Re: VLANS in a DMZ - good idea?

From: Greg Hennessy (me_at_privacy.org)
Date: 01/27/05


Date: Thu, 27 Jan 2005 18:36:22 +0000

On 27 Jan 2005 17:22:28 GMT, rick@bcm.tmc.edu (Richard H. Miller) wrote:

>: >Me either, yet one of our security analysts always touts this as a BAD idea.
>
>: I've met and had the misfortune to work that type before.
>
>Based on past information and some previous vulnerabilities there is always going to be
>a theoretical possibility that some vulnerability might be discovered to breach the
>VLAN separation.

True.

>
>So, in the best of all worlds you should place each security zone on a physically
>separate switch.
>
>In practical terms this is usually not a cost-effective approach. Using Vlan security and
>placing multiple vlans on the same switch including different zones is IMHO an acceptable
>risk.

Depends. I personally have audited installations where LAN, DMZ and
Internet were plumbed into the same switch.

The design is everything; Layer 3 switches between an inner/outer firewall
sandwich are ideal for implementing multiple-layer DMZs.

If you're truly paranoid, throw an FWSM or the non-crisco equivalent into
the mix.

>I still air gap the external zones from all internal and DMZ zones. Because there is that
>low probability risk that a switch might be compromised I feel it is better to not introduce
>the possibility that a future vuln might allow external users to totally bypass the perimeter.

Sensibly prudent.

>
>: >Yet when challenged can never cite an example of a vuln.
>: >It's that kind of thinking that drives me nuts.
>
>: He shouldn't be in a position to dictate policy if he cannot support his
>: arguments.
>
>Exactly right... there is a theoretical vuln to this, but to act on it in most cases
>without hard, specific arguments of why it becomes an actual risk in the user's
>environment should not happen.

No doubt. Not much point in worrying about a CAM table flood via macof or
whatever if you've left the environment open to such an extent that it's
possible to download and build such tools on a penetrated system.

A hard shell is not much use if the centre is soft and creamy. (Today's
mixed metaphor was brought to you by....)

>
>: >You have a 48 port switch
>: >but can't use it because of some layer 2 VLAN risk! What risk?
>
>: As long as you don't mix trust levels, the notion of some unnamed 'risk' is
>: nonsense.
>
>
>Not nonsense but a risk that needs to be mentioned and then documented as to why
>the risk is not large enough to take action.

Of course, but preventing a solution which is good from both a business &
technical perspective purely on the basis of a risk they cannot quantify is
unacceptable.

I've met a lot of security types who labour under the delusion that the
business works for them and not the other way round.

>Because this 'vulnerability' exists
>in the minds of so many people, especially auditors, you cannot simply hand-wave
>it away as nonsense.

Yes, having had the misfortune to deal with external 'auditors' whose
knowledge of IT security extended no further than what colour pen to fill
in tick boxes with.

>All you need to do is explain why it is a low-probability
>vuln and no action needs to be taken.

Or have a stand up blazing row and give them a day to produce hard evidence
to support their high 'risk' assessment or be told to go forth and
multiply.

>If a security analyst does not mention the risk, they are derelict in their job.
>However, as you have stated, to prohibit without doing an assessment of the actual
>risk to the organization is dumb. There is a bit too much of this type of FUD
>being seen and acted upon.

You'll get no argument here Richard :-).

greg

>
>
>: greg
>
>
>Richard H. Miller, MCSE, CCSE+
>Information Security Manager
>Information Technology Security and Compliance
>Information Technology - Baylor College of Medicine

-- 
Yeah - straight from the top of my dome 
As I rock, rock, rock, rock, rock the microphone 