Re: design issue - vlans or separate hubs on the external interf

simmo · ‎06-26-2002

We are designing a new setup with a PIX515 firewall and failover. One Internal interface with the application servers on; several external interfaces to separate customer networks, connected via fibre or a router connection.

Due to the failover setup, we need to put in a hub or switch between each customers WAN connection and their interface to the PIX. That means we need to purchase 3 hubs, one for each customer. To provide reasonable service, we should make those manageable hubs.

The alternative is to put in a good switch and split it up into 3 vlans. This would be adminstraticely easier all round. Previously I've shyed away from this as I consider the VLANs and Cisco Switch to be a point of lower security, which could be easily (in comparison to the PIX Firewall) be compromised. But I'd like a second opinion.

I would like some feedback from others on what their thoughts are...VLANs or separate hubs?

Thanks.....Mark Simmonds.

rrbleeker · ‎06-27-2002

Mark,

By using VLANs, you rely your security implemtation on a layer 2 solution. I would definately recommend to use seperate hubs/switches. You also should be careful with configuring these hubs/switches for management puposes. Generally you want to keep these boxes as dumb as possible (from a manageability perpective). Allowing remote access or SNMP could result in a compromised switch/hub.

design issue - vlans or separate hubs on the external interfaces