VLAN hopping is something to worry about:
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm
obviously, high performance switching is expen$ive.
consider the needed throughput of the different segments where the core of
your net may connect up to the gateway/dmz via a Big CAT[tm] but you could
use a non-vlan capable Smaller(Cheaper) Switch[tm] between the router and
firewall (in the DMZ) to achieve the Air Gap you desire.
-hop
on 2001-12-21 11:12 -0800, Dave Spencer <dspencer@nightfall.forlorn.net> wrote:
>
> It's really a matter of "how much do I trust VLAN separation" and
> "how secure do I need these zones to stay", so if you really want to, I
> could see it acceptable to combine an external network and a DMZ on the
> same physical switch (different VLANs) - but I'd really shy away from
> combining a firewall-external network and a firewall-internal network
> on the same switch.  So, given the path you described, that might lead
> to perhaps one switch shared between your external network and your DMZ,
> and another between (firewall<->balancers) and (balancers<->servers)
> networks.  Cuts the number of switches in half while hopefully not
> committing any egregious security mistakes.
>
> -Dave
>
--x x . o (( s/[^_0-9a-zA-Z]/42/g )) \___/ ~
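The VLAN hopping that hop points at (the 802.1Q double-tagging variant described in the SANS FAQ) is easy to reason about with a small simulation. The following is an added example, not code from hop, Dave, or the SANS page; the MAC addresses, VLAN numbers and the two "switch" functions are constructed for illustration, and only the frame layout (dst, src, stacked 0x8100 tags, ethertype, payload) is real 802.1Q. It builds a double-tagged frame, models a trunk that sends native-VLAN traffic untagged, and shows why the choice of native VLAN decides whether the inner tag ever reaches the far switch.

```python
"""Simulate 802.1Q double-tagging ("VLAN hopping") and show how the native
VLAN choice decides whether the inner tag ever reaches the trunk.

Added example; not code from the list post or the SANS FAQ it links.
All MAC addresses, VLAN IDs and the "switch" functions are constructed for
illustration.  Frame layout follows IEEE 802.1Q: dst(6) src(6) [0x8100 TCI]*
ethertype(2) payload.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses: an attacker host and a victim on another VLAN.
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, vlan_ids, payload, ethertype=ETHERTYPE_IPV4):
    """Build an Ethernet frame carrying zero or more stacked 802.1Q tags.

    vlan_ids is outermost first; priority/CFI bits are left at zero.
    """
    frame = dst + src
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (vlan_ids outer-first, inner ethertype, payload)."""
    off = 12
    vids = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != ETHERTYPE_8021Q:
            return vids, etype, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def trunk_egress(frame, native_vlan, tag_native=False):
    """Model a switch forwarding a frame out an 802.1Q trunk.

    Standard behaviour: traffic belonging to the trunk's native VLAN is sent
    untagged, so a frame whose outer tag equals the native VLAN loses that tag.
    With tag_native=True (Cisco 'vlan dot1q tag native' style), the native
    VLAN is tagged like any other and nothing is stripped.
    """
    vids, _, _ = parse_tags(frame)
    if vids and vids[0] == native_vlan and not tag_native:
        return frame[:12] + frame[16:]   # drop the 4-byte outer tag
    return frame


def delivered_vlan(frame, native_vlan):
    """VLAN the downstream switch assigns to a frame received on its trunk:
    the outer tag if present, otherwise the native VLAN."""
    vids, _, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def is_double_tagged(frame):
    """Detection check for an access port: more than one 802.1Q tag on an
    ingress frame is never legitimate from an end host."""
    return len(parse_tags(frame)[0]) > 1


def hop_result(attacker_vlan, target_vlan, native_vlan, tag_native=False):
    """Run the double-tagging attempt end to end and report the VLAN the
    victim-side switch delivers the frame into."""
    crafted = build_frame(VICTIM_MAC, ATTACKER_MAC,
                          [attacker_vlan, target_vlan], b"hello")
    on_wire = trunk_egress(crafted, native_vlan, tag_native)
    return delivered_vlan(on_wire, native_vlan)


if __name__ == "__main__":
    # Weak: attacker sits in VLAN 1, trunk native VLAN is also 1 -> inner tag wins.
    print("native=1   ->", hop_result(1, 20, native_vlan=1))
    # Hardened: unused native VLAN, so the outer tag survives -> stays in 1.
    print("native=999 ->", hop_result(1, 20, native_vlan=999))
    # Hardened: native VLAN tagged on the trunk -> stays in 1.
    print("tag native ->", hop_result(1, 20, native_vlan=1, tag_native=True))
```

The attack only works when the attacker's port is in the trunk's native VLAN, which is why the usual mitigations are to move the native VLAN to an otherwise unused ID, to tag the native VLAN on trunks (on Cisco IOS, `switchport trunk native vlan 999` and `vlan dot1q tag native`, cited here as the well-known commands rather than anything from the post), and to keep user-facing ports out of trunk negotiation (`switchport mode access` plus `switchport nonegotiate`). None of that helps across a firewall boundary that shares a switch with the outside, which is the point both posters are making: a separate, non-VLAN switch needs no such configuration to get right.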
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:58 EDT