Jun 8th, 2010

When designing a DMZ we usually put a dedicated L2 switch for connectivity between the firewall interfaces and the public servers...

and we create VLANs in this switch according to the DMZ.

What risk can be found if I create these L2 VLANs in our collapsed distribution switch (I will not create SVIs for these VLANs)?

Jon Marshall Tue, 06/08/2010 - 04:42

ohassairi wrote:

When designing a DMZ we usually put a dedicated L2 switch for connectivity between the firewall interfaces and the public servers...

and we create VLANs in this switch according to the DMZ.

What risk can be found if I create these L2 VLANs in our collapsed distribution switch (I will not create SVIs for these VLANs)?

The risk is that a misconfiguration of the distribution switch can lead to the firewall being bypassed. There are also issues with things like VLAN hopping etc. It all comes down to how secure it is to rely purely on VLANs to segregate traffic rather than physical switches.

Personally, in a data centre environment where you may be firewalling from your internal users, I have no problems with using a chassis-based switch to create the DMZs, and if you are using something like the FWSM you end up doing this anyway. With an internet-facing setup I don't have an issue with using one chassis for all DMZs, but I still would feel uncomfortable using the same chassis for internal VLANs as well. That is just my opinion though, as I have seen designs where this is done.

If you do decide to do this you should follow the best practices for securing your switches, i.e. don't use VLAN 1; if you do use a native VLAN then make it a non-routable VLAN with no ports allocated into it, etc. If you haven't seen this paper before have a read, as a lot of it applies to all Catalyst switches -

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Using separate switches will, in my opinion, always be more secure, but that doesn't mean it is the only way to do it.

Jon
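The hygiene points in the answer above (no SVI on a DMZ VLAN, nothing left in VLAN 1, a trunk native VLAN that is neither routed nor assigned to access ports) are easy to state and easy to lose track of on a shared chassis. The script below is an added example, not code from the thread or from Cisco: it audits an IOS-style running-config for exactly those points. The sample config, the DMZ VLAN numbers (100 and 110) and the port names are constructed for illustration.

```python
"""Audit an IOS-style running-config for DMZ-on-a-shared-switch hygiene:
  * no SVI (interface VlanN) exists on a DMZ VLAN,
  * no access port is left in VLAN 1 and no trunk keeps native VLAN 1,
  * the trunk native VLAN has no SVI and no access ports allocated to it.
Added example; the config below is constructed, not taken from a real device.
"""
import re

# Constructed sample: a collapsed distribution switch carrying internal
# VLANs 10/20 plus L2-only DMZ VLANs 100/110, with a few deliberate slips.
SAMPLE_CONFIG = """\
vlan 10
 name INTERNAL-USERS
vlan 100
 name DMZ-WEB
vlan 110
 name DMZ-MAIL
vlan 999
 name NATIVE-UNUSED
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/1
 description to-firewall-dmz-trunk
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,110
interface GigabitEthernet1/2
 description dmz-web-server
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet1/3
 description unpatched-port
 switchport mode access
interface GigabitEthernet1/4
 description stray-port-in-native
 switchport mode access
 switchport access vlan 999
"""

DMZ_VLANS = {100, 110}  # assumption: the VLAN IDs used for DMZ segments


def parse_interfaces(config):
    """Return {interface_name: [indented sub-lines]} for each interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # 'vlan N', '!' or anything else ends the stanza
    return interfaces


def audit(config, dmz_vlans=DMZ_VLANS):
    """Return a list of human-readable findings; empty list means clean."""
    svis, ports = set(), {}
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):
            svis.add(int(name[4:]))  # an SVI makes that VLAN routable here
            continue
        mode, access_vlan, native_vlan = None, 1, 1  # IOS defaults
        for l in lines:
            if l == "switchport mode access":
                mode = "access"
            elif l == "switchport mode trunk":
                mode = "trunk"
            else:
                m = re.match(r"switchport access vlan (\d+)$", l)
                if m:
                    access_vlan = int(m.group(1))
                m = re.match(r"switchport trunk native vlan (\d+)$", l)
                if m:
                    native_vlan = int(m.group(1))
        ports[name] = (mode, access_vlan, native_vlan)

    native_vlans = {nv for mode, _, nv in ports.values() if mode == "trunk"}
    findings = []
    for vid in sorted(svis & dmz_vlans):
        findings.append(f"Vlan{vid}: SVI on DMZ VLAN {vid} routes around the firewall")
    for vid in sorted(svis & native_vlans):
        findings.append(f"Vlan{vid}: trunk native VLAN {vid} is routable")
    for name, (mode, av, nv) in ports.items():
        if mode == "trunk" and nv == 1:
            findings.append(f"{name}: trunk native VLAN left at default 1")
        if mode == "access" and av == 1:
            findings.append(f"{name}: access port left in VLAN 1")
        elif mode == "access" and av in native_vlans:
            findings.append(f"{name}: access port allocated into native VLAN {av}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Run against the sample it flags the SVI on VLAN 100, the access port defaulted into VLAN 1 and the port sitting in the native VLAN; the trunk with native VLAN 999 and the server port in VLAN 100 pass. Feed it the output of `show running-config` from the actual switch to check a real design.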
