This sounds like it's only a concern on multiple-switch setups using
trunks for VLAN communication? In my example, everything is routed
through one switch... probably bypassing this problem.
- bdf
On Sat, 2001-12-22 at 08:41, dan hopkins wrote:
>
> VLAN hopping is something to worry about:
> http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
>
> obviously, high performance switching is expen$ive.
> consider the needed throughput of the different segments where the core of
> your net may connect up to the gateway/dmz via a Big CAT[tm], but you could
> use a non-vlan capable Smaller(Cheaper) Switch[tm] between the router and
> firewall (in the DMZ) to achieve the Air Gap you desire.
>
> -hop
>
> on 2001-12-21 11:12 -0800, Dave Spencer <dspencer@nightfall.forlorn.net> wrote:
> >
> > It's really a matter of "how much do I trust VLAN separation" and
> > "how secure do I need these zones to stay", so if you really want to, I
> > could see it acceptable to combine an external network and a DMZ on the
> > same physical switch (different VLANs) - but I'd really shy away from
> > combining a firewall-external network and a firewall-internal network
> > on the same switch. So, given the path you described, that might lead
> > to perhaps one switch shared between your external network and your DMZ,
> > and another between (firewall<->balancers) and (balancers<->servers)
> > networks. Cuts the number of switches in half while hopefully not
> > committing any egregious security mistakes.
> >
> > -Dave
> >
>
> --
>
> x x . o (( s/[^_0-9a-zA-Z]/42/g ))
> \___/
> ~
>
>
>
>
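The "VLAN hopping" hop refers to (and the linked SANS FAQ describes) is, in its double-tagging form, a frame carrying two 802.1Q tags sent from an access port whose VLAN is also the native VLAN of a trunk. The following is an added example, not code from the thread or from the FAQ: it builds such a frame and pushes it through a simplified two-switch model to show when the outer tag is stripped on the trunk and the inner tag ends up classifying the frame on the far switch, and how tagging the native VLAN or moving it to an unused VLAN changes the outcome. The switch behaviour modelled (access-port tag acceptance, untagged native VLAN on trunk egress) is an assumption for illustration, and the MAC addresses and payload are constructed.

```python
"""Model of 802.1Q double-tagging ("VLAN hopping") across two switches.

Added example; not from the original thread or the SANS FAQ it links.
The switch behaviour is a simplifying assumption:
  - access port: accepts untagged frames (classified into the access VLAN)
    and tagged frames whose outer VID equals the access VLAN; drops others.
  - trunk egress: frames in the trunk's native VLAN leave untagged unless
    the switch is configured to tag the native VLAN.
  - trunk ingress: untagged frames are classified into the native VLAN,
    tagged frames by their outermost tag.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800


def build_frame(dst, src, vids, ethertype=ETH_P_IP, payload=b""):
    """Ethernet II frame with zero or more 802.1Q tags, outermost first."""
    hdr = bytes(dst) + bytes(src)
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """VIDs carried by the frame, outermost first."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Minimal switch with one access port and one trunk (hypothetical model)."""

    def __init__(self, native_vlan=1, tag_native=False):
        self.native_vlan = native_vlan
        self.tag_native = tag_native

    def access_ingress(self, frame, access_vlan):
        vids = parse_tags(frame)
        if not vids:
            return push_tag(frame, access_vlan)
        if vids[0] == access_vlan:
            return frame
        return None  # tagged for some other VLAN: dropped at the access port

    def trunk_egress(self, frame):
        if parse_tags(frame)[0] == self.native_vlan and not self.tag_native:
            return pop_tag(frame)  # native VLAN leaves the trunk untagged
        return frame

    def trunk_ingress(self, frame):
        return frame if parse_tags(frame) else push_tag(frame, self.native_vlan)

    def vlan_of(self, frame):
        return parse_tags(frame)[0]


def attacker_frame(outer_vid, target_vid):
    attacker = bytes.fromhex("0242ac110002")  # constructed MAC
    victim = bytes.fromhex("ffffffffffff")    # broadcast
    return build_frame(victim, attacker, [outer_vid, target_vid], payload=b"hop")


def hop(sw_a, sw_b, attacker_access_vlan, outer_vid, target_vid):
    """Double-tagged frame from an access port on sw_a, over the trunk, into sw_b.
    Returns the VLAN sw_b delivers it into, or None if sw_a dropped it."""
    frame = sw_a.access_ingress(attacker_frame(outer_vid, target_vid), attacker_access_vlan)
    if frame is None:
        return None
    frame = sw_b.trunk_ingress(sw_a.trunk_egress(frame))
    return sw_b.vlan_of(frame)


def same_switch(sw, attacker_access_vlan, outer_vid, target_vid):
    """Same frame, victim on the same switch: no trunk is crossed, so no tag is stripped."""
    frame = sw.access_ingress(attacker_frame(outer_vid, target_vid), attacker_access_vlan)
    return None if frame is None else sw.vlan_of(frame)


if __name__ == "__main__":
    print(hop(Switch(1), Switch(1), 1, 1, 20))           # default native VLAN 1: lands in 20
    print(hop(Switch(1, True), Switch(1, True), 1, 1, 20))  # native VLAN tagged: stays in 1
    print(hop(Switch(999), Switch(999), 10, 10, 20))     # unused native VLAN: stays in 10
    print(hop(Switch(999), Switch(999), 10, 999, 20))    # outer tag != access VLAN: dropped
    print(same_switch(Switch(1), 1, 1, 20))              # no trunk crossed: stays in 1
```

The two mitigations exercised are the ones normally recommended for this attack: tag the native VLAN on trunks, or make the native VLAN an unused VLAN so no access port shares it; either way the outer tag is never stripped and the inner tag is just payload to the far switch.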
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:26 EDT