[fw-wiz] Re: firewall-wizards digest, Vol 1 #1229 - 18 msgs

From: Bill Van Emburg (bve_at_quadrix.com)
Date: 03/07/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Sun, 07 Mar 2004 12:15:13 -0500
    
    

    >
    > On Tue, 2 Mar 2004, Dale W. Carder wrote:
    >
    >>Date: Tue, 02 Mar 2004 14:22:40 -0600
    >>From: Dale W. Carder <dwcarder@doit.wisc.edu>
    >>To: Shimon Silberschlag <shimons@bll.co.il>
    >>Cc: firewall-wizards@honor.icsalabs.com,
    >> David Lang <david.lang@digitalinsight.com>
    >>Subject: Re: [fw-wiz] Multiple small switches vs. a single big one;
    >> Granularity of control
    >>
    >>On Feb 29, 2004, at 8:48 AM, Shimon Silberschlag wrote:
    >>
    >>>When designing a new internet architecture, we are debating the use of
    >>>either a physical switch per segment, as was traditionally recommended
    >>>by the majority of readers on this list, or using a big switch combined
    >>>with an on-switch FW that controls traffic down to a port granularity
    >>>(e.g. the Cisco FWSM enclosed in the 6500 switch).
    >>
    >>I personally believe that the idea of separating vlans onto separate
    >>switches is fueled by paranoia and inferior switch architectures.
    >>Separating vlans onto their own switches does not scale. If it does for
    >>your environment, I envy you :-)
    >>
    >>There are economies of scale in having bigger switches with more vlans,
    >>and trunking between them. The 6500 series switches and competing
    >>products are marketed towards that idea.
    >
    >
    > I agree that this is the marketing claim. The definition of what 'scales'
    > varies depending on what you are trying to do.
    >

    I, personally, am a very big fan of separate physical switches per
    segment. Not only is it cheaper in most scenarios, but it's harder to
    screw up the configs (i.e., better manageability), practically
    impossible to have an outage of your whole network (i.e., hardware
    separation and no single points of failure ... if you're careful!),
    protects you against the *next* bug to be found in your switch vendor's
    VLAN software (because ALL CODE HAS BUGS ... security 101, right?), is
    easier to maintain (how many spare 6500s do you have in *your*
    infrastructure?), and allows for easy separation of control (do *you*
    have a good way to have separate VLANs administered by different sysadms?).

    I'm NOT saying that you *always* have to have *every* segment on its own
    physical switch. Security is always a business decision, and sometimes
    the tradeoffs make sense. However, I think VLANs are heavily overused,
    especially in a company's Internet-facing infrastructure design. From a
    security perspective, you should physically isolate segments with
    different levels of security tolerance, whenever possible. For segments
    with similar security tolerance, you might decide that there are
    advantages in your scenario, although I'll still argue that my points
    above are valid in most of the scenarios I've seen.

    In particular, if your infrastructure is small, it almost never pays to
    go with a huge switch.... (just my $0.035 -- I never give just $0.02! ;-)

    -- 
    -- Bill Van Emburg
    Quadrix Solutions, Inc.
    Phone: 732-742-0475  (mailto:bve@quadrix.com)
    Fax:   309-404-7749  (http://quadrix.com)
    The eBusiness Solutions Company
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
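The design rules argued in this message (physically isolate segments of different security tolerance, avoid one switch as a single point of failure, keep separately administered VLANs off a shared config) can be turned into a check that runs over a network inventory. The following is an added example, not code from the thread, from Cisco, or from any product; the switch names, segment names, trust levels and admin teams are a constructed sample, and the 50% blast-radius threshold is an arbitrary assumption.

```python
"""Design-lint for a segment/switch inventory (added example, not from the thread)."""
from collections import defaultdict

# Constructed sample inventory (hypothetical names): trust level (higher = more
# sensitive), the physical switch carrying the segment, and the owning admin team.
# This is the "one big switch with VLANs" design.
SEGMENTS = {
    "dmz-web":  {"trust": 1, "switch": "core-6500", "admin": "web-ops"},
    "app-tier": {"trust": 2, "switch": "core-6500", "admin": "app-ops"},
    "db-tier":  {"trust": 3, "switch": "core-6500", "admin": "dba"},
    "mgmt":     {"trust": 3, "switch": "mgmt-sw1",  "admin": "netops"},
}

# The same segments with a physical switch per trust level (constructed).
SEPARATED = {
    "dmz-web":  {"trust": 1, "switch": "dmz-sw1", "admin": "web-ops"},
    "app-tier": {"trust": 2, "switch": "app-sw1", "admin": "app-ops"},
    "db-tier":  {"trust": 3, "switch": "db-sw1",  "admin": "dba"},
    "mgmt":     {"trust": 3, "switch": "db-sw1",  "admin": "netops"},
}


def segments_by_switch(segments):
    """Group segment names by the physical switch that carries them."""
    grouped = defaultdict(list)
    for name, seg in segments.items():
        grouped[seg["switch"]].append(name)
    return {sw: sorted(names) for sw, names in grouped.items()}


def mixed_trust_findings(segments):
    """Switches carrying segments of different trust levels: there, isolation
    depends entirely on the switch's VLAN software having no bugs."""
    findings = []
    for sw, names in sorted(segments_by_switch(segments).items()):
        levels = {segments[n]["trust"] for n in names}
        if len(levels) > 1:
            findings.append((sw, names))
    return findings


def mixed_admin_findings(segments):
    """Switches whose VLANs are owned by more than one admin team, so every
    team needs write access to the same shared configuration."""
    findings = []
    for sw, names in sorted(segments_by_switch(segments).items()):
        teams = sorted({segments[n]["admin"] for n in names})
        if len(teams) > 1:
            findings.append((sw, teams))
    return findings


def blast_radius(segments):
    """Fraction of all segments lost if a given switch fails (1.0 = whole network)."""
    total = len(segments)
    return {sw: len(names) / total
            for sw, names in segments_by_switch(segments).items()}


def lint(segments, max_blast=0.5):
    """Collect human-readable findings for a design review."""
    report = []
    for sw, names in mixed_trust_findings(segments):
        report.append(f"{sw}: mixed trust levels on one switch ({', '.join(names)})")
    for sw, teams in mixed_admin_findings(segments):
        report.append(f"{sw}: config shared by admin teams {', '.join(teams)}")
    for sw, frac in sorted(blast_radius(segments).items()):
        if frac > max_blast:
            report.append(f"{sw}: failure takes down {frac:.0%} of segments")
    return report


if __name__ == "__main__":
    for label, inventory in (("single big switch", SEGMENTS),
                             ("switch per trust level", SEPARATED)):
        print(f"== {label} ==")
        for line in lint(inventory) or ["no findings"]:
            print(" ", line)
```

On the constructed "big switch" inventory the lint reports three findings (mixed trust levels, three admin teams on one config, and a switch whose loss removes 75% of segments); on the separated inventory only the shared `db-sw1` admin finding remains, which is the kind of same-tolerance tradeoff the message says may be acceptable.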
    
