I wanted to throw this out there because this was a new one for me. My current company is bringing in the internet connection of the router into the network. Then they have it VLAN'd off and then it goes to a PIX. I've always read VLAN's aren't secure. Has anyone seen this setup or thoughts on it?
It is very simple: VLANs are not secure, were never designed for that purpose, and should not be used in a security context.
It all depends on your requirements though, so if you MUST use it you need to configure the switches and trunkports properly.
There are many things you must think of, including:
* Disable all unused ports and place them in an unused VLAN.
* Never use Vlan 1 for users OR management OR native Vlan.
* Disable trunking mode on all user ports (switchport mode access).
* For backbone switch-to-switch connections, explicitly configure trunking.
* Do not use the user native VLAN as the trunk port native VLAN.
* Always use dedicated VLAN IDs for all trunk ports.
It sounds like the VLAN is being used a layer2 connection, not a security context. There are time when you need a switch between your public and private networks. They created a VLAN, plugged the 'outside' and the PIX into the VLAN. Saves on having another device.
I understand what you are saying. But in my case the PIX and Internet connection are plugged into the same switch that I have desktops plugged into. The VLAN is also being propagated to my other switches via VTP.
Is the "public" vlan the same as the "desktop" VLAN? I'm not saying this is a secure way of providing switching infrastructure, I'm just saying I've seen it done before (we do it with our DMZs). There might be a need to propagate the VLAN out to other switches. I have a customer that uses public IP's directly on the Video Conf equipment and they are all over the campus, so the public VLAN needs to be propagated. It all really depends on your needs.
It is not recommended to have the "outside" public internet carried across your L2 infrastructure. If you have any untrusted hosts connected to your L2 LAN it is difficult to protect against attacks launched from these hoste.
In addition to what I wrote in my previous post, you can also use port security and private vlans to enhance the protection, if you have this setup.
I'm not disputing that it's a major security concern, I'm stating that you do see it in the real world and there reasons why some people do it.