04-24-2002 07:54 AM - edited 03-08-2019 10:25 PM
Networking Newbie question:
I have a PIX 525 firewall that contains (3) interfaces: Inside, DMZ and Outside. We have problems on occasion with our ISP on the outside interface. It sometimes requires me to insert a hub in between the Outside of the PIX and the ISP so as to use Sniffer. My question concerns the security aspects of creating a VLAN for the outside and DMZ networks. This would allow me to simply assign my PC to the outside VLAN and then I could SPAN the ports.
Physically this would mean plugging the ISP into my Cat4006 along with the DMZ. As long as I have those ports assigned to the VLANs I create, and NOT trunking to them, is there a security risk in doing this?
The neat thing is that if this works I could trunk these VLANs to anywhere on the network (should I ever need to), thus providing the ability to have externally visible web servers physically located anywhere in the building, but on the DMZ or the outside networks. What do you think?
Thanks
Brad
04-26-2002 06:37 AM
Brad,
I was reading recently about hopping VLANs to exploit a network. I would avoid the issue. Here is a link that explains some of it.
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
Brandon
05-20-2002 09:09 AM
If at all possible, I would avoid using your internal switch for external connectivity as well.
First of all, you would be compromising the job that your firewall provides. Although each VLAN is (by design) secure, you are relying on a piece of technology to provide a service that it was not necessarily designed for.
Also - keep in mind that information such as spanning tree and VTP information could get forwarded to your ISP.
You must take the view that the point that you trust stops at the external port on your firewall. Don't assume that the ISP itself would not be used as a point to launch an attack.
My recommendation would be to utilise a small switch, or (if your budget won't stretch to that), a hub. They'll provide the same functionality without compromising the services your firewall is providing. (of course, you would need additional cabling to carry the "external VLAN" from these external switches to anywhere else in your campus).
I hope this helps...
Jono
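For readers who do decide to carry the outside and DMZ segments on the campus switch anyway, the following is an added illustration of the hardening the posts above argue for (access-only ports, no trunk negotiation, no spanning-tree or VTP information leaving toward the ISP, a SPAN session in place of the hub). It is not configuration from anyone in this thread. It uses IOS-style Catalyst syntax; the interface names, VLAN numbers and the choice of VLAN 999 as an unused native VLAN are assumptions, and a Cat4006 of this era running CatOS would need the equivalent `set` commands instead.

```cisco
! Added example, not from the thread. IOS-style Catalyst switch carrying the
! PIX outside segment on VLAN 100 and the DMZ on VLAN 200 (assumed numbers).
!
! VTP transparent mode: this switch neither learns nor propagates VLAN
! database changes, so no VTP advertisement is generated toward any port.
vtp mode transparent
!
! Tag the native VLAN on trunks too, so an untagged frame arriving on a
! trunk cannot be delivered into a user VLAN (addresses the double-tagging
! form of VLAN hopping referenced earlier in the thread).
vlan dot1q tag native
!
! ISP handoff: a plain access port that can never become a trunk.
interface GigabitEthernet1/1
 description ISP handoff - untrusted
 switchport
 switchport mode access
 switchport access vlan 100
 ! nonegotiate suppresses DTP, so the far side cannot negotiate a trunk
 switchport nonegotiate
 ! bpdufilter stops BPDUs in both directions on this port: our spanning-tree
 ! topology is not sent to the provider. The port therefore gives up STP loop
 ! detection, which is acceptable only because a single device hangs off it.
 spanning-tree bpdufilter enable
 ! do not advertise device name, software version or management IP to the ISP
 no cdp enable
!
! PIX outside interface on the same access VLAN.
interface GigabitEthernet1/2
 description PIX outside
 switchport
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 ! err-disable the port if a BPDU ever arrives from the firewall side
 spanning-tree bpduguard enable
!
! DMZ hosts and the PIX DMZ interface: same treatment, separate VLAN.
interface GigabitEthernet1/3
 description PIX dmz
 switchport
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! If the DMZ VLAN is trunked to another closet, carry only the VLANs that
! closet needs, use a dedicated unused native VLAN, and disable DTP there too.
! VLAN 100 (outside) is deliberately not in the allowed list.
interface GigabitEthernet1/48
 description trunk to building closet
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,200
 switchport nonegotiate
!
! SPAN the outside VLAN to the sniffer PC instead of inserting a hub.
! The destination port carries mirrored traffic only and is not a member of
! VLAN 100, so the PC does not become a host on the outside segment.
monitor session 1 source vlan 100 both
monitor session 1 destination interface GigabitEthernet1/10
```

The checks a practitioner would run afterwards are `show interfaces trunk` (the ISP and PIX ports must not appear), `show vtp status` (mode transparent), `show spanning-tree interface GigabitEthernet1/1 detail` (BPDU filter active) and `show monitor session 1`. Note that the SPAN approach still leaves the campus switch as a shared device between untrusted and trusted segments, which is exactly the exposure the preceding reply recommends avoiding with a separate small switch.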
05-20-2002 09:31 AM
We use a Cat6513 with VLANs set up for the DMZ, a segment that contains the internet router & PIX, and several inside VLANs. As long as you have a three-port PIX [which you do], plug one into your inside VLAN, one into your DMZ VLAN, and one into your VLAN with your router, and as long as you can keep a logical layout of what ports are assigned to what VLAN, you won't have any problems. You still have the security of your PIX and you have the expandability to anywhere in your building.
RobertG...