Delurking for this one.

VLANs within a switching fabric should not usually be trusted as secure separation devices between zones of trust. While most of the known VLAN hopping/smashing mechanisms depend on items that can be handled with appropriate switch configuration, the possibility/probability of unknown ones (how many IOS vulnerabilities have appeared in the last few months?) should give one pause in doing so.

In reality, I'm uncertain what you are trying to accomplish - your physically separate switches with the firewall performing access control and routing seems more secure - so I'll stick with finishing the VLAN question for now.

Cisco has some good info on locking down their switches, and of course looking up the Yersinia VLAN hopping tool papers and their recommendations can help to lock down the switches to the point where you can somewhat "trust" them to do what you are asking. The gist will be that you have to explicitly configure every single port on the switch (some commands can be run once for all ports, some can't) to be host ports, not trunk ports, and turn off all unnecessary dynamic services (where have we heard that refrain :-) like Dynamic Trunking Protocol, CDP, VTP, etc.

Side note: Outside and DMZ are in similar zones of trust, the latter slightly more protected. Inside is a completely different zone of trust. My take is, if possible, to group not just layer 3 but layer 2 for separation, because you don't know what you don't know.

Randy Melder wrote:
> Your VLANs are supposed to be on different subnets, so the setup seems
> legit. I don't know of any Layer 2 holes under this scenario. Now the
> issue is ACLs in your FW/Router. Are they tight? Layer 3 is where you're
> going to have all your security issues.
>
> On 1/31/07, *Darrin Chandler* wrote:
> >
> > On Wed, Jan 31, 2007 at 05:38:44PM -0600, JT Moree wrote:
> > > Does anyone know enough about VLANs on a Cisco Catalyst 4506 switch to explain
> > > the security implications of this setup:
> > >
> > > 2 VLANs
> > > VLAN 1 - internal servers
> > > VLAN 2 - DMZ
> > >
> > > Given that the DMZ is to keep the DMZ servers separated from the internal
> > > network, would this be a secure setup? Are there any holes in the VLAN
> > > architecture that would make this a BAD idea?
> > >
> > > One caveat: right now we have a Cisco firewall which routes between two
> > > different switches for DMZ and internal. I realize a breach in Cisco security
> > > would be a problem in BOTH situations.
> >
> > Seems that you already understand the issues. ;) The VLAN stuff *should* be
> > fine, really.
> >
> > But how are you going to route stuff between the VLANs? Still need a
> > router after all?
> >
> > --
> > Darrin Chandler | Phoenix BSD Users Group

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
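As an added example (not code from the thread or from Cisco), here is a small audit script for the "explicitly configure every single port" advice above. It parses an IOS-style running-config and flags ports that were left to DTP negotiation, trunks that were never locked down, and global CDP/VTP settings. The sample config is constructed for the example; the hardening commands it looks for (switchport mode access, switchport nonegotiate, no cdp enable / no cdp run, vtp mode transparent) are standard Catalyst IOS syntax. It also goes slightly beyond what the post lists by flagging trunks whose native VLAN is left at 1, trunks that allow every VLAN, and host ports without BPDU guard; the port names, descriptions and VLAN numbers are assumptions, not anything from the original setup.

```python
import re

# Constructed sample excerpt of a Catalyst "show running-config" (not taken
# from any real device). Gi1/1 is hardened the way the post describes,
# Gi1/2 was never explicitly configured, Gi1/3 is a trunk left at defaults.
SAMPLE_CONFIG = """\
!
vtp mode transparent
no cdp run
!
interface GigabitEthernet1/1
 description internal server (hardened host port)
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 description dmz server (never configured)
 switchport access vlan 20
!
interface GigabitEthernet1/3
 description uplink to firewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
end
"""


def parse_config(text):
    """Split an IOS-style config into global commands and per-interface
    command lists. Interface sub-commands are indented by one space and a
    bare '!' (or any unindented line) ends the block."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and not line.startswith("!"):
                global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text):
    """Return (scope, finding) tuples for settings that leave the switch
    open to the DTP/CDP/VTP-based tricks discussed in the thread."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    cdp_global_off = "no cdp run" in global_cmds
    if not cdp_global_off:
        findings.append(("global", "CDP enabled globally"))
    if not any(re.match(r"vtp mode (transparent|off)$", g) for g in global_cmds):
        findings.append(("global", "VTP not set to transparent/off"))
    for name, cmds in interfaces.items():
        if "switchport mode access" in cmds:
            # Host port: DTP must also be silenced, and a rogue BPDU should
            # err-disable the port rather than let a host join the STP tree.
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "access port still speaks DTP"))
            if "spanning-tree bpduguard enable" not in cmds:
                findings.append((name, "no BPDU guard on host port"))
        elif "switchport mode trunk" in cmds:
            native = next((c for c in cmds
                           if c.startswith("switchport trunk native vlan ")), None)
            if native is None or native.endswith(" 1"):
                findings.append((name, "trunk native VLAN is 1"))
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "trunk allows all VLANs"))
        else:
            findings.append((name, "switchport mode not set; DTP may negotiate a trunk"))
        if not cdp_global_off and "no cdp enable" not in cmds:
            findings.append((name, "CDP enabled on port"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Run it against the output of "show running-config" saved to a file (replace SAMPLE_CONFIG with the file's contents). The checks are intentionally literal string matches on the commands the post names, so a config that uses an interface-range or a port template will still need each resulting port to show the commands explicitly; the script only trusts what is actually written on the port.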