I have Internet connections coming into a public network switch, with NOTHING but public IPs vlan'ed out to different tenants. Essentially this install is providing Internet access to different firewalled LANs, or tenants.
I'm in a situation where I'm being directed to take one of those firewalled/private LANs and connect it back into my public switch via layer 2 trunking, with ACLs managing traffic on the ports tying the private LAN connections together. So, a connection behind a firewall, protected by a firewall, is connected back into the public Internet switch, then trunked down to a private switch with servers.
Can it be done? Obviously. Do I know how to do it, and do I understand hardening at each point? Yes, I do. I'm not looking for a how-to but more what other engineers' thoughts are on this risk, and (I guess) my name being associated with the configuration.
Just to clarify, are you saying that for one of the LANs behind the firewall you are going to be bypassing the firewall and relying on ACLs instead?
Sorry to ask another question, but when you say public and private networks, are you talking about the IP addressing?
If so, I assume the firewall(s) currently handle the NAT, so where would it be done if you bypass the firewall? I.e., assuming a Cisco switch, most cannot do NAT unless of course you are using a 6500 switch.
All those VLANs are public Internet connections to tenants with their own public /30. That connects to their FW and they manage their own LAN behind it. The one tenant/Vlan in question is VlanC, and its private side is circled in red.
VlanC is the tenant's public/Internet connection to their FW. The inside LAN is behind the FW on a LAN switch; that LAN switch is connected back to the public switch on a separate Vlan, which also has another connection to another private LAN switch (on the same subnet/network), then on to private servers.
The whole red circled path is using the FW for any NATs.
So, that private LAN traffic traverses the WAN switch, where public traffic is.
That is a crude drawing and shows none of the redundancy.
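As an added illustration (not part of the thread, and not the poster's configuration), here is roughly what locking down the trunk ports that carry the tenant's private LAN across the public switch looks like on a Cisco IOS switch. The VLAN numbers, interface names and descriptions are assumptions.

```cisco
! Added example (not from the thread). Cisco IOS trunk hardening for the
! two ports on the public switch that carry the tenant's private LAN.
! VLAN numbers, interface names and description text are assumptions.
vlan 300
 name VlanC-private-LAN
!
! An otherwise unused VLAN reserved as the native VLAN, so untagged frames
! cannot land in a tenant VLAN (mitigates double-tagging VLAN hopping).
vlan 999
 name native-unused
!
interface range GigabitEthernet1/0/1 - 2
 description trunks to tenant private LAN switches (VlanC inside)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 300
 no cdp enable
 spanning-tree guard root
 storm-control broadcast level 1.00
!
! Every other port on the public switch: access mode, no DTP, one tenant
! VLAN only, so no port can negotiate itself into a trunk.
interface GigabitEthernet1/0/3
 description tenant public /30 handoff
 switchport mode access
 switchport access vlan 110
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
```

`show interfaces trunk` and `show vlan brief` confirm that only VLAN 300 is allowed on the two trunks and that no other port has become a trunk. Note what this does and does not buy you: it keeps traffic from crossing between VLANs on a healthy switch, but if the switch itself is compromised the private LAN's frames are still passing through it in the clear, which is the risk the rest of the thread is about.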
Okay, I think I follow now.
So you are simply connecting two private LANs for the same tenant together, but via the public switch, which is on the other side of the firewall.
In which case it comes down to how secure VLANs are at segregating traffic, and the answer depends on who you ask :)
But if I understand correctly, no one from the Internet can route to the private LANs because they are on private IPs, so they would still have to go via the public IPs, which means they would have to go via the firewall.
In which case I would personally not worry too much, as the only risk I can see is if the switch itself is compromised, which is unlikely I would have thought.
If I have misread the diagram then by all means clarify.
Thanks for the replies, Jon. It's not really two private LANs; it would be the same LAN using the public switch for more switch ports.
And yes, the LAN in question would go through the FW for any public access/NAT.
I would do everything to keep the switch from being compromised, of course, since it's directly on the Internet. But in the event it was ever compromised, each public Vlan could lose connectivity or suffer some other malicious situation, but every single one of those private LANs' data would be protected by their own firewalls, and this one Vlan would be passing unprotected and unencrypted data across the compromised switch.
To me that seems like enough of a risk that an engineer would not design this in a customer's network. It also seems that no customer would want their unencrypted private data flowing across a public switch connected directly to the Internet.
I always ask myself if I would do that to my own network/data. In this case I would not. Would you?
Yes, if the switch was compromised the data is not being protected by a firewall.
And personally speaking I would not design it this way if given the choice, and if you have the choice then I would say don't do it.
But then you don't always have the choice so asking yourself whether you would do it or not is sometimes irrelevant.