Your VLANs are supposed to be on different subnets, so the setup seems legit. I don't know of any Layer 2 holes under this scenario. Now the issue is ACLs in your FW/Router. Are they tight? Layer 3 is where you're going to have all your security issues.

On 1/31/07, Darrin Chandler <dwchandler@stilyagin.com> wrote:
On Wed, Jan 31, 2007 at 05:38:44PM -0600, JT Moree wrote:
> Does anyone know enough about VLANs on a Cisco Catalyst 4506 switch to explain
> the security implications of this setup:
>
> 2 VLANs
>  VLAN 1 - internal servers
>  VLAN 2 - DMZ
>
> Given that the DMZ is to keep the DMZ servers separated from the internal
> network would this be a secure setup?  Are there any holes in the VLAN
> architecture that would make this a BAD idea?
>
> One caveat. Right now we have a Cisco firewall which routes between two
> different switches for DMZ and internal. I realize a breach in Cisco security
> would be a problem in BOTH situations.

Seems that you already understand the issues. ;) The VLAN stuff *should* be
fine, really.

But how are you going to route stuff between the VLANs? Still need a
router after all?

--
Darrin Chandler                   |  Phoenix BSD Users Group
dwchandler@stilyagin.com          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/  |

--
http://spindomains.us/
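Added example, not from anyone in the thread: an IOS-style configuration sketch of the layout being discussed, with the 4506 carrying both VLANs at Layer 2 only and the firewall/router being the single Layer 3 path between them, plus the kind of tight inbound ACL the reply at the top is asking about. Subnets (10.0.1.0/24 internal, 10.0.2.0/24 DMZ), interface numbers, host addresses and the permitted service ports are assumptions chosen for illustration.

```cisco
! --- Catalyst 4506: Layer 2 only between VLAN 1 and VLAN 2 ---
! Assumed addressing: internal 10.0.1.0/24 on VLAN 1, DMZ 10.0.2.0/24 on VLAN 2.
vlan 2
 name DMZ
!
! No IP on the DMZ SVI: if the switch itself routes between the two VLANs,
! traffic never reaches the firewall and its ACLs are bypassed.
interface Vlan2
 no ip address
 shutdown
!
! DMZ host port (assumed Gi2/1): fixed access port with trunk negotiation
! disabled, so a compromised DMZ host cannot negotiate a trunk and tag
! frames for VLAN 1.
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate
 spanning-tree portfast
!
! Firewall-facing ports, one access port per VLAN (assumed Gi2/47, Gi2/48)
interface GigabitEthernet2/47
 switchport mode access
 switchport access vlan 1
 switchport nonegotiate
interface GigabitEthernet2/48
 switchport mode access
 switchport access vlan 2
 switchport nonegotiate

! --- Firewall/router between the VLANs (IOS ACL syntax, assumed) ---
! Inbound on the DMZ interface: permit only the flows the DMZ hosts need
! toward the inside (assumed: web server 10.0.2.10 to DB 10.0.1.20 on
! TCP/1433 and to an internal DNS server 10.0.1.5 on UDP/53), deny and log
! everything else DMZ -> internal, then let the DMZ reach anything else.
ip access-list extended DMZ-IN
 permit tcp host 10.0.2.10 host 10.0.1.20 eq 1433
 permit udp host 10.0.2.10 host 10.0.1.5 eq 53
 deny   ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255 log
 permit ip 10.0.2.0 0.0.0.255 any
!
interface GigabitEthernet0/1
 description DMZ (VLAN 2)
 ip address 10.0.2.1 255.255.255.0
 ip access-group DMZ-IN in
!
interface GigabitEthernet0/0
 description Internal (VLAN 1)
 ip address 10.0.1.1 255.255.255.0
```

To check that the only DMZ-to-internal path really is the firewall, confirm on the switch that `show ip interface brief` lists no up/up SVI with an address on the DMZ VLAN and that `show interfaces GigabitEthernet2/1 switchport` reports the port as static access with negotiation off; on the router, `show ip access-lists DMZ-IN` should show the `deny ... log` counter climbing when a DMZ host is pointed at anything in 10.0.1.0/24 other than the permitted flows. One caveat on the numbering in the original question: keeping the internal servers on VLAN 1 works, but VLAN 1 is also the default VLAN for every unconfigured port on the switch, so any spare port left at defaults lands on the internal segment rather than in the DMZ.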