DMZ and Vlans

I have a 3-interface PIX 515. The DMZ interface has one old switch attached to it, keeping it separate from the rest of my network. If I were to create a VLAN for it and attach it to my 6509 instead, so I can use DMZ VLAN ports on other switches throughout my network, are there additional security issues I need to be aware of?


vitripat Fri, 02/23/2007 - 13:32

In such cases you generally need to take care of attacks at layer 2, like VLAN hopping attacks, ARP spoof attacks, etc. As far as the PIX is concerned, the DMZ zone will still have the same restrictions as it had earlier.

Given that the switch is configured to prevent any layer 2 attacks (mainly VLAN hopping), there shouldn't be any issues.

Regards,

Vibhor.

sundar.palaniappan Fri, 02/23/2007 - 13:44

In addition to what Vibhor stated, the thing that I would consider more dangerous is broadcast storms.

If a host on the DMZ vlan is compromised and it starts generating a huge amount of broadcasts, the switches would have to forward the broadcasts out all DMZ vlan ports + trunk ports. This could create some serious problems as the trunks might get saturated with this malicious broadcast traffic, and I have seen quite a few situations where the network was brought to its knees because of excessive broadcasts.

If you can, you should physically separate DMZ from the inside network.

HTH

Sundar

I have gotten 2 great posts to this question so far, thank you much.

The problem I am trying to address is related to a new blade server rack. I need to put 2 of 8 servers on 1 enclosure on the DMZ, the rest need to be on my inside network. They are HP BL20p; the network switches on the enclosure are Cisco 371098-001. Are there any better solutions to making these available on the DMZ? I do not think I can make a whole shelf available just for my DMZ at this point. My Mars IPS system install is still some time away, so I really do not have good protection in place for those kind of attacks.

Correct Answer
sundar.palaniappan Fri, 02/23/2007 - 15:58

Daniel,

Actually, there are ways to mitigate the possible issues that we had brought up in the previous posts.

Broadcast Storms - Use storm control to suppress any excessive broadcasts.

ARP/MAC Spoofing - Configure switchport port security to prevent spoofed MAC addresses.

Vlan Hopping - I believe it only comes into play on trunk ports and hence this issue is highly unlikely to happen in your setup, as the server ports are probably access ports.

IMO, you can connect all the servers to the same card in the switch. Take all measures to secure the DMZ vlan from not only causing any disruptions to other vlans but between the devices in the DMZ vlan itself. You might want to consider using private vlans aka PVLANs or protected ports to mitigate the effects of one compromised server on the DMZ vlan from affecting the other one in the same vlan.

HTH

Sundar
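Sundar's three mitigations and Jon's trunk warning written out as a Cisco IOS configuration, as an added example that is not from any poster in this thread; the interface names, VLAN numbers 50/501/999 and the storm-control thresholds are assumed values and would need adjusting for a real enclosure switch and 6500.

```text
! --- Weak: a DMZ server port left at its defaults ---
interface GigabitEthernet1/1
 switchport access vlan 50
! DTP is still on (dynamic auto/desirable), no MAC limit, no storm limit:
! a compromised server can negotiate a trunk or flood the uplink.
!
! --- Hardened DMZ server port on the blade-enclosure switch ---
interface GigabitEthernet1/1
 description DMZ-server-1
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 storm-control broadcast level 1.00
 storm-control multicast level 2.00
 storm-control action trap
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Trunk from the blade switch to the 6500 ---
! Explicit VLAN list, an unused native VLAN, DTP off, and a storm limit so one
! VLAN cannot saturate the link that all the other VLANs share.
interface GigabitEthernet1/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,50
 storm-control broadcast level 5.00
 storm-control action trap
!
! --- Optional: private VLAN so DMZ servers cannot reach each other ---
! Requires VTP transparent mode; replaces the access-mode lines above.
vtp mode transparent
vlan 501
 private-vlan isolated
vlan 50
 private-vlan primary
 private-vlan association 501
interface GigabitEthernet1/1
 switchport mode private-vlan host
 switchport private-vlan host-association 50 501
interface GigabitEthernet2/1
 description to-PIX-DMZ-interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 50 501
```

The port-security violation mode and the storm-control percentages are the knobs to tune: `restrict` logs and drops rather than shutting the port, and a 1% broadcast ceiling is tight for a server port but is what stops a storm before it reaches the trunk.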

wilson_1234_2 Sat, 04/12/2008 - 10:11

Sundar,

Can you explain this as far as the switch forwarding all traffic out all vlan ports?

You are talking about all ports in the same vlan correct?

And not across vlans

Jon Marshall Sat, 04/12/2008 - 10:50

Richard

Not across vlans, but it is important to realise that trunk links do not guarantee bandwidth to any of its vlans. So if a machine in the DMZ vlan began a broadcast storm and that vlan was extended to other switches via trunk links, there is a very good chance, as Sundar says, that the trunk link could get flooded, which would have a knock-on effect on all the other vlans trunked across the link.

Jon

sundar.palaniappan Sat, 04/12/2008 - 14:46

Richard,

Jon has explained it well.

Your understanding is correct about the broadcasts staying within the same VLAN. However, a trunk carries traffic for all VLANs, including the affected VLAN, and therefore excessive broadcasts/traffic generated by one host in a VLAN could saturate the trunk and would end up affecting users in other VLANs as well.

HTH

Sundar

wilson_1234_2 Sat, 04/12/2008 - 18:23

Sundar,

I didn't forget about the other post, but could not get to it today.

I will try tomorrow to get your input.

I have a link to our DR site bridging a couple of subnets across a DS3 in addition to several routed subnets.

On the DR side, I need to migrate this to another router, while keeping the voice config on the router currently in place.

I just wanted to get your take on this.

Correct Answer
Jon Marshall Sat, 02/24/2007 - 02:20

Hi

I agree with what the other posters have said, but you do need to be careful with vlan hopping / tagging. As you are using a blade system you will have a trunk between your blade chassis switches and the 6500s. A compromised client does not need to have its NIC on a trunk port to compromise your internal network.

Attached is a link to a very useful doc about Vlan security from Cisco.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Overall as the others have said you can mitigate against these problems. One less technical issue is that you must also have very good change procedures in place. Because you are now using the same switches for internal and external traffic a slight mistake in the configuration can cause problems.

HTH

Jon
