372 Views · 0 Helpful · 2 Replies

Possible security vulnerability?

alitster
Level 1

Hi,

I'm after some feedback on the following configuration.

On an ASA 5520 we have 3 different zones each on separate interfaces and different VLANs. If these were all connected to the same 6504 switch along with the servers would this present a security vulnerability? Would it be better to have each zone connected to an individual switch for security purposes or would an access-list on the 6504 suffice?

Any advice would be most welcome.

Thanks,

Alan

2 Replies

andrew.burns
Level 7

Hi,

Best practice dictates that you have each zone on a separate switch, mainly because if the switch was ever compromised (either deliberately or accidentally) then you could simply bypass the firewall altogether.

That said, if you use vlans a lot then you'll be trunking to a switch...

Basically, it's a decision for the security manager (assuming you don't have this explicitly defined in your security policy) and comes down to cost vs. risk vs. practicality. Just make sure you follow all Cisco's published security best practice on the switches!

HTH - plz rate if useful

Andrew.

To add to Andrew's post (he is correct btw), historically there have been a few "VLAN hopping" exploits that allow a user to jump from one VLAN to another. I know of no current methods as long as you follow best practices, particularly enabling port security and limiting the number of MAC addresses per port. Also, all of the exploits I have known of relied on access to a device on the switch, so an attacker could compromise a web server and then use it to hop to another VLAN.

For these reasons, I always recommend separate switches for each security zone, but I often advise that it is not cost-effective for my smaller clients. I trust that a properly secured switch is not currently a risk, and if you use some host protection such as CSA on at-risk servers, a successful attack would be very unlikely.

As a bare minimum, I like to have 1 external switch if necessary, an inside switch (may be your existing core or other internal switch), and one or more for DMZs. The DMZs usually have multiple VLANs with a trunk to the firewall to allow for more security zones than allowed by the physical ports.

I hope you find this useful,

Eric
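As an added illustration of the switch hardening both replies point to (port security with a per-port MAC limit, and a trunk to the ASA that carries only the zone VLANs), here is an IOS configuration fragment for a shared Catalyst 6500 with the weak server-port setting shown beside the hardened one. This is example configuration written for this page, not from the thread or from Cisco; interface names, VLAN IDs and the port roles are assumed for illustration.

```cisco
! Added example (not from this thread): hardening a Catalyst 6500 IOS switch that
! carries several ASA security zones. Interface names and VLAN IDs are constructed.

! --- Weak: server port left in dynamic mode with no port security ---
! "dynamic desirable" lets the port negotiate a trunk with whatever is plugged in,
! and without port security any number of MAC addresses may appear on the port.
interface GigabitEthernet2/1
 description DMZ web server (weak)
 switchport
 switchport mode dynamic desirable
 switchport access vlan 20

! --- Hardened: same server port pinned to one VLAN and one MAC address ---
interface GigabitEthernet2/1
 description DMZ web server (hardened)
 switchport
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- Trunk to the ASA: carry only the zone VLANs, and use an otherwise unused,
! tagged native VLAN so untagged frames cannot land in a zone VLAN ---
vlan dot1q tag native
interface GigabitEthernet1/1
 description Trunk to ASA 5520 (zones 10,20,30)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate

! Verification after applying:
!   show port-security interface GigabitEthernet2/1
!   show interfaces trunk
```

The verification commands confirm that the server port reports a maximum of one secured address and that the trunk lists only VLANs 10, 20 and 30 as allowed.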