Vlan Dmz...

[DerekK]

Hi all, I would like collect opinions about mix Internal LAN ports and public DMZ ports in a same switch using VLANs. I mean, configure i.e. 1 to 12 port in one VLAN and the rest in another, and then connect the first VLAN to a the internal net (one of the firewall interfaces) and the other VLAN to the DMZ net (another interface of the firewall).

Am I then trusting too much in the VLAN security? Or it doesn't matter because is not in network layer and is not exploitable?

Any though?

Thank you!

[JP]

Greetings:

This would be a perfectly secure solution if you're using something like a managed switch from Cisco. You can control traffic flow between the vlans, or limit flow between the two entirely. AntiOnline and its associated honeypots used a similar setup back when I still owned it.

If it's a device other than a Cisco, you'd have to evaluate the platform first. Some devices have what they say are "vlans", but are not truly "vlans" in the sense that you and I are referring to them.

Of course, another solution would be to get a second interface in the router, and configure traffic flow from there. This is how AntiOnline would divert traffic to its wargame labs. If your vlans will be getting a ton of traffic, or if you want to have an extensive rule set, I'd recommend going the router route (heh).

[DerekK]

Yes, it's true, I forgot to mention that we are using 3com here. I was thinking in a 3com 4400 or something like that. All the servers I was thinking to connect this switch don't have really heavy traffic, web servers, ftp, some app server. The only thing is there is couple of NBL clusters that have to maintain heartbeat between them.

So, I will do the following, tell me if you found something wrong:

I have three interfaces firewall. One of them (A) is plugged to internet access router. The other (B) is connected to the port #1 of my 3com switch and has a public IP and the last (C) is connected to my private network. From port #1 to #12 will be the VLAN 1. In this one all the servers will have public address and will be accessible from internet through the firewall. From port #13 to #24 will be VLAN 2. In this one I will use one port to connect with the rest of my private network and the rest of ports to connect servers with IP in my private network's range.

It will be secure from point of view that if I don't allow traffic betwenn VLAN1 and VLAN2 it is not possible to go from my public net to my private one, isn't it?

[JP]

Greetings:

Ok, the English is a little rusty, so I'm not 100% sure that I understand you right.

You have a firewall with 3 ethernet interfaces, correct?

Then why are you using vlans at all?

Why not use 1 port to your router, 1 to your private lan, and 1 to your DMZ? What are you using as a firewall?

Granted, you'd need 2 switches, but they're cheap these days anyway. The only reason I see you having the configuration the way you do is to avoid buying a 2nd switch?

[DerekK]

First, sorry for my english, I know it sucks

The point is that this servers will have very dynamic assigment of roles, I mean that I will have to change it's connection from DMZ to internal quite often. This is only small part of quite big network, and it's not easy change physically the ports where the cables are plugged, because all this stuff is within a huge rack with a lot of switches, firewalls and tons of cables that are coming of the entire building. So, I was wondering if there is a way to change the servers from one net to another, secure, easy and better if remotelly...

[JP]

Greetings:

First off, your English isn't bad at all. Just can be hard to follow network configurations when someone is describing them in their second language is all....

I've never heard of anyone setting up vlans and the like because they have to change around wiring a lot?

Why don't you just wire all of those computers into a patch panel that's located in a more accessible location? Then you can just switch around the patch cables without any major effort?

[DerekK]

Yes, the thing is that you should see what i'm talking about In the last year we have installed here around 40 servers, and it's all in the same room where it used to be 6 servers. We are changing the building soon, but meanwhile we are buying more and more blades.

The network rack is almost full and we don't have space enogh for another one.

But, of course, it's possible to change the wires by hand, I only wanted to know if it is the same do it by hand or use VLANS, because it's possible to do remotelly too...

[edit] [offtopic] By the way, are you really connecting from Florida? How is it there? I hear about the big hurricane... Or it was more in the south? [/offtopic] [/edit]

[moonlight_x]

Hi glad that i found a discussion that dont mind my broken english. I have a setup just like the way John mentioned. We have a 3 interface firewall, internal, external and dmz. Internal interface connect to a switch
where all internal servers are connected. External connect to cisco router which is having the internet access. DMZ, i connect a 10BaseT Hub which connects to 3 of my Web/ internet application server.
User reports slow connection from outside into Webserver at times.

The problem that i am have is:

Is it better to use a switch to connect to the DMZ zone, despite the fact that there are only 3 server and only one of them is really public? (The other two server provide supporting services to the main server)

If i have public IP for the 3 Web/ Application server. What changes do i need to make to my cisco router
to define these public ip. So far with the router and firewall that i have, i have to run internal NAT.
My network engineer say there are no problem with the connection. But i am not quite sure about that
as from my previous reading, once he does a NAT, regardless what IP we use within DMZ, it would be internal.

INTERNET-------ROUTER..(192.168.X.X)------FW EXTERNAL(192.168.X.X)..FW INTERNAL(PUBLIC IP)

Now we are thinking of separating the web server connection from the main line as we are currently having two internet connection. (Maybe link up the two switchs via VLAN in future)

[DerekK]

Originally posted here by moonlight_x
Hi glad that i found a discussion that dont mind my broken english.

Actually I've to say that people who speak english as a first language use to be very tolerant... (including you JP ) Many people who speak other languages should learn of english speakers when someone tries to speak their language.

I have a setup just like the way John mentioned. We have a 3 interface firewall, internal, external and dmz. Internal interface connect to a switch
where all internal servers are connected. External connect to cisco router which is having the internet access. DMZ, i connect a 10BaseT Hub which connects to 3 of my Web/ internet application server.
User reports slow connection from outside into Webserver at times.

The problem that i am have is:

Is it better to use a switch to connect to the DMZ zone, despite the fact that there are only 3 server and only one of them is really public? (The other two server provide supporting services to the main server)

Slow connection no has to be ONLY because the hub. Check the collisions but check performance of the servers and of the wan connection also. The best should be if yo can borrow another switch or hub to test....

If i have public IP for the 3 Web/ Application server. What changes do i need to make to my cisco router
to define these public ip. So far with the router and firewall that i have, i have to run internal NAT.
My network engineer say there are no problem with the connection. But i am not quite sure about that
as from my previous reading, once he does a NAT, regardless what IP we use within DMZ, it would be internal.

INTERNET-------ROUTER..(192.168.X.X)------FW EXTERNAL(192.168.X.X)..FW INTERNAL(PUBLIC IP)

Now we are thinking of separating the web server connection from the main line as we are currently having two internet connection. (Maybe link up the two switchs via VLAN in future)

To have all the machines with public address you need to do the following:

Put as router's default gateway the firewall's interface which is connected with the router. Both interfaces (router internal and firewall) with private addresses.

Firewall's default gateway is router's internal interface.

If you have 3 machines in DMZ you'll need at least 4 ip address (plus net and broadcast ones) for this net. One public to the firewall's interface in the DMZ and the others for the machines.

DMZ's machines gateway is the DMZ interface of firewall.

I think don't forget anything...


If I finally build VLAN's I will tell you how was it...

[moonlight_x]

Thanks, I have change the DMZ's Hub to a 10/100 Switch and setup a mail server to buffer all the out going email (from my webserver). Now monitoring, seems stable so far.