VLAN security

mmalitsky
Level 1

In my data center, I have a need for multiple logical LANs - one to connect the routers on the private side of the firewall, one to connect the routers on the DMZ side of the firewall, one to connect the active and standby firewalls, etc. I have been using a Cat4000 segmented into VLANs instead of multiple physical switches. A potential concern is that DMZ and private side VLANs (public side is completely isolated) are coexisting on the same device, and could somehow be bridged. Is this concern valid? Could the VLAN configuration be enhanced to alleviate the concerns or is multiple devices the only way? I am about to migrate from the Cat4000 to a 6509 and want to set it up correctly the first time.

Thanks

1 Reply

johansens
Level 4

As long as you have total control over all directly connected units and at least configured your switch correctly for all the connected interfaces, there should not be any problems with this.

The only feasible way to attack a 'pure' switch is by manipulating the frames sent from a host to attain a higher level of trust in a badly configured switch.

Of course, if you are totally paranoid, the most secure option is to separate the DMZs (including the outside towards the internet) onto separate switches... I know many do this also for ease... Many use a hub in front to allow for easy sniffing/checking of the internet traffic... the 6509 has support for monitor sessions (but only a very limited number), but it's sometimes a hassle to do the right allocations (especially if you have a large network and many supporting engineers working)...

All in all I would say it's safe in principle, but take care to configure your switch and supporting layer 3 units correctly to avoid security breaches. :)

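The reply's advice boils down to "configure every connected interface deliberately", which is easy to state and easy to miss on a chassis with hundreds of ports. The script below is an added example, not code from either poster or from Cisco: a small audit that walks an IOS-style running-config and flags the interface settings most often behind VLAN hopping between segments that share a switch (ports left to negotiate trunking via DTP, trunks on native VLAN 1 or carrying every VLAN, access ports left in VLAN 1, and VTP not set to transparent/off). The config text is constructed for this illustration, the interface names and VLAN numbers are made up, and it assumes the switch produces IOS-style `interface` blocks; an older CatOS 6509 would need a different parser.

```python
"""Audit an IOS-style running-config for the VLAN hardening gaps
discussed in this thread. Hypothetical tool; sample config is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one clean inside port, one DMZ port missing
# 'nonegotiate', one wide-open trunk, one untouched port, one shut port.
SAMPLE_CONFIG = """!
hostname dc-core-1
!
vtp mode transparent
!
vlan dot1q tag native
!
interface GigabitEthernet1/1
 description inside router (private side of firewall)
 switchport
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 description DMZ router
 switchport
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/3
 description trunk to distribution switch
 switchport
 switchport mode trunk
!
interface GigabitEthernet1/4
 switchport
!
interface GigabitEthernet1/5
 switchport
 shutdown
!
"""

Finding = Tuple[str, str]  # (interface name or "global", message)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from IOS-style config text.
    A block starts at 'interface X' and ends at the first unindented line."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks


def audit_interface(name: str, lines: List[str]) -> List[Finding]:
    """Flag L2 settings that let one port reach VLANs it should not."""
    cmds = set(lines)
    findings: List[Finding] = []
    if "shutdown" in cmds:
        return findings  # administratively down: carries no frames
    if not any(l == "switchport" or l.startswith("switchport ") for l in lines):
        return findings  # routed port, outside these L2 checks
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "trunk":
        if not any(l.startswith("switchport trunk native vlan ") for l in lines):
            findings.append((name, "trunk uses native VLAN 1; move native VLAN to an unused VLAN"))
        if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
            findings.append((name, "trunk carries all VLANs (DMZ and private on one link); prune with 'switchport trunk allowed vlan'"))
    else:
        if mode is None or mode == "dynamic":
            findings.append((name, "no fixed mode; DTP may negotiate a trunk: set 'switchport mode access'"))
        elif "switchport nonegotiate" not in cmds:
            findings.append((name, "DTP still enabled on access port; add 'switchport nonegotiate'"))
        if not any(l.startswith("switchport access vlan ") for l in lines):
            findings.append((name, "access port left in VLAN 1; assign a dedicated VLAN or shut it down"))
    return findings


def audit_global(config: str) -> List[Finding]:
    """A VTP server in the domain can rewrite the VLAN database; insist on transparent/off."""
    if re.search(r"^vtp mode (transparent|off)\s*$", config, re.M):
        return []
    return [("global", "VTP not transparent/off; a misconfigured VTP server could alter VLANs")]


def audit(config: str) -> List[Finding]:
    findings = audit_global(config)
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(SAMPLE_CONFIG):
        print(f"{iface:22} {msg}")
```

Run against the constructed config it reports nothing for the fully specified inside port or the shut port, one finding for the DMZ port, two for the open trunk and two for the untouched port; feed it the real `show running-config` output instead of `SAMPLE_CONFIG` to get the same list for a live chassis.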