia, but my employer likes my paranoid
    streak).

    Therefore, when you compare separate small switches separated by a firewall
    to one large switch with multiple VLANs separated by an integrated firewall,
    the former is less risky than the latter. This doesn't mean it's objectively
    a worse solution, just that a more informed business decision can now be
    made, weighing up the benefits of the latter (the economies of scale you
    mentioned) against the risk if something goes wrong (including both malicious
    activity and stressed comms engineers misconfiguring a VLAN at 4am...)

    My opinion, not my employer's.
    Phil

    --
    Phil Burg
    Senior Security Adviser
    IT S&A Security and Governance
    Coles Myer Ltd
    (03) 9483 7165 / 0409 028 411
    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


