Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Possible security vulnerability?

Hi,

I'm after some feedback on the following configuration.

On an ASA 5520 we have 3 different zones each on separate interfaces and different VLANs. If these were all connected to the same 6504 switch along with the servers would this present a security vulnerability? Would it be better to have each zone connected to an individual switch for security purposes or would an access-list on the 6504 suffice?

Any advice would be most welcome.

Thanks,

Alan

2 REPLIES

Re: Possible security vulnerability?

Hi,

Best practise dictates that you have each zone on a separate switch, mainly because if the switch was ever compromised (either deliberately or accidentally) then you could simply bypass the firewall altogether.

That said, if you use vlans a lot then you'll be trunking to a switch...

Basically, it's a decision for the security manager (assuming you don't have this explicitly defined in your security policy) and comes down to cost vs. risk vs. practicality. Just make sure you follow all Cisco's published security best practise on the switches!

HTH - plz rate if useful

Andrew.

Silver

Re: Possible security vulnerability?

To add to Andrew's post (he is correct btw), Historically there have been a few "VLAN hopping" exploits that allow a user to jump from one VLAN to another. I know of no current methods as long as you follow best practices, particularly enabling port security and limiting the number of MAC addresses per port. Also, all of the exploits I have known of relied on access to a device on the switch, so an attacker could compromise a web server and then use it to hop to another VLAN.

For these reasons, I always recommend separate switches for each security zone, but I often advise that it is not cost-effective for my smaller clients. I trust that a properly secured switch is not currently a risk, and if you use some host protection such as CSA on at-risk servers, a successful attack would be very unlikely.

As a bare minimum, I like to have 1 external switch if necessary, an inside switch (may be your existing core or other internal switch), and one or more for DMZs. The DMZs usually have multiple VLANs with a trunk to the firewall to allow for more security zones than allowed by the physical ports.

I hope you find this useful,

Eric

116
Views
0
Helpful
2
Replies
CreatePlease login to create content