06-23-2009 05:56 AM - edited 03-06-2019 06:24 AM
Hi all,
This is a topic that has come up for discussion within our team a couple of times during the last few months. I wondered what other people's thoughts were on this subject - whether to use separate physical hardware or VLANs for the creation and provision of DMZ networks?
I am wondering if this is a matter of 'upbringing'. For example, I started my career in an environment where VLANs were used extensively for isolation of numerous networks of differing security levels, so I am quite comfortable with using VLANs for this type of L2 isolation. However, other colleagues are much more comfortable using separate physical hardware in such situations.
Regards,
David.
06-23-2009 06:21 AM
If you ask a security engineer they will say to use separate switches. Ask the person paying for them and they would say use VLANs. I look at two things: experience of the people who support it (e.g. could they mis-configure and have the DMZ VLAN all over the place and open to hosts they shouldn't?) and is a DMZ host located somewhere where a cable won't reach? I have run into places that have a host on the other side of campus and having the DMZ on VLANs saved us some work and the customer money.
Hope that helps.
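One way to catch the "DMZ VLAN all over the place" misconfiguration described in the reply above is a periodic config audit. The script below is an added example, not from this thread or any vendor tool: it parses constructed IOS-style trunk stanzas and flags trunks that carry the DMZ VLAN outside an approved list (including trunks with no allowed-VLAN list, which carry everything by default) or that use the DMZ VLAN as the native VLAN. The DMZ VLAN id (30) and the approved-trunk set are assumptions.

```python
import re
# Constructed IOS-style interface stanzas (illustration only, not a real device config).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk native vlan 30
 switchport trunk allowed vlan 30,40-45
"""

def parse_interfaces(config):
    # Group the indented lines of each "interface <name>" stanza under its name.
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces

def expand_vlans(spec):
    # "10,20,40-45" -> {10, 20, 40, 41, 42, 43, 44, 45}; only the plain list/range form is handled.
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dmz_vlan(config, dmz_vlan, approved_trunks):
    # Return (interface, reason) pairs where the DMZ VLAN reaches a trunk it should not.
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue                      # access ports carry a single VLAN; not checked here
        allowed, native = None, 1         # IOS defaults: every VLAN allowed, native VLAN 1
        for line in lines:
            if m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
                allowed = expand_vlans(m.group(1))
            elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
                native = int(m.group(1))
        if name not in approved_trunks and (allowed is None or dmz_vlan in allowed):
            findings.append((name, "carries DMZ VLAN" + (" (no allowed-vlan list)" if allowed is None else "")))
        if native == dmz_vlan:
            findings.append((name, "DMZ VLAN is the native (untagged) VLAN"))
    return findings
```

Run it against the output of `show running-config` from each switch in the path; any trunk in the findings list is where the DMZ VLAN has leaked beyond the firewall uplink.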
06-28-2009 04:53 AM
It depends on how secure your protected network must be. Any security engineer and most network designers that I have talked to would never use L2 separation for a DMZ.
While the misconfiguration issue is valid, I would be more concerned about malicious attacks. It is quite a trivial thing to hop a VLAN.
Again, it depends on the level of security needed and the money that you want to spend.