01-12-2004 08:16 AM - edited 03-09-2019 06:06 AM
Hi,
I am designing a network using the PIX with a DMZ.
i.e Outside, Inside and middle interface ... simple.
For maximum security I understand I should use 3x "separate" switches (for physical security!).
For cost, it would be nice to use the same Ethernet switch and implement VLANs, i.e. vlan1, vlan2 and vlan3.
I have to weigh cost and security risk. Is it a realistic threat that a hacker can jump VLANs by messing with Ethernet/ISL headers?
All comments are welcome and appreciated. Thanks,
Matt C,
01-13-2004 10:41 AM
There was a bug a while ago in Cisco switches that would allow VLAN jumping, but that has been fixed for some time now. Personally, I would never use a VLAN'd switch for the inside, outside, and DMZ. But if you have to, just stay away from using the native vlan on the switch. Keep in mind, you can get 24 port switches for under $1k now.
HTH,
Mike
01-16-2004 04:03 PM
A malicious user can cause frames to hop from one VLAN to another depending on the configuration of the switch. This isn't a bug, but rather the result of the dot1q standard and all vendors have this "problem".
As mentioned, don't use native vlans to carry any traffic, and don't provide any trunked ports to any devices. This will mitigate the concerns with VLANs themselves.
The other problem is that a malicious user in the DMZ or on the Outside can hack at the switch itself to gain admin access. If this happens due to poor security configuration of the switch as a host, the attacker could simply move the port of another device on the switch that was formerly in the DMZ/Outside into the inside VLAN, giving full access.
The last problem is that human errors in configuration carry a high risk of creating new problems. With three switches, this isn't a concern, as each network segment is both logically and physically separate.
Cisco even has 8 port switches now that are cheap. It's hard to make an argument these days for using one switch for all three purposes.
01-19-2004 02:02 AM
Thanks for all your help guys.
Your comments are much appreciated.
02-05-2004 07:21 PM
Just a quick note on the VLAN hopping security risks mentioned. These are mitigated by shutting down VLAN 1. VLAN hopping uses VLAN 1 to inject packets onto other VLANs.
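The mitigations the replies above describe (keep VLAN 1 out of service, never carry traffic on the native VLAN, give end devices access ports only, no trunks), written out as a Cisco IOS-style Catalyst configuration. This is an added example, not a configuration posted in this thread; the interface names, VLAN numbers and the unused "parking" VLAN 999 are assumptions for illustration, and `switchport trunk encapsulation dot1q` is only needed on platforms that also support ISL.

```cisco
! Added example (not from this thread): one way to apply the mitigations the
! replies describe on a Cisco IOS Catalyst switch. Interface names, VLAN
! numbers and the VLAN 999 parking VLAN are assumptions for illustration.
!
! 1. Keep VLAN 1 out of service: shut its SVI so it carries no management traffic.
interface Vlan1
 shutdown
!
! 2. Define the three firewall segments plus an unused VLAN that serves as the
!    trunk native VLAN and as the parking VLAN for unused ports.
vlan 10
 name OUTSIDE
vlan 20
 name DMZ
vlan 30
 name INSIDE
vlan 999
 name UNUSED_NATIVE
!
! 3. Ports facing the PIX and the hosts are plain access ports with DTP off,
!    so no attached device can negotiate a trunk and send tagged frames.
interface FastEthernet0/1
 description PIX outside
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 description PIX dmz
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! 4. If an uplink must be a trunk, move the native VLAN off VLAN 1 to the
!    unused VLAN and prune the allowed list, so untagged frames never land in
!    a production VLAN and VLAN 1 is not carried at all.
interface GigabitEthernet0/1
 description uplink
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! 5. Park every unused port in the unused VLAN and shut it down.
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

After applying it, `show interfaces trunk` should list only the uplink with native VLAN 999, and `show interfaces switchport` should show every host-facing port as static access with negotiation off.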