security design

Unanswered Question
Mar 3rd, 2009

Hello

What is the best practice for a security design: the use of an independent switch for every DMZ, or the use of a single core switch with high performance and port density, segmented with a VLAN for every DMZ?

Thanks

JamesLuther Tue, 03/03/2009 - 04:58

Hello,

This very much depends on the security policy of your company. Many years ago it was common to have a separate switch for each DMZ, and if you're paranoid and have deep pockets then you can still do this.

It is now common to just use a central switch infrastructure and separate DMZs with VLANs.

When building DMZ switches, here are some ideas to keep them secure:

1) Make it a security policy that all VLANs on the switch are layer 2. This stops accidental routing between VLANs.

2) You can put your management VLAN interface into a separate VRF.

3) Ensure your native VLAN on trunks goes into an unused VLAN (to stop VLAN hopping).

Plus all the standard password and access control security. You can check this URL for some more ideas:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Regards
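The three points in the answer above, put together as an added Catalyst IOS configuration fragment (an editor's example, not from the original post or from Cisco): every VLAN number, name, address and interface here is made up, and the exact VRF syntax varies by IOS release.

```cisco
! Added example, not from the original post. Values are invented.
!
! 1) Layer-2-only DMZ VLANs: no SVI is defined for any DMZ VLAN, so the
!    switch has nothing it could route between them.
vlan 10
 name DMZ-WEB
vlan 20
 name DMZ-MAIL
vlan 900
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! 2) Management VLAN interface in its own VRF (classic 'ip vrf' syntax;
!    newer IOS uses 'vrf definition' / 'vrf forwarding' instead).
ip vrf MGMT
 rd 65000:900
!
interface Vlan900
 description management only, isolated in VRF MGMT
 ip vrf forwarding MGMT
 ip address 10.255.0.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.255.0.1
!
! 3) Trunk to the firewall: native VLAN is an unused VLAN that is not in
!    the allowed list, and DTP is disabled so the trunk is static.
interface GigabitEthernet0/1
 description trunk to firewall
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! DMZ host port: static access, no trunk negotiation, BPDU guard on.
interface GigabitEthernet0/10
 description DMZ-WEB server
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Management access reachable only from the management VRF.
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
```

A quick check after applying this is `show ip interface brief`, which should list Vlan900 as the only VLAN interface with an address, and `show interfaces trunk`, where the native VLAN must not appear in the allowed list.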
