Physical or VLAN isolation for DMZ networks?

Jun 23rd, 2009

Hi all,

This is a topic that has come up for discussion within our team a couple of times during the last few months. I wondered what other people's thoughts were on this subject - whether to use separate physical hardware or VLANs for the creation and provision of DMZ networks?

I am wondering if this is a matter of 'upbringing'. For example, I started my career in an environment where VLANs were used extensively for isolation of numerous networks of differing security levels, so I am quite comfortable with using VLANs for this type of L2 isolation. However, other colleagues are much more comfortable using separate physical hardware in such situations.
Collin Clark Tue, 06/23/2009 - 06:21

If you ask a security engineer they will say to use separate switches. Ask the person paying for them and they would say use VLANs. I look at two things: experience of the people who support it (e.g. could they mis-configure and have the DMZ VLAN all over the place and open to hosts they shouldn't?) and is a DMZ host located somewhere where a cable won't reach? I have run into places that have a host on the other side of campus and having the DMZ on VLANs saved us some work and the customer money.

Hope that helps.

mmacdonald70 Sun, 06/28/2009 - 04:53

It depends on how secure your protected network must be. Any security engineer and most network designers that I have talked to would never use L2 separation for a DMZ.

While the misconfiguration issue is valid, I would be more concerned about malicious attacks. It is quite a trivial thing to hop a VLAN.

Again, it depends on the level of security needed and the money that you want to spend.
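Both replies come down to the same two failure modes: a port left negotiable so something on it can talk itself into a trunk, and trunks that carry the DMZ VLAN simply because nobody pruned them. As an added example (not from this thread or from Cisco), here is a small Python audit over a constructed Cisco IOS-style config that flags exactly those; it assumes the DMZ is VLAN 20, that a port with no static `switchport mode` is DTP-negotiable (the default varies by platform), and parses only the plain `switchport trunk allowed vlan <list>` form.

```python
DMZ_VLAN = 20  # assumed DMZ VLAN id for this example
# Constructed sample (not from the thread): Gi1/0/23 is pinned down, Gi1/0/2 has no static mode, Gi1/0/24 is an open trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport access vlan 10
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk allowed vlan 20
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented lines; '!' ends a stanza."""
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(" ", 1)[1]
            stanzas[name] = []
        elif name and line.startswith(" "):
            stanzas[name].append(line.strip())
        else:
            name = None
    return stanzas

def expand_vlans(spec):  # '10,20-22' -> {10, 20, 21, 22}
    ranges = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def audit(config, dmz_vlan=DMZ_VLAN):
    """Return (interface, issue) pairs where the DMZ VLAN could leave its intended ports."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        allowed = next((l.split()[4] for l in lines if l.startswith("switchport trunk allowed vlan ")), None)
        if mode not in ("access", "trunk"):
            # Assumption: no static mode means DTP-negotiable, so the peer could negotiate a trunk.
            findings.append((name, "no static switchport mode; DTP could form a trunk carrying every VLAN"))
        elif mode == "trunk" and (allowed is None or dmz_vlan in expand_vlans(allowed)):
            if allowed is None:
                findings.append((name, f"trunk allows every VLAN, DMZ {dmz_vlan} included; restrict the allowed list"))
            if "switchport nonegotiate" not in lines:
                findings.append((name, "DMZ-carrying trunk still speaks DTP; add 'switchport nonegotiate'"))
    return findings
```

Run `audit()` over the output of `show running-config` from each access switch to see which ports the DMZ VLAN can actually reach, which is the "all over the place" question from the first reply.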
