Re: VLAN's & DMZ's
From: Steve Clark [MSFT] (bogus_at_microsoft.com)
Date: 04/05/05
- Next message: Steven L Umbach: "Re: Need to replace/renew SSL cert and change OU in IIS 5.0"
- Previous message: Steven L Umbach: "Re: help with setting up File Access Rights in Windows 2003"
- In reply to: roberto: "VLAN's & DMZ's"
- Next in thread: Michael Pelletier: "Re: VLAN's & DMZ's"
- Reply: Michael Pelletier: "Re: VLAN's & DMZ's"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 5 Apr 2005 13:05:14 -0700
VLANS are *not* security constructs: they are management constructs.
Somewhere about 1996 people saw that they could put ACL's on them and thus
they started treating them as if they were security boundaries.
Ettercap renders all that rot practically meaningless.
However, it is considered to be best practice to implement VLANS of the same
security posture on the same switch. i.e., you don't have a highly secure
VLAN and a less secure VLAN on the same switch, because the lowest common
denominator is the security posture on that device. (in this case, less
secure)
Also, physical isolation implies that there will be no communications
between the two conencted networks/devices. The US does this for DoD
networks by having a separate, highly secure classified network (SIPRNET)
and an internet connected (and therefore vulnerable) network called NIPRNET.
These networks are physically separated.
If you want the maximum amount of logical isolation, use packet filters on
the network edge, along with layer 7 aware firewalls. Use IPsec transport
mode to protect hosts on the inside and use L2TP/IPsec for VPN connectivity.
That's about as strong of a DiD approach on a network as current technology
provides. Beyond this, you start talking about extreme physical security,
and other methods...
"roberto" <no_trash@respond-to-group-not-me.com> wrote in message
news:CSA4e.3352$Nn.2163@tornado.rdc-kc.rr.com...
>I understand that it is considered a less than 'best practice' to use a few
>ports in a VLAN-able switch matrix to "logically" isolate a DMZ from the
>private network. The better practice is to "physically" isolate the DMZ by
>putting it on a completely separate piece of switch hardware not related to
>the VLAN-able devices. I've reviewed some white papers but none have been
>terribly specific about this. There is a comment recommending the better
>practice in my GSEC study material but no references beyond a year 2000
>document alluding to VLAN Hopping. Can any of you point me to a good
>source or two that document good rationale for the better practice? It
>looks and sounds perfectly logical to me - but that may not be forceful
>enough in this work environment.
>
> Thanks.
>
> roberto
>
- Next message: Steven L Umbach: "Re: Need to replace/renew SSL cert and change OU in IIS 5.0"
- Previous message: Steven L Umbach: "Re: help with setting up File Access Rights in Windows 2003"
- In reply to: roberto: "VLAN's & DMZ's"
- Next in thread: Michael Pelletier: "Re: VLAN's & DMZ's"
- Reply: Michael Pelletier: "Re: VLAN's & DMZ's"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
