-
March 29th, 2007, 09:24 AM
#1
Senior Member
Tagged/Trunk VLAN DMZ?
Hi, I'm planning a network which will have several networks connected through a Nokia IP Firewall. These networks are implemented on 3com switches. Since the servers are distributed across several switches, I was wondering if it would be possible to build these "DMZ"s with trunks/tagged VLANs and then connect them to the Nokia. Would you consider this design secure? In other words, is it possible to bypass the firewall and communicate directly between two tagged VLANs?
Thank you for your thoughts.
Derekk.
-
March 29th, 2007, 10:09 PM
#2
Junior Member
The IP1260 seems to be the only Nokia firewall that supports VLAN tagging.
-
March 30th, 2007, 09:43 AM
#3
Senior Member
-
April 2nd, 2007, 03:17 PM
#4
Senior Member
-
April 3rd, 2007, 09:15 AM
#5
That's an awful diagram but I think I can see what you are trying to do.
It's never a good idea to span a DMZ over multiple switches via a VLAN if you have alternatives. VLANs should really be looked at as administrative aids and not security aids. Sure, they serve security purposes, but this is a by-product of the way they work; they were not designed with security in mind when they were first thought of.
Ideally you would have a dedicated switch (or switches) attached to the DMZ interface(s) on your firewall and connect all DMZ hosts directly to this. This way you keep the entire DMZ segregated from everything else rather than sharing switches with other LAN hosts/traffic.
It is possible to do it the way you want, and if it was only internal departments etc. that you needed to separate then it would be ideal, but I wouldn't do it to segregate a DMZ personally, as there is a physical route from the DMZ to your main LAN - you will be relying on VLAN tagging alone to provide security. By using separate switches you take the physical route away, hence there is no method of getting to the main LAN from the DMZ, provided your firewall ACLs are correct.
There would also be a huge administrative overhead to deal with, which all adds to the complexity of it. Do you construct the VLANs via switch ports or MAC addresses? If switch ports, all that would need to happen is for one person to accidentally plug it into the wrong port and then your DMZ host is on the main LAN. If using MAC addresses, all it would take is for one DMZ host to be rooted properly; then an attacker can start flooding the switch with MAC addresses and potentially destroy the VLAN tagging, create a DoS effect, log on to the switch, alter the host's MAC address, etc. All of this would have an impact on your main LAN and switching speed, not to mention that one small misconfiguration anywhere in the entire setup could create a security issue.
Last edited by Nokia; April 3rd, 2007 at 09:27 AM.
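The failure modes in the post above (DMZ and LAN hosts sharing a switch, a trunk that carries both DMZ and LAN tags, a DMZ port with no MAC address limit so a flood from one rooted host hits the whole switch) can be checked for mechanically. The script below is an added example and not code from the thread or from 3com/Nokia: it parses a constructed switch configuration written in a Cisco-IOS-like syntax (the thread's 3com and Nokia gear is not modelled), and the port names, VLAN numbers and the `switchport port-security maximum` command are assumptions chosen for the example.

```python
"""Audit a switch configuration for the DMZ-over-VLAN pitfalls discussed in the thread.

Everything here is constructed for the example: the config text uses a
Cisco-IOS-like syntax, and the VLAN numbers and port names are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

DMZ_VLANS: Set[int] = {100}      # assumed: VLAN 100 carries the DMZ
LAN_VLANS: Set[int] = {10, 20}   # assumed: internal LAN VLANs

# Constructed sample config: one switch carrying both DMZ and LAN ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core (shared trunk)
 switchport mode trunk
 switchport trunk allowed vlan all
interface GigabitEthernet0/2
 description web01 (DMZ)
 switchport mode access
 switchport access vlan 100
 switchport port-security maximum 1
interface GigabitEthernet0/3
 description finance workstation
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet0/4
 description db01 (DMZ)
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet0/5
 description trunk to DMZ-only switch
 switchport mode trunk
 switchport trunk allowed vlan 100
 switchport port-security maximum 1
"""


@dataclass
class Port:
    name: str
    mode: str = "access"
    access_vlan: int = 1
    allowed: Union[Set[int], str] = "all"   # VLAN ids a trunk carries, or "all"
    mac_limit: Optional[int] = None         # port-security maximum, if configured


VLAN_RANGE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(spec: str) -> Union[Set[int], str]:
    """Turn '1,10-12,100' into a set of VLAN ids; 'all' stays the string 'all'."""
    if spec.strip() == "all":
        return "all"
    vlans: Set[int] = set()
    for chunk in spec.split(","):
        m = VLAN_RANGE.match(chunk.strip())
        if not m:
            raise ValueError(f"bad VLAN list: {spec!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_config(text: str) -> Dict[str, Port]:
    """Collect the switchport settings of each 'interface' stanza."""
    ports: Dict[str, Port] = {}
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports[cur.name] = cur
        elif cur is None or not line:
            continue
        elif line.startswith("switchport mode "):
            cur.mode = line.split()[-1]
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.split()[-1])
        elif line.startswith("switchport trunk allowed vlan "):
            cur.allowed = parse_vlan_list(line[len("switchport trunk allowed vlan "):])
        elif line.startswith("switchport port-security maximum "):
            cur.mac_limit = int(line.split()[-1])
    return ports


def vlans_on(port: Port) -> Set[int]:
    """VLANs whose frames this port will carry; an unpruned trunk carries every known VLAN."""
    if port.mode == "access":
        return {port.access_vlan}
    if port.allowed == "all":
        return set(DMZ_VLANS | LAN_VLANS)
    return set(port.allowed)


def audit(ports: Dict[str, Port]) -> List[str]:
    """Return one finding per pitfall: shared switch, shared trunk, unpruned trunk, no MAC limit."""
    findings: List[str] = []
    dmz_ports: Set[str] = set()
    lan_ports: Set[str] = set()
    for p in ports.values():
        carried = vlans_on(p)
        has_dmz = bool(carried & DMZ_VLANS)
        has_lan = bool(carried & LAN_VLANS)
        if has_dmz:
            dmz_ports.add(p.name)
        if has_lan:
            lan_ports.add(p.name)
        if p.mode == "trunk" and p.allowed == "all":
            findings.append(f"{p.name}: trunk allows all VLANs; prune it to the VLANs it must carry")
        if p.mode == "trunk" and has_dmz and has_lan:
            findings.append(f"{p.name}: DMZ and LAN VLANs share one trunk (tagging is the only barrier)")
        if has_dmz and p.mac_limit is None:
            findings.append(f"{p.name}: carries the DMZ VLAN with no MAC address limit")
    if dmz_ports and lan_ports:
        findings.append("switch: DMZ and LAN hosts share this switch (a physical path exists)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the constructed config, the audit flags the shared uplink three times (unpruned, carrying both DMZ and LAN tags, no MAC limit), the DMZ host on Gi0/4 for its missing MAC limit, and the switch itself for mixing DMZ and LAN ports; the DMZ-only trunk on Gi0/5 and the limited port Gi0/2 produce nothing, which is the shape a dedicated DMZ switch would give.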
-
April 3rd, 2007, 10:56 AM
#6
Senior Member
That's an awful diagram but I think I can see what you are trying to do.
Ok, I know I'm not Picasso, but come on!
There would also be a huge administrative over head to deal with which all adds to the complexity of it
That's true... But I consider worse the overhead of changing wires every time you change the role of a server (if you are in a dynamic environment).
Anyway, your explanation was very good and I appreciate that. I will reconsider using VLAN propagation for isolated networks as you mentioned.
Thank you very much!!!!
[OT] I would really appreciate an example diagram to explain the VLAN propagation idea. [/OT]
-
April 3rd, 2007, 12:31 PM
#7
Senior Member
BTW, what about untagged VLANs? Could you consider using those and propagating them via wired uplinks?