I have a PIX 525 firewall that contains (3) interfaces: Inside, DMZ and Outside. We have problems on occasion with our ISP on the outside interface. It sometimes requires me to insert a hub in between the Outside of the PIX and the ISP so as to use Sniffer. My question concerns the security aspects of creating a VLAN for the outside and DMZ networks. This would allow me to simply assign my PC to the outside VLAN and then I could SPAN the ports.
Physically this would mean plugging the ISP into my Cat4006 along with the DMZ. As long as I have those ports assigned to the VLANs I create, and NOT trunking to them, is there a security risk in doing this?
The neat thing is that if this works I could trunk these VLANs to anywhere on the network (should I ever need to), thus providing the ability to have externally visible web servers physically located anywhere in the building, but on the DMZ or the outside networks. What do you think?
If at all possible, I would avoid using your internal switch for external connectivity as well.
First of all, you would be compromising the job that your firewall provides. Although each VLAN is (by design) secure, you are relying on a piece of technology to provide a service that it was not necessarily designed for.
Also - keep in mind that information such as spanning tree and VTP information could get forwarded to your ISP.
You must take the view that the point that you trust stops at the external port on your firewall. Don't assume that the ISP itself would not be used as a point to launch an attack.
My recommendation would be to utilise a small switch, or (if your budget won't stretch to that), a hub. They'll provide the same functionality without compromising the services your firewall is providing. (of course, you would need additional cabling to carry the "external VLAN" from these external switches to anywhere else in your campus).
We use a Cat6513 with VLANs set up for the DMZ, a segment that contains the internet router & PIX, and several inside VLANs. As long as you have a three-port PIX [which you do], plug one into your inside VLAN, one into your DMZ VLAN, and one into your VLAN with your router, and as long as you can keep a logical layout of what ports are assigned to what VLAN, you won't have any problems. You still have the security of your PIX and you have the expandability to anywhere in your building.
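The layout the second reply describes, audited for the concerns the first reply raises (DTP negotiating a trunk on an "access" port, VTP and spanning-tree information leaving toward the ISP, and the outside VLAN riding a trunk to the rest of the campus), as an added example that is not part of the original thread. It assumes IOS-style Catalyst configuration syntax (a Cat4006 of that era may run CatOS, whose commands differ); the running-config text below is constructed for the example, and VLAN 100/200/300 and the interface names are invented for illustration.

```python
"""Audit an IOS-style Catalyst running-config for the risks of putting the
outside (ISP) VLAN on the campus switch.  Constructed example, not from the thread."""
import re

# Constructed sample running-config (assumed IOS syntax, invented names/VLANs).
SAMPLE_CONFIG = """\
vtp mode server
!
vlan 100
 name OUTSIDE
vlan 200
 name DMZ
!
interface GigabitEthernet1/1
 description ISP handoff
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/2
 description PIX outside
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 spanning-tree bpdufilter enable
!
interface GigabitEthernet1/3
 description PIX dmz
 switchport access vlan 200
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/4
 description uplink to building B
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
!
interface GigabitEthernet1/5
 description sniffer PC
 switchport access vlan 100
!
monitor session 1 source interface GigabitEthernet1/1
monitor session 1 destination interface GigabitEthernet1/5
"""

UNTRUSTED_VLANS = {"100"}  # VLAN(s) that touch the ISP; an assumption for the example


def expand_vlan_list(spec):
    """'100,200-202' -> {'100','200','201','202'} (IOS allowed-vlan syntax)."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(str(v) for v in range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(part.strip())
    return vlans


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for every interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        elif line.startswith("!"):
            current = None
    return blocks


def audit(config, untrusted=UNTRUSTED_VLANS):
    """Return a list of (scope, finding) tuples; an empty list means no issue found."""
    findings = []
    if not re.search(r"^vtp mode transparent\s*$", config, re.M):
        findings.append(("global", "VTP not transparent; advertisements can leave on the ISP-facing VLAN"))
    for name, lines in parse_interfaces(config).items():
        joined = "\n".join(lines)
        m = re.search(r"^switchport mode (\S+)", joined, re.M)
        mode = m.group(1) if m else "dynamic"  # no explicit mode -> DTP default on many Catalysts
        if mode == "trunk":
            a = re.search(r"^switchport trunk allowed vlan (\S+)", joined, re.M)
            carried = expand_vlan_list(a.group(1)) if a else None  # None -> all VLANs allowed
            leaked = untrusted if carried is None else untrusted & carried
            if leaked:
                findings.append((name, f"trunk carries untrusted VLAN(s) {sorted(leaked)}; prune them"))
            continue
        acc = re.search(r"^switchport access vlan (\S+)", joined, re.M)
        if not acc or acc.group(1) not in untrusted:
            continue  # only ports in the ISP-facing VLAN are checked below
        if mode != "access":
            findings.append((name, "no 'switchport mode access'; DTP may negotiate a trunk"))
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP still running; add 'switchport nonegotiate'"))
        if "spanning-tree bpdufilter enable" not in lines:
            findings.append((name, "STP BPDUs sent toward untrusted segment; add 'spanning-tree bpdufilter enable'"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

On the sample, the PIX outside port (Gi1/2) passes, while the ISP handoff, the sniffer port and the building uplink are flagged: the uplink is exactly the "trunk it anywhere" convenience from the question, and the audit treats any trunk that carries VLAN 100 as extending the untrusted segment into the building.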