10-03-2006 07:29 AM - edited 03-09-2019 04:23 PM
Hi friends,
A PIX 515E with 7.0(5) has been installed, interfaces being 1 Inside + 1 outside.
My question is if clients and server are connected to inside interface, how do I protect the internal server from attacks by internal clients?
Do I need to place the server in the DMZ? Since I don't have enough physical interfaces, can I create a DMZ by creating a logical interface / VLAN?
The clients, server and inside interface of a firewall are connected to a single Catalyst 2950 switch running IOS.
The client and server are in the same IP subnet as well.
Thanks a lot
Gautam
10-03-2006 07:37 AM
If both are on the same physical interface you cannot protect your inside server without placing it at least on a VLAN. The traffic goes directly from the client to the server without being inspected by the Firewall.
Note that a VLAN is not as safe as a physical interface; it is possible to craft packets or to sniff VLANs, but it is still better to have VLANs than no control at all.
sincerely
Patrick
10-03-2006 08:07 AM
A better option would be to purchase a single interface FastEthernet card for your DMZ. Then you can do everything as stated above without the slight security issues posed by the crafted packets....