Catalyst 3750G / Network design question

rozment@ughospital.com
08-15-2006
Hello and thanks,

I have a vendor that is setting up our network and I am not sure if
something they are doing is a good idea. I however am not Cisco
certified so my voice carries less weight. I am looking for some
opinions that I can pass along.

They are setting up a 3750 with two VLANs, VLAN 100 and VLAN 200. VLAN
100 will be in between the ISP and our firewall. VLAN 200 will be where
all of our internal servers reside. So
Internet>>>3750 Vlan 100>>>>firewall>>>>3750 Vlan 200 (core switch with
all servers)

This design seems poor to me, because we are having a core switch on
the net not protected by the firewall. It seems like a DoS attack could hammer
our core switch, since it is not protected by the firewall. Is this
correct? Also it seems like it would be easier to hack the switch, which
will give you access to the internal network. Is this correct?

Seems like the better solution is
Internet>>>Switch1>>>firewall>>>Switch2 (core switch).

Looking for an explanation that I can take to the meeting to have them make a
change if necessary.

Thanks again,
Roy

 
BernieM
08-15-2006

You're very right for being concerned. Their design goes against best
practice and is simply dangerous. VLAN separation does not a firewall make
but in their topology it has become one. Their design shows they have less
than a basic understanding of security.

VLAN separation isn't even a minimum level of security for 'trusted'
internal LANs let alone the Internet.

Your design is of course the better solution.

BernieM


 
Merv
08-15-2006
Ensure they implement your design with two separate switches.

 
Bod43@hotmail.co.uk
08-15-2006

Merv wrote:

> ensure they implement your design with two separate switches


The proposed installation is not best practice.


Not that I usually object to anyone spending
money on network equipment, however the 3750
seems overkill for the application described -
that is - two static VLANs.

Consider a 2960G (all GBE) for the inside
and a 2950 (if they still do them) for the outside,
unless of course you have a GBE internet connection.

I would guess that you will still have change.

If you need routing at wire rate then of course
the 3750 is an excellent choice. Maybe it's PoE
that you need.

 
BernieM
08-15-2006
That's a good point bod43. Even with a base IOS in a 3750 you still have
stub routing and other L3 features not needed where a basic L2 switch will
do the job. Gbit is definitely questionable. Even a 2960 10/100 sounds
sufficient. Getting back to the security .. it's disturbing that people
that should know better are actually recommending that sort of topology.

While I'm a 'network engineer' by profession and my job doesn't involve
direct responsibility for 'security', I've been around enough (15+ years) to
know that nobody that wants to be taken seriously recommends VLAN separation
as a layer of security. Its use is strictly limited to separation of
broadcast domains. Sure, you apply at least ACL type restrictions when you
need to have 'some form' of restrictions internally, but never rely on VLANs
for 'security'.

BernieM


rozment@ughospital.com
08-15-2006
Thanks all for your replies. I found an article on SANS.org recommending
not to use VLANs as a mechanism for enforcing security. Unfortunately it
was written in 2000.

Well thanks again for your messages,
Roy

 
stephen
08-16-2006

If you use the Cat 6k firewall switch module, then all segregation is done
via VLAN.....

A lot of this came out of some tests where an engineer can build a packet to
jump from one VLAN to another.

But
1. you need kit that doesn't stop this happening - at least the higher end
Cisco switches (i.e. 3560 / 3750 / Cat 6k) are proof against this attack.
2. the attacker needs layer 2 access to the network since they need to
manipulate MAC headers and VLAN tags - which isn't normally directly
accessible across the Internet.

The assumption here is that you don't have routing enabled between segregated
VLANs.

A much more sensible reason to avoid security barriers using VLANs is "ease
of misconfiguration" - multiple secure VLANs on a switch with internal
routing support is a recipe for future problems from finger trouble....

FWIW we use both options at work - some "heavy" security is done by
physically separating networks and a firewall link between them.

But when you need lots of security zones and they are at comparable security
levels, then using VLAN segregation is appropriate and much easier than
managing dozens of different stackables (esp. as Cisco don't make small
switches with dual power supplies) - YMMV of course.
--
Regards
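As an added example (not from the thread or from any poster), the "ease of misconfiguration" point above can be turned into a check: a small Python audit that reads an IOS-style running config and flags the two conditions that would let one 3750 carrying VLAN 100 (outside) and VLAN 200 (inside) join the zones itself, namely `ip routing` with SVIs on both VLANs, and trunk ports allowed to carry both. The config text is constructed and the function names are my own.

```python
import re

# Constructed sample (not from the thread): one 3750 carrying the outside
# VLAN 100 and inside VLAN 200, with routing enabled and SVIs on both.
SAMPLE_CONFIG = """\
ip routing
interface Vlan100
 ip address 203.0.113.2 255.255.255.0
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 200
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented config lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # any unindented line ends the interface block
    return blocks

def trunk_carries(lines, vlan):
    """True if a trunk port carries `vlan` (IOS default: all VLANs allowed)."""
    for l in lines:
        m = re.match(r"switchport trunk allowed vlan (.+)", l)
        if m:
            return str(vlan) in [v.strip() for v in m.group(1).split(",")]
    return True

def audit(config, outside_vlan, inside_vlan):
    """Return findings where the switch itself could bridge the two zones."""
    ifaces = parse_interfaces(config)
    routing = re.search(r"^ip routing\s*$", config, re.M) is not None
    def has_svi(v): return any(l.startswith("ip address") for l in ifaces.get(f"Vlan{v}", []))
    findings = []
    if routing and has_svi(outside_vlan) and has_svi(inside_vlan):
        findings.append(f"ip routing with SVIs on Vlan{outside_vlan} and Vlan{inside_vlan}: "
                        "switch can forward between zones, bypassing the firewall")
    for name, lines in ifaces.items():
        if "switchport mode trunk" in lines and all(
                trunk_carries(lines, v) for v in (outside_vlan, inside_vlan)):
            findings.append(f"{name}: trunk carries both Vlan{outside_vlan} and Vlan{inside_vlan}")
    return findings
```

Run `audit(SAMPLE_CONFIG, 100, 200)` against a saved `show running-config`; the second trunk, restricted to VLAN 200, is correctly left unflagged.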


 