Re: VLAN's & DMZ's
From: jnitron (jnitron-nospam_at_hotmail.com)
Date: 04/17/05
- Next message: Alex Vinokur: "OTP (One-Time Pad Generator Program) and MD5 signature"
- Previous message: Zilla: "Re: Linksys Router Question"
- In reply to: Steven L Umbach: "Re: VLAN's & DMZ's"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 17 Apr 2005 04:02:13 +0100
On Tue, 5 Apr 2005 16:19:26 -0500, "Steven L Umbach"
<n9rou@n0-spam-for-me-comcast.net> wrote:
>I am not an expert on switches and vlans but it seems to me that usually you
>want at least some access to computers on a dmz from the lan network based
>on what you have configured for firewall rules, even if it is jut to manage
>computers in the dmz. A firewall would certainly be a better option and
>there are very reasonably priced ones available. If a computer on the dmz is
>compromised, then at the very least your switch could be subject to denial
>of service attacks that may impact the whole network that uses that switch.
>If the switch is compromised then the whole network may go down or be
>subject to attacks from the dmz computer. I don't know of a good link
>offhand. --- Steve
>
>
>"roberto" <no_trash@respond-to-group-not-me.com> wrote in message
>news:CSA4e.3352$Nn.2163@tornado.rdc-kc.rr.com...
>>I understand that it is considered a less than 'best practice' to use a few
>>ports in a VLAN-able switch matrix to "logically" isolate a DMZ from the
>>private network. The better practice is to "physically" isolate the DMZ by
>>putting it on a completely separate piece of switch hardware not related to
>>the VLAN-able devices. I've reviewed some white papers but none have been
>>terribly specific about this. There is a comment recommending the better
>>practice in my GSEC study material but no references beyond a year 2000
>>document alluding to VLAN Hopping. Can any of you point me to a good
>>source or two that document good rationale for the better practice? It
>>looks and sounds perfectly logical to me - but that may not be forceful
>>enough in this work environment.
>>
>> Thanks.
>>
>> roberto
>>
Gentlemen,
From a strictly practical point of view it looks to me like you are
overly concerned with what separates your LANs (VLANs or DMZs) rather
than being concerned with what connects them together. Specifically
DMZs are connected to the LAN by constructs (referred to as DMZ
pinholes) which tightly control and restrict the exchange of data
with the LAN to that which is absolutely necessary. Communication
between the DMZ and the WAN will typically be sufficient to allow the
provision of chosen services to the WAN. Complete separation is
pointless, while an open routed connection via a gateway between VLANs
is hopeless from a security point of view. Have a look at the design
and implementation of ipcop at http://www.ipcop.org for a good
example of "best practice".
In other words, forget VLANs - it's not what they are designed for.
Get or build a good firewall like IPCOP, or if you want to spend lots
of money, buy something like a Watchguard Firebox.
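The "DMZ pinhole" idea from the post above, worked through as an added example; this is not code from jnitron's post or from IPCop, and the zone addressing (192.168.1.0/24 for the LAN, 192.168.100.0/24 for the DMZ, 203.0.113.5 as a WAN host), the port numbers and the sample flows are all constructed assumptions. It models a zone-based filter in which traffic between zones is dropped unless an explicit rule (a pinhole) permits it, and contrasts it with the "open routed connection between VLANs" the post calls hopeless: a router with no policy that accepts everything, so a compromised DMZ host can reach any LAN service.

```python
"""Zone-based first-match policy illustrating DMZ pinholes.

Added example, not from the original post. All addresses, ports and
flows below are constructed for illustration. Decisions are made on
the first packet of a connection; a real stateful firewall would pass
the return packets of an accepted connection automatically.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing: anything not in LAN or DMZ is treated as WAN.
ZONES = {
    "LAN": [ip_network("192.168.1.0/24")],
    "DMZ": [ip_network("192.168.100.0/24")],
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name ("LAN", "DMZ" or "WAN")."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


# Pinhole policy: every inter-zone flow is dropped unless listed here.
PINHOLE_POLICY = [
    Rule("WAN", "DMZ", "tcp", 80, "accept"),    # published web service
    Rule("WAN", "DMZ", "tcp", 443, "accept"),
    Rule("DMZ", "LAN", "tcp", 5432, "accept"),  # the one pinhole: web tier -> database
    Rule("LAN", "DMZ", "tcp", 22, "accept"),    # admins manage DMZ hosts from the LAN
    Rule("LAN", "WAN", "any", None, "accept"),  # ordinary outbound traffic
]

# Open routing between VLANs: a gateway with no filtering at all.
OPEN_ROUTING = [
    Rule(src, dst, "any", None, "accept")
    for src in ("LAN", "DMZ", "WAN")
    for dst in ("LAN", "DMZ", "WAN")
]


def decide(policy, src: str, dst: str, proto: str, dport: int) -> str:
    """Return "accept" or "drop" for a new connection src -> dst:dport."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "accept"  # same zone: traffic never crosses the firewall
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action
    return "drop"  # default deny between zones


# Constructed sample flows, including what a compromised DMZ host might try.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.168.100.10", "tcp", 443),     # internet user -> DMZ web
    ("192.168.100.10", "192.168.1.20", "tcp", 5432),   # DMZ web -> LAN database (pinhole)
    ("192.168.100.10", "192.168.1.20", "tcp", 445),    # DMZ web -> LAN SMB (lateral movement)
    ("203.0.113.5", "192.168.1.20", "tcp", 3389),      # internet -> LAN RDP
    ("192.168.1.20", "192.168.100.10", "tcp", 22),     # admin -> DMZ host
]


def evaluate(policy, flows=SAMPLE_FLOWS):
    """Decide every flow under the given policy; returns a list of actions."""
    return [decide(policy, *flow) for flow in flows]


if __name__ == "__main__":
    for flow, pinhole, open_ in zip(SAMPLE_FLOWS, evaluate(PINHOLE_POLICY), evaluate(OPEN_ROUTING)):
        print(f"{flow[0]:>15} -> {flow[1]:>15}:{flow[3]:<5} pinholes={pinhole:<6} open-routing={open_}")
```

Under the pinhole policy only the published web ports, the single web-to-database pinhole and the admin SSH path are accepted; the lateral SMB attempt and the inbound RDP attempt are dropped. Under open routing every flow is accepted, which is exactly the difference between a firewalled DMZ and a merely separated VLAN.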