cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
524
Views
0
Helpful
3
Replies

VLANs for DMZ and Outside Networks

b.hazelbaker
Level 1
Level 1

Networking Newbie question:

I have a PIX 525 firewall that contains (3) interfaces: Inside, DMZ and Outside. We have problems on occasion with our ISP on the outside interface. It sometimes requires me to insert a hub in between the Outside of the PIX and the ISP so as to use Sniffer. My question concerns the security aspects of creating a VLAN for the outside and DMZ networks. This would allow me to simply assign my PC to the outside VLAN and then I could SPAN the ports.

Physically this would mean plugging the ISP into my Cat4006 along with the DMZ. As long as I have those ports assigned to the VLANs I create, and NOT trunking to them, is there a security risk in doing this?

The neet thing is that if this works I could trunk these VLANs to anywhere on the network. (should I ever to need to). Thus providing the ability to have externally visable web servers physically located anywhere in the building, but on the DMZ or the outside networks. What do you think?

Thanks

Brad

3 Replies 3

bcarroll
Level 1
Level 1

Brad,

I was reading recently about hopping vlans to exploit a network. I would avoid the issue. Here is a link that explains some of it.

http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

Brandon

jbaddiley
Level 1
Level 1

If at all possible, I would avoid using your internal switch for external connectivity as well.

First of all, you would be compromising the job that your firewall provides. Although each VLAN is (by design) secure, you are relying on a piece of technology to provide a service that it was not necessarily designed for.

Also - keep in mind that information such as spanning tree and VTP information could get forwarded to your ISP.

You must take the view that the point that you trust stops at the external port on your firewall. Don't assume that the ISP itself would not be used as a point to launch an attack.

My recommendation would be to utilise a small switch, or (if your budget won't stretch to that), a hub. They'll provide the same functionality without compromising the services your firewall is providing. (of course, you would need additional cabling to carry the "external VLAN" from these external switches to anywhere else in your campus).

I hope this helps...

Jono

We use a Cat6513 with VLANs setup for the DMZ, a segment that contains the internet router & PIX, and several inside VLANs. As long as you have a three port PIX [which you do], plug one into your inside VLAN and one into your DMZ VLAN, and one into your VLAN with your router and as long as you can keep a logical layout of what ports are assigned to what VLAN, you ownt have any problems. You still have the security of your PIX and you have the expandability to anywhere in your building.

RobertG...