07-18-2007 05:46 AM - edited 03-09-2019 06:24 PM
I wanted to throw this out there because this was a new one for me. My current company is bringing the internet connection of the router into the network. Then they have it VLAN'd off, and then it goes to a PIX. I've always read VLANs aren't secure. Has anyone seen this setup, or have thoughts on it?
07-18-2007 06:08 AM
It is very simple: VLANs are not secure, were never designed for that purpose, and should not be used in a security context.
It all depends on your requirements though, so if you MUST use it you need to configure the switches and trunk ports properly.
07-18-2007 06:22 AM
What do you mean by configured properly? Using ACLs?
07-18-2007 06:32 AM
There are many things you must think of, including:
* Disable all unused ports and place them in an unused VLAN.
* Never use VLAN 1 for users OR management OR as the native VLAN.
* Disable trunking mode on all user ports (switchport mode access).
* For backbone switch-to-switch connections, explicitly configure trunking.
* Do not use the user native VLAN as the trunk port native VLAN.
* Always use dedicated VLAN IDs for all trunk ports.
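As an added example (not from the original thread or any poster), here is a small audit script that reads an IOS-style switch configuration and checks it against the checklist above: access ports left in VLAN 1, ports without an explicit `switchport mode access`, trunks whose native VLAN is 1 or is shared with a user VLAN, and a management address on `interface Vlan1`. The configuration text is constructed for the example; interface names, VLAN numbers and the 192.0.2.2 address are made up.

```python
"""Audit a Cisco IOS-style switch config against the VLAN hardening checklist.

Added example. SAMPLE_CONFIG is a constructed configuration, not a real switch.
"""
from dataclasses import dataclass, field

# Constructed sample: a mix of compliant and non-compliant interfaces.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description user port, compliant
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description user port left at defaults (VLAN 1, dynamic trunking)
!
interface GigabitEthernet0/3
 description unused, shut down but still parked in VLAN 1
 shutdown
!
interface GigabitEthernet0/4
 description unused, parked in a dead VLAN
 switchport access vlan 999
 switchport mode access
 shutdown
!
interface GigabitEthernet0/22
 description uplink, dedicated native VLAN
 switchport trunk native vlan 900
 switchport mode trunk
 switchport trunk allowed vlan 10,900
!
interface GigabitEthernet0/23
 description uplink, native VLAN reused from the user VLAN
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/24
 description uplink, native VLAN left at the default
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.2 255.255.255.0
!
"""


@dataclass
class Port:
    name: str
    lines: list = field(default_factory=list)

    def has(self, prefix):
        return any(line.startswith(prefix) for line in self.lines)

    def value(self, prefix):
        # Return the text after the first matching command, or None.
        for line in self.lines:
            if line.startswith(prefix):
                return line[len(prefix):].strip()
        return None


def parse_interfaces(config):
    """Collect each 'interface X' block and its indented sub-commands."""
    ports, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Port(raw.split(None, 1)[1].strip())
            ports.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return ports


def audit(config):
    """Return a list of (interface, finding) tuples for checklist violations."""
    ports = parse_interfaces(config)
    findings = []
    physical = [p for p in ports if not p.name.lower().startswith("vlan")]
    trunks = [p for p in physical if p.value("switchport mode") == "trunk"]
    access = [p for p in physical if p.value("switchport mode") != "trunk"]

    user_vlans = set()  # VLANs carrying live (not shut down) user ports
    for p in access:
        vlan = p.value("switchport access vlan") or "1"  # IOS default is VLAN 1
        if not p.has("shutdown"):
            user_vlans.add(vlan)
        if vlan == "1":
            findings.append((p.name, "port is in VLAN 1; move it to a dedicated or unused VLAN"))
        if p.value("switchport mode") != "access":
            findings.append((p.name, "missing 'switchport mode access'; DTP may negotiate a trunk"))

    for t in trunks:
        native = t.value("switchport trunk native vlan") or "1"  # default native VLAN
        if native == "1":
            findings.append((t.name, "trunk native VLAN is 1; use a dedicated unused VLAN"))
        elif native in user_vlans:
            findings.append((t.name, f"trunk native VLAN {native} is also a user access VLAN"))

    for p in ports:
        if p.name.lower() == "vlan1" and p.has("ip address"):
            findings.append((p.name, "management address on VLAN 1; use a separate management VLAN"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```

Running it against the sample flags Gi0/2, Gi0/3, Gi0/23, Gi0/24 and Vlan1 and passes Gi0/1, Gi0/4 and Gi0/22; point it at a saved `show running-config` to check a real switch. The script only reads interface sub-commands, so it does not see VTP or global settings.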
07-18-2007 08:10 AM
It sounds like the VLAN is being used as a layer 2 connection, not in a security context. There are times when you need a switch between your public and private networks. They created a VLAN, plugged the 'outside' and the PIX into the VLAN. Saves on having another device.
07-19-2007 05:29 AM
I understand what you are saying. But in my case the PIX and Internet connection are plugged into the same switch that I have desktops plugged into. The VLAN is also being propagated to my other switches via VTP.
07-19-2007 05:42 AM
Is the "public" VLAN the same as the "desktop" VLAN? I'm not saying this is a secure way of providing switching infrastructure, I'm just saying I've seen it done before (we do it with our DMZs). There might be a need to propagate the VLAN out to other switches. I have a customer that uses public IPs directly on the video conferencing equipment and they are all over the campus, so the public VLAN needs to be propagated. It all really depends on your needs.
07-19-2007 06:01 AM
It is not recommended to have the "outside" public internet carried across your L2 infrastructure. If you have any untrusted hosts connected to your L2 LAN, it is difficult to protect against attacks launched from these hosts.
In addition to what I wrote in my previous post, you can also use port security and private VLANs to enhance the protection, if you have this setup.
07-19-2007 06:17 AM
I'm not disputing that it's a major security concern, I'm stating that you do see it in the real world and there are reasons why some people do it.
07-19-2007 06:23 AM
I've never seen this setup before. The only reason I could think of doing it this way would be to save equipment costs...