[DISCUSS] security implications of dmz and vlan

Darrin Chandler dwchandler at stilyagin.com
Fri Feb 2 08:00:05 MST 2007


On Thu, Feb 01, 2007 at 11:34:53PM -0700, Joseph Sinclair wrote:
> The Cisco 4506 is a seriously capable switch system.  Your VLAN setup on that unit will be well segregated.
> The tricky part is getting the VLANs talking to each other, but ONLY through the tunnels you establish (so an attacker cannot easily compromise everything just by getting into the DMZ).
> 
> The way I would /usually/ do this is to set up everything to allow access to the CISCO firewall (or preferably some other internal router), then set up the router/firewall to route traffic from certain machines on certain ports to certain other machines on certain other ports (or from an internal network, say for desktops, to the firewall/internet).
> Since the 4506 is a router itself you can set up the cross-VLAN links in the switch if you choose, although that's not always the most secure choice.

Yes, I think an outside firewall/router makes the most sense here. Let
the seriously capable switch be seriously capable at separating the
VLANs and let the router do the routing. I, too, would prefer another
router than the edge router for this job. A fairly cheap machine
(repurposed?) with high quality NICs can route a LOT of packets.

The whole idea here being to keep the simple parts separate and simple,
rather than combining them into something more complex and prone to
error. Do everything on the 4506 and a fat-fingered config can leave you
in a bad way.

-- 
Darrin Chandler                   |  Phoenix BSD Users Group
dwchandler at stilyagin.com          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/  |
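As an added illustration of the "explicit tunnels, deny everything else" policy discussed above (not part of either poster's message), here is a pf.conf fragment for the kind of separate BSD router Darrin suggests, with the 4506 trunking the VLANs to it as tagged sub-interfaces. Interface names, addresses and ports are assumed values chosen for the example.

```pf
# Added example (not from the thread): inter-VLAN policy for a separate
# BSD router running pf. The 4506 trunks three VLANs to one NIC on the
# router; each appears here as a tagged sub-interface. Names, addresses
# and ports are assumed values for illustration.
dmz_if   = "vlan10"      # DMZ: public-facing web server
srv_if   = "vlan20"      # internal servers (database)
desk_if  = "vlan30"      # desktops
ext_if   = "em0"         # toward the edge router / Internet

web_srv  = "192.0.2.10"
db_srv   = "10.20.0.5"
desk_net = "10.30.0.0/24"
# Negating a table is safe in pf; negating a { list } is not.
table <inside> const { 192.0.2.0/24, 10.20.0.0/24, 10.30.0.0/24 }

set skip on lo0
set block-policy drop

# Default deny on every interface, in both directions, logged for review.
# Every cross-VLAN flow has to be named explicitly below.
block log all

# Firewall management: SSH from the desktop VLAN only, to the firewall's
# own address on that VLAN.
pass in on $desk_if proto tcp from $desk_net to ($desk_if) port 22

# The single "tunnel" from the DMZ inward: web server -> database port.
# pf states float across interfaces by default, so this one rule also
# lets the packet leave on $srv_if and the replies come back; no rule
# lets a DMZ host initiate anything else toward $srv_if or $desk_if.
pass in on $dmz_if proto tcp from $web_srv to $db_srv port 5432 \
    flags S/SA modulate state

# Desktops -> DMZ web service, and desktops -> Internet, but not to the
# other internal VLANs (the table excludes every inside network).
pass in on $desk_if proto tcp from $desk_net to $web_srv port { 80, 443 }
pass in on $desk_if from $desk_net to !<inside>

# Inbound from the Internet: only the published web service in the DMZ.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state
```

A fat-fingered change here still only affects the router, and `pfctl -nf /etc/pf.conf` will refuse a syntactically broken ruleset before it is loaded.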

