Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMZ - Best practice

Hi,

I would like to setup a new infrastructure with LAN 1 / LAN 2 / DMZ / WAN.

My question is concerning the DMZ part especially.

I think it is better to have 1 switch for LAN 1 and 2 using VLANs and another physical switch for DMZ.

Does anyone have best practices regarding the usage of another physical switch for DMZ (rather than using VLAN) ?

How can I justify the 2nd switch purchase ?

Thank you

Regards


Eric

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: DMZ - Best practice

emoutarde wrote:

Hi Jon,

Thanks for your answer.

WAN means Internet in my case

DMZ is used for all servers which use Internet : FTP / Web / Proxy...

LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...

Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning)

I have to find some documents (Best practices...) for me to justify the DMZ config (separate switch) when I will be in front of the management.

Regards

Eric

Have a look at that paper i sent. If everything is on vlan 1 currently that is good enough in my opinion to justify a separate DMZ switch.

In front of management don't blind them with technical talk about vlans etc. just make it clear that with the same switch for both the inside and DMZ all it takes is a misconfiguration or a bug and suddenly the firewall has been bypassed and there is a path from the Internet straight into the network.

If that doesn't get their attention then you're probably not going to win the fight.

Jon

7 REPLIES
Hall of Fame Super Blue

Re: DMZ - Best practice

emoutarde wrote:

Hi,

I would like to setup a new infrastructure with LAN 1 / LAN 2 / DMZ / WAN.

My question is concerning the DMZ part especially.

I think it is better to have 1 switch for LAN 1 and 2 using VLANs and another physical switch for DMZ.

Does anyone have best practices regarding the usage of another physical switch for DMZ (rather than using VLAN) ?

How can I justify the purchase of this 2nd switch ?

Thank you

Regards


Eric

Eric

This is one of those questions to which there is no definitive answer. Using a physical switch will always in my opinion be more secure that using the same switch for both inside and DMZ vlans. Personally it does depend on what is on the outside ie. is it just your WAN or is it the internet.

If the internet then i would always want a separate switch for the outside and ideally a separate switch(es) for the dmz(s). If WAN ie. your own internal users coming in then i would be more relaxed about using a single chassis for the inside/dmz and potentially the outside as well.

If you do use the same chassis for inside/dmz make sure you enable the necessary vlan security features eg. don't use vlan 1 etc. Attached is a link to a doc covering vlan security for the 6500 switch. A lot of what is covered is relevant to all Catalyst switches -

6500 vlan security

Jon

New Member

Re: DMZ - Best practice

Hi Jon,

Thanks for your answer.

WAN means Internet in my case

DMZ is used for all servers which use Internet : FTP / Web / Proxy...

LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...

Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning)

I have to find some documents (Best practices...) for me to justify the DMZ config (separate switch) when I will be in front of the management.

Regards

Hall of Fame Super Blue

Re: DMZ - Best practice

emoutarde wrote:

Hi Jon,

Thanks for your answer.

WAN means Internet in my case

DMZ is used for all servers which use Internet : FTP / Web / Proxy...

LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...

Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning)

I have to find some documents (Best practices...) for me to justify the DMZ config (separate switch) when I will be in front of the management.

Regards

Eric

Have a look at that paper i sent. If everything is on vlan 1 currently that is good enough in my opinion to justify a separate DMZ switch.

In front of management don't blind them with technical talk about vlans etc. just make it clear that with the same switch for both the inside and DMZ all it takes is a misconfiguration or a bug and suddenly the firewall has been bypassed and there is a path from the Internet straight into the network.

If that doesn't get their attention then you're probably not going to win the fight.

Jon

Re: DMZ - Best practice

Hi Jon,

Thanks for your answer.

WAN means Internet in my case

DMZ is used for all servers which use Internet : FTP / Web / Proxy...

LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...

Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning)

I have to find some documents (Best practices...) for me to justify the DMZ config (separate switch) when I will be in front of the management.

Regards

Hi,

Check out the below link for DMZ Design section in networks:-

http://www.issa-ne.org/documents/johnmanning-dmz.pdf

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Re: DMZ - Best practice

Hi,

You are absolutely correct,

The best practice is to have different physical switch for DMZ , of course you can implement Switch security and disable communication between DMZ  ports and even more, but I recommend having it in different Switch , just because of Hardware failure , you could loose both the LAN and DMZ. having it on seperat Switch will at least make sure a hardware failure of one switch doesnt affect the rest of the Network.

HTH

Mohamed

New Member

Re: DMZ - Best practice

Hi Eric,

The cisco SAFE Architecture is a good place to start.

http://www.cisco.com/en/US/netsol/ns954/index.html

But on a whole,a seperate switch connected to a firewall (IOS Firewall or ASA) means that you can configure

Private VLANs on the switch ports preventing traffic between servers in the DMZ.

Hope this helps

Chris

New Member

Re: DMZ - Best practice

Thank you all

I think I will make it with your advices

Regards

8507
Views
11
Helpful
7
Replies
CreatePlease to create content