Internet and servers on the same switch?

maxelopre · ‎05-14-2008

Is this a normal and secured practice?

We are moving our servers to a hosting facility and since they are only providing ethernet fiber internet connection, they are recommending to connect the internet fiber to our stacked 3750 switches on the same VLAN as a pair of ASA5510 FW (which does not have fiber interfaces). Another VLAN will be created for our production servers on the same switches. Is this a fairly common practice of physically mixing production servers with Internet on the same stackable switches even though they are separated only by a VLAN?

We have no problem spending 2K for another pair of 8-port fiber switches so we can physically separate the servers from the Internet connection OR we are just being paranoid?

Your expert opinions are earnestly requested... Thanks!

paolo bevilacqua · ‎05-14-2008

You are just paranoid, friendly said :)

bmcginn · ‎05-14-2008

Mate, the setup you mentioned sounds secure enough to me.. I think you may be a tad paranoid. No slight intended :)

Jon Marshall · ‎05-14-2008

Just to put another point of view to Paolo's and Brad's.

As long as you ensure that the only way to get from the Internet to the servers is via the ASA devices then yes you are relatively secure. But you are still on the same physical infrastructure. And this means it can be easier to introduce holes in your security.

Why ?, because to accidentally move a server in front of the firewall is now a simple configuration change on the switch as opposed to configuration changes and physical repatching.

In addition, lets say your vlan database is accidentally corrupted or worse deleted and all ports default to vlan 1. Now your Internet link is in the same vlan as all your servers without a firewall in between.

You don't mention whether these servers are using private addressing or public addressing. Private addressing would obviously mitigate some of the above although NAT should not be relied on as a security measure.

A lot comes down to how good your change procedures are really as much as anything else. And just as important is what data is on those servers and how detrimental to your company would it be if that data was corrupted or released on the Internet. This is something only you can answer but you need to weigh up the 2K cost of extra switches vs the potential cost of being compromised.

I don't necessarily disagree with Paolo/Brad, but the above are some of the things you should be considering.

Edit - attached is a link to vlan security on the 6500. A lot of it is relevant to vlan security in general.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Jon

paul.matthews · ‎05-14-2008

I sit more on the Jon side of the fence!

This all depends upon how important these servers are, ad the risk to your organisation should they be compromised.

You will very probably be OK with them in the same switch, but all it takes is a patching error and you may have an issue.

You can mitigate the risks of a patching error with a bit of good practise - only enable ports tat will be used. Add in static port security, and to cause a problem by patch, it needs to be compounded by a config change.

There have been issues with switches losing their config - fortunately they are few and far between, but it is something that you cannot depend upon not hapenning. All it takes is someone inadvertantly altering the config register and a reload.

I would go for separate switches if possible. I would also harden the outside ones - disable telnet, SNMP etc to reduce the chances of them being compromised in some way.

Paul.

Danilo Dy · ‎05-15-2008

Hi,

In addition to Paolo, Brad, Jon, and Paul's replies.

If you are going ahead with a single switch and you are assigning IP address to the switch for management and syslog purposes, make sure its not in the internet VLAN.

Regards,

Dandy