04-16-2012 06:56 AM - edited 03-11-2019 03:54 PM
Is it a security issue or concern to add the Internet router to the same DMZ switch but on a different VLAN? To make the question clear, here is the setup.
The Internet router is on the outside interface of an ASA firewall, and the DMZ switch is on the DMZ interface of the firewall with a security level of 50.
04-17-2012 04:55 AM
Hi H,
There are no security concerns if you plug the DMZ interface and the Internet router into the same switch, as long as they are separated into different VLANs with the correct configuration.
Thanks,
Varun
04-17-2012 04:46 AM
Can anyone help out please?
Regards,
H
04-17-2012 05:02 AM
What about L2 attacks (VLAN hopping, for example)?
04-17-2012 05:23 AM
Hi H,
For that, your configuration needs to be strict: no traffic should be allowed over native VLANs; instead, VLANs should be specified explicitly as access VLANs. Do not set the trunks to auto-negotiate. Such steps can be taken to mitigate L2 attacks that aim to gain access to your DMZ resources without passing through the ASA.
Thanks,
Varun
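As an added example (not from this thread or from Cisco), here is a small Python audit that checks a Cisco IOS switchport configuration for the hardening described above: no DTP auto-negotiation, a native VLAN that carries no user traffic, and an explicit allowed-VLAN list on trunks. The running-config excerpt is constructed for illustration; only plain comma-separated allowed-VLAN lists are handled.

```python
# Constructed IOS excerpt: hardened uplink, unhardened router port, hardened access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for each 'interface' stanza."""
    interfaces = {}
    for stanza in config.split("!\n"):
        lines = [l.strip() for l in stanza.strip().splitlines()]
        if lines and lines[0].startswith("interface "):
            interfaces[lines[0].split()[1]] = lines[1:]
    return interfaces

def audit_port(lines):
    """Return VLAN-hopping findings for one switchport; an empty list means hardened."""
    def value(prefix, default):
        return next((l[len(prefix):] for l in lines if l.startswith(prefix)), default)
    findings = []
    mode = value("switchport mode ", "dynamic auto")  # IOS default negotiates via DTP
    if mode.startswith("dynamic"):
        findings.append("DTP negotiation allowed: port can be talked into trunking")
    if "switchport nonegotiate" not in lines:
        findings.append("missing 'switchport nonegotiate'")
    if mode == "trunk":
        native = value("switchport trunk native vlan ", "1")   # default native VLAN is 1
        allowed = value("switchport trunk allowed vlan ", None)  # None = all VLANs allowed
        if native == "1":
            findings.append("native VLAN left at default 1")
        if allowed is None:
            findings.append("allowed VLAN list not restricted")
        elif native in allowed.split(","):
            findings.append("native VLAN %s also carries tagged user traffic" % native)
    return findings

def audit_config(config):
    """Map every switchport in the config to its findings."""
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```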
04-17-2012 05:29 AM
To answer it simply: there is no security concern with the Internet router on the DMZ switch, but you need to take care of all the L2-type attacks by hardening the switch configuration.