Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13608
Views
11
Helpful
7
Replies

DMZ - Best practice

Go to solution
emoutarde
Level 1
Level 1

‎05-20-2010 08:08 AM - edited ‎03-06-2019 11:11 AM

Hi,

I would like to setup a new infrastructure with LAN 1 / LAN 2 / DMZ / WAN.

My question is concerning the DMZ part especially.

I think it is better to have 1 switch for LAN 1 and 2 using VLANs and another physical switch for DMZ.

Does anyone have best practices regarding the usage of another physical switch for DMZ (rather than using VLAN) ?

How can I justify the 2nd switch purchase ?

Thank you

Regards


Eric

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to emoutarde

‎05-20-2010 08:57 AM 

emoutarde wrote:
Hi Jon,
Thanks for your answer.
WAN means Internet in my case
DMZ is used for all servers which use Internet : FTP / Web / Proxy...
LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...
Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning)
I have to find some documents (Best practices...) for me to justify the DMZ config (separate switch) when I will be in front of the management.
Regards

Eric

Have a look at that paper i sent. If everything is on vlan 1 currently that is good enough in my opinion to justify a separate DMZ switch.

In front of management don't blind them with technical talk about vlans etc. just make it clear that with the same switch for both the inside and DMZ all it takes is a misconfiguration or a bug and suddenly the firewall has been bypassed and there is a path from the Internet straight into the network.

If that doesn't get their attention then you're probably not going to win the fight.

Jon

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎05-20-2010 08:18 AM 

emoutarde wrote:
Hi,
I would like to setup a new infrastructure with LAN 1 / LAN 2 / DMZ / WAN.
My question is concerning the DMZ part especially.
I think it is better to have 1 switch for LAN 1 and 2 using VLANs and another physical switch for DMZ.
Does anyone have best practices regarding the usage of another physical switch for DMZ (rather than using VLAN) ?
How can I justify the purchase of this 2nd switch ?
Thank you
Regards

Eric

Eric

This is one of those questions to which there is no definitive answer. Using a physical switch will always in my opinion be more secure that using the same switch for both inside and DMZ vlans. Personally it does depend on what is on the outside ie. is it just your WAN or is it the internet.

If the internet then i would always want a separate switch for the outside and ideally a separate switch(es) for the dmz(s). If WAN ie. your own internal users coming in then i would be more relaxed about using a single chassis for the inside/dmz and potentially the outside as well.

If you do use the same chassis for inside/dmz make sure you enable the necessary vlan security features eg. don't use vlan 1 etc. Attached is a link to a doc covering vlan security for the 6500 switch. A lot of what is covered is relevant to all Catalyst switches -

6500 vlan security

Jon

Go to solution
emoutarde
Level 1
Level 1
In response to Jon Marshall

‎05-20-2010 08:37 AM

Hi Jon,

Thanks for your answer.

WAN means Internet in my case

DMZ is used for all servers which use Internet : FTP / Web / Proxy...

LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...

Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning)

I have to find some documents (Best practices...) for me to justify the DMZ config (separate switch) when I will be in front of the management.

Regards

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to emoutarde

‎05-20-2010 08:57 AM 

emoutarde wrote:
Hi Jon,
Thanks for your answer.
WAN means Internet in my case
DMZ is used for all servers which use Internet : FTP / Web / Proxy...
LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...
Currently VLAN 1 is used for workstations, servers, printers and network devices... (This was done by the network admins at the beginning)
I have to find some documents (Best practices...) for me to justify the DMZ config (separate switch) when I will be in front of the management.
Regards

Eric

Have a look at that paper i sent. If everything is on vlan 1 currently that is good enough in my opinion to justify a separate DMZ switch.

In front of management don't blind them with technical talk about vlans etc. just make it clear that with the same switch for both the inside and DMZ all it takes is a misconfiguration or a bug and suddenly the firewall has been bypassed and there is a path from the Internet straight into the network.

If that doesn't get their attention then you're probably not going to win the fight.

Jon

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni
In response to emoutarde

‎05-20-2010 10:53 PM 

Hi Jon,
Thanks for your answer.
WAN means Internet in my case
DMZ is used for all servers which use Internet : FTP / Web / Proxy...
LAN 1/2 are used for our niternal subsidiary network : DB / DC / Mail...
Currently
VLAN 1 is used for workstations, servers, printers and network
devices... (This was done by the network admins at the beginning)
I
have to find some documents (Best practices...) for me to justify the
DMZ config (separate switch) when I will be in front of the management.
Regards

Hi,

Check out the below link for DMZ Design section in networks:-

http://www.issa-ne.org/documents/johnmanning-dmz.pdf

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Go to solution
Mohamed Sobair
Level 7
Level 7

‎05-20-2010 10:41 AM

Hi,

You are absolutely correct,

The best practice is to have different physical switch for DMZ , of course you can implement Switch security and disable communication between DMZ  ports and even more, but I recommend having it in different Switch , just because of Hardware failure , you could loose both the LAN and DMZ. having it on seperat Switch will at least make sure a hardware failure of one switch doesnt affect the rest of the Network.

HTH

Mohamed

Go to solution
chris.rae07
Level 1
Level 1

‎05-20-2010 08:23 PM

Hi Eric,

The cisco SAFE Architecture is a good place to start.

http://www.cisco.com/en/US/netsol/ns954/index.html

But on a whole,a seperate switch connected to a firewall (IOS Firewall or ASA) means that you can configure

Private VLANs on the switch ports preventing traffic between servers in the DMZ.

Hope this helps

Chris

Go to solution
emoutarde
Level 1
Level 1
In response to chris.rae07

‎05-21-2010 05:10 AM

Thank you all

I think I will make it with your advices

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card