We are moving our servers to a hosting facility, and since they are only providing an Ethernet fiber Internet connection, they are recommending that we connect the Internet fiber to our stacked 3750 switches on the same VLAN as a pair of ASA5510 firewalls (which do not have fiber interfaces). Another VLAN would be created for our production servers on the same switches. Is it fairly common practice to physically mix production servers with the Internet on the same stackable switches, even though they are separated only by a VLAN?
We have no problem spending 2K for another pair of 8-port fiber switches so we can physically separate the servers from the Internet connection, or are we just being paranoid?
Your expert opinions are earnestly requested... Thanks!
Just to put another point of view to Paolo's and Brad's.
As long as you ensure that the only way to get from the Internet to the servers is via the ASA devices, then yes, you are relatively secure. But you are still on the same physical infrastructure, and this means it can be easier to introduce holes in your security.
Why? Because accidentally moving a server in front of the firewall is now a simple configuration change on the switch, as opposed to configuration changes plus physical repatching.
In addition, let's say your VLAN database is accidentally corrupted or, worse, deleted and all ports default to VLAN 1. Now your Internet link is in the same VLAN as all your servers without a firewall in between.
You don't mention whether these servers are using private addressing or public addressing. Private addressing would obviously mitigate some of the above although NAT should not be relied on as a security measure.
A lot comes down to how good your change procedures are, really, as much as anything else. Just as important is what data is on those servers and how detrimental it would be to your company if that data were corrupted or released on the Internet. This is something only you can answer, but you need to weigh up the 2K cost of extra switches against the potential cost of being compromised.
I don't necessarily disagree with Paolo/Brad, but the above are some of the things you should be considering.
Edit - attached is a link to VLAN security on the 6500. A lot of it is relevant to VLAN security in general.
This all depends upon how important these servers are, and the risk to your organisation should they be compromised.
You will very probably be OK with them in the same switch, but all it takes is a patching error and you may have an issue.
You can mitigate the risks of a patching error with a bit of good practice: only enable ports that will be used. Add in static port security, and then to cause a problem by patching, it needs to be compounded by a config change as well.
There have been issues with switches losing their config. Fortunately they are few and far between, but it is something that you cannot depend upon not happening. All it takes is someone inadvertently altering the config register and a reload.
I would go for separate switches if possible. I would also harden the outside ones (disable telnet, SNMP, etc.) to reduce the chances of them being compromised in some way.
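The two replies above list the same controls for a shared stack: shut unused ports so nothing defaults into VLAN 1, pin each active port with static port security, keep only the provider handoff and the ASA outside interface in the Internet VLAN, and turn off telnet and SNMP on the outside switches. The following Python script is an added example (not code from any of the posters) that audits a running-config for exactly those points, run against a constructed "before" config with the mistakes and a constructed "after" config with the fixes. The hostname, port numbers, VLAN IDs (100 for Internet, 200 for servers) and MAC addresses are assumptions made up for illustration, not anyone's real configuration.

```python
"""Audit a Cisco IOS config for the VLAN-separation risks raised in this thread.
Added example, not code from the posts; configs, port names, VLAN IDs and MACs are
constructed assumptions, not anyone's real production config."""

# Constructed "before": Internet handoff (VLAN 100) and servers (VLAN 200) on one stack.
WEAK_CONFIG = """\
hostname core-stack
snmp-server community public RO
!
interface GigabitEthernet1/0/1
 description Internet fiber from provider
 switchport access vlan 100
!
interface GigabitEthernet1/0/2
 description ASA outside
 switchport access vlan 100
!
interface GigabitEthernet1/0/3
 description file server (a one-digit typo put it in front of the ASA)
 switchport access vlan 100
!
interface GigabitEthernet1/0/4
!
line vty 0 4
 transport input telnet ssh
"""

# Constructed "after": unused port shut, static MAC per active port, server back in VLAN 200.
HARDENED_CONFIG = """\
hostname core-stack
no snmp-server
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
interface GigabitEthernet1/0/2
 switchport access vlan 100
 switchport port-security
 switchport port-security mac-address 0011.2233.4456
!
interface GigabitEthernet1/0/3
 switchport access vlan 200
 switchport port-security
 switchport port-security mac-address 0011.2233.4457
!
interface GigabitEthernet1/0/4
 shutdown
!
line vty 0 4
 transport input ssh
"""

OUTSIDE_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"}  # provider handoff and ASA outside

def parse_config(text):
    """Split an IOS config into global lines, per-interface lines and vty lines."""
    cfg = {"global": [], "interfaces": {}, "vty": []}
    bucket = cfg["global"]
    for line in text.splitlines():
        if not line.strip() or line == "!":
            bucket = cfg["global"]        # '!' closes the current section
        elif line.startswith("interface "):
            bucket = cfg["interfaces"].setdefault(line.split(None, 1)[1], [])
        elif line.startswith("line vty"):
            bucket = cfg["vty"]
        elif line.startswith(" "):
            bucket.append(line.strip())   # indented: belongs to the open section
        else:
            bucket = cfg["global"]
            bucket.append(line)
    return cfg

def audit(text, outside_vlan, outside_ports):
    """Return one finding per risk the replies describe; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    for name, lines in cfg["interfaces"].items():
        if "shutdown" in lines:
            continue                      # a shut port cannot be mis-patched into anything
        vlan = 1                          # IOS default: no VLAN set means VLAN 1
        for l in lines:
            if l.startswith("switchport access vlan "):
                vlan = int(l.split()[-1])
        if vlan == 1:
            findings.append(f"{name}: enabled port in VLAN 1 (shut it or assign a VLAN)")
            continue
        if vlan == outside_vlan and name not in outside_ports:
            findings.append(f"{name}: in Internet VLAN {outside_vlan}, bypassing the ASA")
        if not any(l.startswith("switchport port-security mac-address") for l in lines):
            findings.append(f"{name}: no static port-security MAC, a mis-patched box passes traffic")
    if any(l.startswith("transport input") and "telnet" in l.split() for l in cfg["vty"]):
        findings.append("vty: telnet enabled, allow ssh only")
    findings += [f"global: SNMP community string configured ({l.split()[2]})"
                 for l in cfg["global"] if l.startswith("snmp-server community")]
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text, 100, OUTSIDE_PORTS) or "clean")
```

The static-MAC check matches the advice in the thread: it catches an accidental mis-patch, where the wrong box lands on a port and is refused, not a deliberate attacker who clones the expected MAC. The script only sees the running-config; on a 3750 the VLAN database lives separately in vlan.dat, so the "database corrupted or deleted" scenario still has to be covered by config backups and change control rather than by this audit.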