[DISCUSS] security implications of dmz and vlan

Joseph Sinclair plug-discussion at stcaz.net
Thu Feb 1 23:34:53 MST 2007


The Cisco 4506 is a seriously capable switch system.  Your VLAN setup on that unit will be well segregated.
The tricky part is getting the VLANs talking to each other, but ONLY through the tunnels you establish (so an attacker cannot easily compromise everything just by getting into the DMZ).

The way I would /usually/ do this is to set up everything to allow access to the CISCO firewall (or preferably some other internal router), then set up the router/firewall to route traffic from certain machines on certain ports to certain other machines on certain other ports (or from an internal network, say for desktops, to the firewall/internet).
Since the 4506 is a router itself you can set up the cross-VLAN links in the switch if you choose, although that's not always the most secure choice.

An example:

VLAN 1:
Router (or firewall if no other router available)

VLAN 2 (DMZ):
DNS (why is this in the DMZ??  I would usually put this in VLAN 4)
Web
Other external services (SMTP bridgehead, VPN, etc...)

VLAN 3 (services):
Database servers
Web storage
Etc...

VLAN 4 (Internal):
User File servers
Directory/LDAP/Kerberos servers
Internal Applications
Internal Databases

VLAN 5 (Users):
Corporate Desktops

Communications Rules:
VLAN 1:
Firewall is permitted to connect to VLAN 2/DNS via port xxx (DNS ports)
Firewall is permitted to connect to VLAN 2/Web via ports 80 and 443
Firewall is permitted to connect to VLAN 2/SMTP via port 22 (for example)
Etc...

VLAN 2:
Web is permitted to connect to VLAN 4/(e.g. LDAP) via port xxx (LDAP TLS port)
Web is permitted to connect to VLAN 3/Database via port xxx (Database port)
Web is permitted to connect to VLAN 3/Web Storage via port xxx (iSCSI ports)
Etc...

VLAN 3:
All permitted to connect to VLAN 4/(e.g. LDAP) via port xxx (LDAP TLS port)
All permitted to connect to VLAN 2/(DNS) via port xxx (DNS ports)

VLAN 4:
All permitted to connect to VLAN 2/(DNS) via port xxx (DNS ports)

VLAN 5:
All machines can connect to VLAN 4 servers on ports (x,y,z,etc...) (as needed for services)
All permitted to connect to VLAN 2/(DNS) via port xxx (DNS ports) (again, why isn't this in VLAN 4?)
All permitted to connect to VLAN 1/Firewall via ports 80 and 443 (route to external web services)
All permitted to connect to VLAN 2/Web via ports 80 and 443 (Intranet)

The rules are incomplete, but they're enough to get the idea.

JT Moree wrote:
> JT Moree wrote:
>>> Does anyone know enough about VLANs on a Cisco Catalyst 4506 switch to explain
>>> the security implications of this setup:
> 
> More info to throw around and some answers to half posed questions . . .
> 
> No money is allocated to do anything new (except maybe gigabit NICS in a
> few servers).  We want to maximize use of the equipment that we have.
> 
> We have multiple 100M switches but one is failing.  Since we can't keep
> using it and none of the other switches are gigabit (to my knowledge) we
> want to use the CISCO gigabit switch for as many servers as possible.
> Right now the backup servers are using it to sync with each other.
> 
> The thing is huge.  It's got 3 banks of 32 ports.  We've got 17+ dmz
> servers and a handful of internal servers.
> 
> The DNS and web servers are in the DMZ so yes the internal network needs
> to get to them.
> 
> The backup servers also need to get to them.
> 
> There is a cisco firewall somewhere connecting the networks and the 'net.
> 
> it seems the popular consensus is
>   don't use VLANS that talk to each other if it can be avoided.
> 
> --
> JT Moree
> PC Xperience, Inc.

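As an added example (not part of the thread or of any Cisco configuration), here is a small Python model of the "Communications Rules" above, evaluated default-deny, so the blast radius of a compromised DMZ host can be checked before the rules are typed into the 4506 or the firewall. Host names, VLAN numbers and every port written as "xxx" in the post are assumptions; port 22 for SMTP is kept as the post's own "for example" value.

```python
# Default-deny inter-VLAN policy model for the five-VLAN layout in the post.
# Host names and port numbers are illustrative assumptions, not the poster's.
from collections import namedtuple

Rule = namedtuple("Rule", "src_vlan src_host dst_vlan dst_host ports")
ANY = "*"  # matches any host in that VLAN

# Transcribed from the "Communications Rules" section; ports are assumed
# wherever the post writes "xxx".
RULES = [
    Rule(1, "firewall", 2, "dns", {53}),
    Rule(1, "firewall", 2, "web", {80, 443}),
    Rule(1, "firewall", 2, "smtp", {22}),        # post's "for example" port
    Rule(2, "web", 4, "ldap", {636}),            # LDAP over TLS
    Rule(2, "web", 3, "database", {5432}),       # assumed database port
    Rule(2, "web", 3, "webstorage", {3260}),     # iSCSI
    Rule(3, ANY, 4, "ldap", {636}),
    Rule(3, ANY, 2, "dns", {53}),
    Rule(4, ANY, 2, "dns", {53}),
    Rule(5, ANY, 4, ANY, {88, 389, 445}),        # "ports (x,y,z)" assumed
    Rule(5, ANY, 2, "dns", {53}),
    Rule(5, ANY, 1, "firewall", {80, 443}),
    Rule(5, ANY, 2, "web", {80, 443}),
]


def permitted(src_vlan, src_host, dst_vlan, dst_host, port, rules=RULES):
    """True only if an explicit rule allows the flow (anything else is denied).
    Traffic inside one VLAN never crosses the router, so it is assumed allowed."""
    if src_vlan == dst_vlan:
        return True
    return any(
        r.src_vlan == src_vlan and r.src_host in (ANY, src_host)
        and r.dst_vlan == dst_vlan and r.dst_host in (ANY, dst_host)
        and port in r.ports
        for r in rules
    )


def exposure(src_vlan, src_host, rules=RULES):
    """Blast radius: every (vlan, host, port) a compromised host could reach
    across VLAN boundaries. A DMZ host should yield a short, specific list."""
    reach = set()
    for r in rules:
        if r.src_vlan == src_vlan and r.src_host in (ANY, src_host):
            reach.update((r.dst_vlan, r.dst_host, p) for p in r.ports)
    return sorted(reach)
```

Running `exposure(2, "web")` lists only the three back-end services the web server needs, and `exposure(2, "smtp")` is empty, which is the property the post is after: a foothold in the DMZ does not reach the user or internal VLANs.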