VLAN's & DMZ's
Posted on April 5, 2005, 6:34 pm
I understand that it is considered a less than 'best practice' to use
a few ports in a VLAN-able switch matrix to "logically" isolate a DMZ
from the private network. The better practice is to "physically"
isolate the DMZ by putting it on a completely separate piece of switch
hardware not related to the VLAN-able devices. I've reviewed some
white papers but none have been terribly specific about this. There
is a comment recommending the better practice in my GSEC study
material but no references beyond a year 2000 document alluding to
VLAN Hopping. Can any of you point me to a good source or two that
document good rationale for the better practice? It looks and sounds
perfectly logical to me - but that may not be forceful enough in this
Re: VLAN's & DMZ's
VLANs are *not* security constructs: they are management constructs.
Somewhere about 1996 people saw that they could put ACLs on them and thus
they started treating them as if they were security boundaries.
Ettercap renders all that rot practically meaningless.
However, it is considered to be best practice to implement VLANs of the same
security posture on the same switch. i.e., you don't have a highly secure
VLAN and a less secure VLAN on the same switch, because the lowest common
denominator is the security posture on that device. (in this case, less
Also, physical isolation implies that there will be no communications
between the two connected networks/devices. The US does this for DoD
networks by having a separate, highly secure classified network (SIPRNET)
and an internet connected (and therefore vulnerable) network called NIPRNET.
These networks are physically separated.
If you want the maximum amount of logical isolation, use packet filters on
the network edge, along with layer 7 aware firewalls. Use IPsec transport
mode to protect hosts on the inside and use L2TP/IPsec for VPN connectivity.
That's about as strong of a DiD approach on a network as current technology
provides. Beyond this, you start talking about extreme physical security,
and other methods...
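The VLAN hopping rationale the question and this reply refer to comes down to a few switch-port settings. As an added example (not from any poster in this thread), the following script audits an assumed Cisco IOS-style port configuration, with a constructed sample config, and flags the settings that let a DMZ host negotiate a trunk with the switch or share an untagged native VLAN with it:

```python
# Constructed IOS-style switch config (not from any real device): one port left in
# DTP negotiation mode, one trunk on native VLAN 1, and one hardened access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode dynamic auto
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
!
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [indented config lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_vlan_hopping(config):
    """Return {interface: [findings]} for settings behind trunk-negotiation VLAN hopping."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l for l in lines if l.startswith("switchport mode ")), "")
        if not mode or "dynamic" in mode:
            issues.append("DTP negotiation enabled: set 'switchport mode access' "
                          "(or 'trunk' on real uplinks) and 'switchport nonegotiate'")
        elif "switchport nonegotiate" not in lines:
            issues.append("DTP frames still sent: add 'switchport nonegotiate'")
        if mode.endswith(" trunk"):
            native = next((l for l in lines if l.startswith("switchport trunk native vlan ")),
                          "switchport trunk native vlan 1")  # IOS default is VLAN 1
            if native.split()[-1] == "1":
                issues.append("native VLAN 1 on trunk: move it to an unused VLAN id "
                              "and tag it ('vlan dot1q tag native')")
        if issues:
            findings[name] = issues
    return findings
```

Run it against a saved `show running-config` to list every port that still needs hardening; a port that comes back clean is one where a host cannot talk DTP to the switch, which is the precondition the 2000-era VLAN hopping write-ups rely on.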
Re: VLAN's & DMZ's
Steve Clark [MSFT] wrote:
Yes, this is true. Also the DOE and Air Force segment by security
levels...not that I would know or anything ;-)
There is more but, for what he is doing probably overkill...
"Microsoft isn't evil, they just make really crappy operating systems." -