Catalyst 3750G / Network design question

Discussion in 'Cisco' started by rozment@ughospital.com, Aug 15, 2006.

  1. Guest

    Hello and thanks,

    I have a vendor that is setting up our network and I am not sure if
    something they are doing is a good idea. I however am not Cisco
    certified so my voice carries less weight. I am looking for some
    opinions that I can pass along.

    They are setting up a 3750 with two VLANS, VLAN 100 and VLAN 200. VLAN
    100 will be in between the ISP and our firewall. VLAN 200 will be where
    all of our internal servers reside. So
    Internet>>>3750 Vlan 100>>>>firewall>>>>3750 Vlan 200(core switch with
    all servers)

    This design seems poor to me, because we are having a core switch on
    the net not protected by fwall. It seems like a DoS attack could hammer
    our core switch, since it is not protected by the firewall. Is this
    correct? Also seems like it would be easier to hack the switch which
    will give you access to the internal network. Is this correct?

    Seems like the better solution is
    Internet>>>Switch1>>>firewall>>>Switch2(core switch).

    Looking for an explanation that I can take to the meeting to have them make a
    change if necessary.

    Thanks again,
    Roy
    , Aug 15, 2006
    #1

  2. BernieM Guest

    <> wrote in message
    news:...
    > Hello and thanks,
    >
    > I have a vendor that is setting up our network and I am not sure if
    > something they are doing is a good idea. I however am not Cisco
    > certified so my voice carries less weight. I am looking for some
    > opinions that I can pass along.
    >
    > They are setting up a 3750 with two VLANS, VLAN 100 and VLAN 200. VLAN
    > 100 will be in between the ISP and our firewall. VLAN 200 will be where
    > all of our internal servers reside. So
    > Internet>>>3750 Vlan 100>>>>firewall>>>>3750 Vlan 200(core switch with
    > all servers)
    >
    > This design seems poor to me, because we are having a core switch on
    > the net not protected by fwall. It seems like a DoS attack could hammer
    > our core switch, since it is not protected by the firewall. Is this
    > correct? Also seems like it would be easier to hack the switch which
    > will give you access to the internal network. Is this correct?
    >
    > Seems like the better solution is
    > Internet>>>Switch1>>>firewall>>>Switch2(core switch).
    >
    > Looking for an explanation that I can take to the meeting to have them make a
    > change if necessary.
    >
    > Thanks again,
    > Roy
    >


    You're very right for being concerned. Their design goes against best
    practice and is simply dangerous. VLAN separation does not a firewall make
    but in their topology it has become one. Their design shows they have less
    than a basic understanding of security.

    VLAN separation isn't even a minimum level of security for 'trusted'
    internal LANs let alone the Internet.

    Your design is of course the better solution.

    BernieM
    BernieM, Aug 15, 2006
    #2

  3. Merv Guest

    ensure they implement your design with two separate switches
    Merv, Aug 15, 2006
    #3
  4. Guest

    Merv wrote:

    > ensure they implement your design with two separate switches


    The proposed installation is not best practice.


    Not that I usually object to anyone spending
    money on network equipment, however the 3750
    seems overkill for the application described -
    that is - two static VLANs.

    Consider a 2960G (all GBE) for the inside
    and a 2950 (if they still do them) for the outside,
    unless of course you have a GBE internet connection.

    I would guess that you will still have change.

    If you need Routing at wire rate then of course
    the 3750 is an excellent choice. Maybe it's PoE
    that you need.
    , Aug 15, 2006
    #4
  5. BernieM Guest

    <> wrote in message
    news:...
    >
    > Merv wrote:
    >
    >> ensure they implement your design with two separate switches

    >
    > The proposed installation is not best practice.
    >
    >
    > Not that I usually object to anyone spending
    > money on network equipment, however the 3750
    > seems overkill for the application described -
    > that is - two static VLANs.
    >
    > Consider a 2960G (all GBE) for the inside
    > and a 2950 (if they still do them) for the outside,
    > unless of course you have a GBE internet connection.
    >
    > I would guess that you will still have change.
    > If you need Routing at wire rate then of course
    > the 3750 is an excellent choice. Maybe it's PoE
    > that you need.
    >


    That's a good point bod43. Even with a base IOS in a 3750 you still have
    stub routing and other L3 features not needed where a basic L2 switch will
    do the job. Gbit is definitely questionable. Even a 2960 10/100 sounds
    sufficient. Getting back to the security .. it's disturbing that people
    that should know better are actually recommending that sort of topology.

    While I'm a 'network engineer' by profession and my job doesn't involve
    direct responsibility for 'security' I've been around enough (15+ years) to
    know that nobody that wants to be taken seriously recommends vlan separation
    as a layer of security. Its use is strictly limited to separation of
    broadcast domains. Sure you apply at least acl type restrictions when you
    need to have 'some form' of restrictions internally but never rely on vlans
    for 'security'.

    BernieM


    BernieM
    BernieM, Aug 15, 2006
    #5
  6. Guest

    Thanks all for your replies. Found an article on SANS.org recommending
    not to use Vlans as a mechanism for enforcing security. Unfortunately
    was written in 2000.

    Well thanks again for your messages,
    Roy
    , Aug 15, 2006
    #6
  7. stephen Guest

    "BernieM" <> wrote in message
    news:GGlEg.12595$...
    > <> wrote in message
    > news:...
    > >
    > > Merv wrote:
    > >
    > >> ensure they implement your design with two separate switches

    > >
    > > The proposed installation is not best practice.
    > >
    > >
    > > Not that I usually object to anyone spending
    > > money on network equipment, however the 3750
    > > seems overkill for the application described -
    > > that is - two static VLANs.
    > >
    > > Consider a 2960G (all GBE) for the inside
    > > and a 2950 (if they still do them) for the outside,
    > > unless of course you have a GBE internet connection.
    > >
    > > I would guess that you will still have change.
    > > If you need Routing at wire rate then of course
    > > the 3750 is an excellent choice. Maybe it's PoE
    > > that you need.
    > >

    >
    > That's a good point bod43. Even with a base IOS in a 3750 you still have
    > stub routing and other L3 features not needed where a basic L2 switch will
    > do the job. Gbit is definitely questionable. Even a 2960 10/100 sounds
    > sufficient. Getting back to the security .. it's disturbing that people
    > that should know better are actually recommending that sort of topology.
    >
    > While I'm a 'network engineer' by profession and my job doesn't involve
    > direct responsibility for 'security' I've been around enough (15+ years) to
    > know that nobody that wants to be taken seriously recommends vlan separation
    > as a layer of security. Its use is strictly limited to separation of
    > broadcast domains. Sure you apply at least acl type restrictions when you
    > need to have 'some form' of restrictions internally but never rely on vlans
    > for 'security'.


    if you use the Cat 6k firewall switch module, then all segregation is done
    via VLAN.....

    A lot of this came out of some tests where an engineer can build a packet to
    jump from 1 VLAN to another.

    But
    1. you need kit that doesn't stop this happening - at least the higher end
    Cisco switches (ie 3560 / 3750 / Cat 6k) are proof against this attack.
    2. the attacker needs layer 2 access to the network since they need to
    manipulate MAC headers and vlan tags - which isn't normally directly
    accessible across the Internet.

    The assumption here is that you don't have routing enabled between segregated
    vlans.

    A much more sensible reason to avoid security barriers using vlans is "ease
    of misconfiguration" - multiple secure VLANs on a switch with internal
    routing support is a recipe for future problems from finger trouble....

    FWIW we use both options at work - some "heavy" security is done by
    physically separating networks and a firewall link between them.

    But when you need lots of security zones and they are at comparable security
    levels, then using VLAN segregation is appropriate and much easier than
    managing dozens of different stackables (esp as Cisco don't make small
    switches with dual power supplies) - YMMV of course.
    >
    > BernieM
    >
    >
    > BernieM
    >

    --
    Regards

    - replace xyz with ntl
    stephen, Aug 16, 2006
    #7
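An added example, not code from any poster in this thread: a small Python audit that reads an IOS-style config and flags the two conditions stephen's post turns on, IP routing left enabled between the outside and inside VLANs (so the switch itself bypasses the firewall) and ports that will still negotiate a trunk, which is the layer 2 foothold that VLAN tag manipulation needs. The sample configs, interface names and addresses are constructed, and `no ip routing` plus `switchport nonegotiate` are assumed here as the standard Cisco corrections.

```python
# Constructed sample (not from the thread): outside VLAN 100 and inside
# VLAN 200 on one 3750-style switch with IP routing left enabled.
WEAK_CONFIG = """\
ip routing
interface Vlan100
 ip address 203.0.113.2 255.255.255.0
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
"""

# The same box after the corrections (assumed standard Cisco hardening).
FIXED_CONFIG = """\
no ip routing
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
"""

ZONE_VLANS = {100, 200}  # the two security zones from the thread


def parse_interfaces(config):
    """Return {interface name: [its indented lines]} from IOS-style text."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return sections


def audit(config):
    """List settings that let the switch, not the firewall, join the zones."""
    findings, ifaces = [], parse_interfaces(config)
    routed = {int(n[4:]) for n, l in ifaces.items()
              if n.startswith("Vlan") and any(x.startswith("ip address") for x in l)}
    if "ip routing" in config.splitlines() and ZONE_VLANS <= routed:
        findings.append("switch routes VLAN 100 <-> VLAN 200, bypassing the firewall")
    for name, lines in ifaces.items():
        if any("mode dynamic" in x for x in lines) or (
                "switchport mode trunk" in lines and "switchport nonegotiate" not in lines):
            findings.append(f"{name}: DTP negotiation on; set a static mode and nonegotiate")
    return findings
```

Run `audit(WEAK_CONFIG)` to see both findings and `audit(FIXED_CONFIG)` to confirm an empty list; the same parser works on a real `show running-config` dump since `!` separators and global commands simply end the current interface block.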
