On Fri, Dec 21, 2001 at 01:25:34PM -0500, Brian DeFeyter wrote:
> On Fri, 2001-12-21 at 12:44, Zhang, Anchi wrote:
> > That is what I have been doing using 6506 and 6509. Some people have
> > advised that the switch with an external and/or DMZ vlan should not have
> > any internal vlan for security reasons and I have followed that advise.
> >
> Yeah, I would agree with that.. I'm mostly looking at the external
> portion for this. If anyone else has any comments, I'd like to hear
> them.
I personally subscribe to the "air gap" school of separate switches for
absolute security ... I know I'll never have enough time to go back and
make sure that nothing has gone wrong with an "oh, it'll be *pretty* secure"
solution. :) In our enterprise network, we have external/DMZ networks
implemented generally on 29xx/35xx 24-port switches before we get fully
inside the firewall to the 4/5/6500s.
It's really a matter of "how much do I trust VLAN separation" and
"how secure do I need these zones to stay", so if you really want to, I
could see it acceptible to combine an external network and a DMZ on the
same physical switch (different VLANs) - but I'd really shy away from
combining a firewall-external network and a firewall-internal network
on the same switch. So, given the path you described, that might lead
to perhaps one switch shared between your external network and your DMZ,
and another between (firewall<->balancers) and (balancers<->servers)
networks. Cuts the number of switches in half while hopefully not
committing any egregious security mistakes.
-Dave
-- Dave Spencer KF6PKU "If USENET is anarchy, IRC is a paranoid dspencer@forlorn.net schizophrenic after 6 days on speed." http://www.forlorn.net/~dspencer/ - Saundo, in the monastery.
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:58 EDT