«

Hi,

At a small company we want to use a switch (2950) to do our private
network, but also vlan off 4 ports to do handle the internet
connection / public network.

So of the 4 "Public network" vlan ports, one is the internet
connection from the ISP and 3 others are their firewall and 2 public
servers.

So the firewall has one cable from the "public network" VLAN and one
cable from the "internal network" VLAN. But the whole thing is cabled
from one switch.

Is that a good idea? Are we more open to security issues than if we
have the usual router before the switch?

Hope that makes sense.

Many Thanks,

Daniel.

"daniel" <> wrote in message
news: om...
> Hi,
>
> At a small company we want to use a switch (2950) to do our private
> network, but also vlan off 4 ports to do handle the internet
> connection / public network.
>
> So of the 4 "Public network" vlan ports, one is the internet
> connection from the ISP and 3 others are their firewall and 2 public
> servers.
>
> So the firewall has one cable from the "public network" VLAN and one
> cable from the "internal network" VLAN. But the whole thing is cabled
> from one switch.
>
> Is that a good idea? Are we more open to security issues than if we
> have the usual router before the switch?
>
> Hope that makes sense.
>
> Many Thanks,
>

Hi Daniel,

Yes, you are opening yourself to all kinds of security problems. VLAN hoping
for 1. Best practices would move all but 2 of those ports away from the
outside. Router ethernet and Firewall outside. Servers should never be
"public" (unless it's a bastion device) and should be protected by the
firewall and put on a DMZ. The outside ports should be on their own switch,
not on a shared switch.

-Brian

In article <zdOdnZUEaNNUMLDfRVn->,
Brian V <> wrote:
:Yes, you are opening yourself to all kinds of security problems. VLAN hoping
:for 1.

Cisco fixed all the vlan hopping problems years ago. Your switch
has to be misconfigured for such an attack to work (but watch
otu for double encapsulation.)

http://www.cisco.com/application/pdf...008012ed31.pdf


--
'The short version of what Walter said is "You have asked a question
which has no useful answer, please reconsider the nature of the
problem you wish to solve".' -- Tony Mantler