
Thread: Tagged/Trunk VLAN DMZ?

  1. #1 Senior Member (Join Date: Jul 2004, Posts: 177)

    Tagged/Trunk VLAN DMZ?

    Hi, I'm planning a network which will have several networks connected through a Nokia IP Firewall. These networks are implemented on 3Com switches. Since the servers are distributed across several switches, I was wondering if it would be possible to build these "DMZs" with trunks/tagged VLANs and then connect them to the Nokia. Would you consider this design secure? In other words, is it possible to bypass the firewall and have two tagged VLANs communicate directly?

    Thank you for your thoughts.

    Derekk.

  2. #2 Junior Member (Join Date: May 2003, Posts: 6)
    The IP1260 seems to be the only Nokia firewall that supports VLAN tagging.

  3. #3 Senior Member (Join Date: Jul 2004, Posts: 177)
    Hi, while Nelson is probably right, that shows me how badly I explained my question. It may be my awful English.

    I attach an image that I hope will help me explain the issue. The small rectangles are supposed to be switch/firewall ports; the single-colour ones are "untagged" members of the VLAN (in 3Com terminology) and the two-colour ones are "tagged" members.

    Now, let's suppose I want server1 to communicate with server2. The only way to do this is to go through the firewall, as marked with the dotted red line, right? And this is secure enough to use with all kinds of networks, including the ones that are exposed to the Internet, right?

    Ok, I hope I made myself clear now.

    Thank you.
    Attached Files
    Last edited by DerekK; March 30th, 2007 at 09:50 AM.

  4. #4 Senior Member (Join Date: Jul 2004, Posts: 177)

    Any thoughts?

  5. #5 Nokia, Right turn Clyde (Join Date: Aug 2003, Location: Button Moon, Posts: 1,696)
    That's an awful diagram but I think I can see what you are trying to do.

    It's never a good idea to span a DMZ over multiple switches via a VLAN if you have alternatives. VLANs should really be looked at as administrative aids and not security aids. Sure, they serve security purposes, but this is a by-product of the way they work; they were not designed with security in mind when they were first thought of.

    Ideally you would have a dedicated switch (or switches) attached to the DMZ interface(s) on your firewall and connect all DMZ hosts directly to it. This way you keep the entire DMZ segregated from everything else rather than sharing switches with other LAN hosts/traffic.

    It is possible to do it the way you want, and if it was only internal departments etc. that you needed to separate then it would be ideal, but I wouldn't do it to segregate a DMZ personally, as there is a physical route from the DMZ to your main LAN: you will be relying on VLAN tagging alone to provide security. By using separate switches you take the physical route away, hence there is no method of getting to the main LAN from the DMZ, providing your firewall ACLs are correct.

    There would also be a huge administrative overhead to deal with, which all adds to the complexity of it. Do you construct the VLANs via switch ports or MAC addresses? If switch ports, all that would need to happen is for one person to accidentally plug a host into the wrong port and your DMZ host is on the main LAN. If MAC addresses, all it would take is for one DMZ host to be rooted properly; then an attacker can start flooding the switch with MAC addresses and potentially destroy the VLAN tagging, create a DoS effect, log on to the switch, alter the host's MAC address, etc. etc. etc. All of this would have an impact on your main LAN and switching speed, not to mention that one small misconfiguration anywhere in the entire setup could create a security issue.
    Last edited by Nokia; April 3rd, 2007 at 09:27 AM.
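As an added example (not from the thread, and not any vendor's code), here is a small Python model of 802.1Q tagging using the port roles DerekK describes: an "untagged member" of a VLAN behaves as an access port with that VLAN as its PVID, a "tagged member" carries the VLAN with an 802.1Q tag over the uplink. It shows what "relying on VLAN tagging alone" means in practice: a plain frame from server1 never reaches server2 except via the firewall, but a host left in the trunk's native VLAN can push a double-tagged frame across the trunk and land in server2's VLAN without passing the firewall (the well-known 802.1Q double-tagging hazard). The model assumes one behaviour the thread does not state, that an access port accepts a tagged frame whose tag equals its own PVID, which is how many switches behave. The switches, port names, MAC addresses and VLAN numbers are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed locally-administered MAC addresses for the example hosts.
SERVER1 = bytes.fromhex("020000000001")
SERVER2 = bytes.fromhex("020000000002")
ATTACKER = bytes.fromhex("02000000000a")


def build_frame(dst, src, payload, vlans=()):
    """Ethernet II frame; `vlans` lists the 802.1Q tags to push, outermost first."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)  # TCI with PCP/DEI = 0
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def tags_of(frame):
    """VLAN IDs carried in the frame header, outermost first (empty list if untagged)."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return tags


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vid) + frame[12:]


class Port:
    """3Com terms: 'untagged member' == the port's PVID VLAN; 'tagged member' == a VLAN
    the port carries with an 802.1Q tag (trunk style)."""

    def __init__(self, name, pvid, tagged=()):
        self.name, self.pvid, self.tagged = name, pvid, set(tagged)

    def ingress(self, frame):
        """Classify an arriving frame: (vlan, frame with that tag removed) or None if dropped."""
        tags = tags_of(frame)
        if not tags:
            return self.pvid, frame                 # untagged frame -> PVID
        vid = tags[0]
        if vid in self.tagged or vid == self.pvid:  # assumption: tag equal to PVID is accepted
            return vid, pop_tag(frame)             # only the OUTER tag is consumed here
        return None                                 # VLAN not allowed on this port

    def egress(self, vlan, frame):
        if vlan in self.tagged:
            return push_tag(frame, vlan)            # tagged member: send with tag
        if vlan == self.pvid:
            return frame                            # untagged member / native: send without tag
        return None


class Switch:
    def __init__(self, *ports):
        self.ports = {p.name: p for p in ports}

    def forward(self, in_port, frame):
        """Flood to every other member port of the frame's VLAN (no MAC learning, for brevity)."""
        hit = self.ports[in_port].ingress(frame)
        if hit is None:
            return {}
        vlan, inner = hit
        out = {}
        for name, port in self.ports.items():
            if name != in_port:
                f = port.egress(vlan, inner)
                if f is not None:
                    out[name] = f
        return out


def build_network(trunk_native):
    """Two switches as in the thread: VLAN 10 holds server1 and the firewall's DMZ port,
    VLAN 20 holds server2 on the other switch; the trunk carries both as tagged members."""
    sw_a = Switch(Port("a1", pvid=10),                      # server1, untagged member of VLAN 10
                  Port("a2", pvid=20),                      # some VLAN 20 host on the same switch
                  Port("a3", pvid=1),                       # a host left in the default VLAN 1
                  Port("fw", pvid=10),                      # firewall DMZ interface, untagged VLAN 10
                  Port("trunk", pvid=trunk_native, tagged=(10, 20)))
    sw_b = Switch(Port("trunk", pvid=trunk_native, tagged=(10, 20)),
                  Port("b1", pvid=20))                      # server2, untagged member of VLAN 20
    return sw_a, sw_b


def deliver(sw_a, sw_b, in_port, frame):
    """Forward on switch A; whatever leaves A's trunk arrives on B's trunk. Returns the
    sorted output port names on each switch."""
    out_a = sw_a.forward(in_port, frame)
    out_b = sw_b.forward("trunk", out_a["trunk"]) if "trunk" in out_a else {}
    return sorted(out_a), sorted(out_b)


def scenario_plain():
    """server1 -> server2 with a normal frame: reaches the firewall port and the trunk only."""
    sw_a, sw_b = build_network(trunk_native=1)
    return deliver(sw_a, sw_b, "a1", build_frame(SERVER2, SERVER1, b"hello"))


def scenario_double_tag():
    """Host in the trunk's native VLAN sends outer tag 1 / inner tag 20: reaches server2 directly."""
    sw_a, sw_b = build_network(trunk_native=1)
    return deliver(sw_a, sw_b, "a3", build_frame(SERVER2, ATTACKER, b"hello", vlans=(1, 20)))


def scenario_hardened():
    """Same frame, but the trunk's native VLAN is an unused VLAN: dropped at the first switch."""
    sw_a, sw_b = build_network(trunk_native=999)
    return deliver(sw_a, sw_b, "a3", build_frame(SERVER2, ATTACKER, b"hello", vlans=(1, 20)))


if __name__ == "__main__":
    print("plain      :", scenario_plain())
    print("double-tag :", scenario_double_tag())
    print("hardened   :", scenario_hardened())
```

The double-tag case works only because the first switch strips the outer tag (its native VLAN) and forwards the inner tag untouched; moving the trunk's native VLAN to a VLAN no access port uses, or tagging the native VLAN on the trunk, removes that path. The MAC-flooding failure Nokia describes is a separate problem and is not modelled here.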

  6. #6 Senior Member (Join Date: Jul 2004, Posts: 177)

    > That's an awful diagram but I think I can see what you are trying to do.
    Ok, I know I'm not Picasso, but come on!

    > There would also be a huge administrative overhead to deal with, which all adds to the complexity of it
    That's true... But I consider worse the overhead of changing wires every time you change the role of a server (if you are in a dynamic environment).

    Anyway, your explanation was very good and I appreciate it. I will reconsider using VLAN propagation for isolated networks, as you mentioned.

    Thank you very much!!!!

    [OT] I would really appreciate an example diagram to explain the VLAN propagation idea. [/OT]

  7. #7 Senior Member (Join Date: Jul 2004, Posts: 177)

    BTW, what about untagged VLANs? Could you consider using those and propagating them via wired uplinks?
