Vlans on a switch for Public and Private networks

Discussion in 'Cisco' started by daniel, Mar 8, 2005.

  1. daniel

    daniel (Guest)

    Hi,

    At a small company we want to use a switch (2950) to do our private
    network, but also vlan off 4 ports to do handle the internet
    connection / public network.

    So of the 4 "Public network" vlan ports, one is the internet
    connection from the ISP and 3 others are their firewall and 2 public
    servers.

    So the firewall has one cable from the "public network" VLAN and one
    cable from the "internal network" VLAN. But the whole thing is cabled
    from one switch.

    Is that a good idea? Are we more open to security issues than if we
    have the usual router before the switch?

    Hope that makes sense.

    Many Thanks,

    Daniel.
     
    daniel, Mar 8, 2005
    #1

  2. Brian V

    Brian V (Guest)

    "daniel" <> wrote in message
    news:...
    > Hi,
    >
    > At a small company we want to use a switch (2950) to do our private
    > network, but also vlan off 4 ports to do handle the internet
    > connection / public network.
    >
    > So of the 4 "Public network" vlan ports, one is the internet
    > connection from the ISP and 3 others are their firewall and 2 public
    > servers.
    >
    > So the firewall has one cable from the "public network" VLAN and one
    > cable from the "internal network" VLAN. But the whole thing is cabled
    > from one switch.
    >
    > Is that a good idea? Are we more open to security issues than if we
    > have the usual router before the switch?
    >
    > Hope that makes sense.
    >
    > Many Thanks,
    >


    Hi Daniel,

    Yes, you are opening yourself to all kinds of security problems. VLAN hopping
    for one. Best practices would move all but 2 of those ports away from the
    outside: router Ethernet and firewall outside. Servers should never be
    "public" (unless it's a bastion device) and should be protected by the
    firewall and put on a DMZ. The outside ports should be on their own switch,
    not on a shared switch.

    -Brian
     
    Brian V, Mar 8, 2005
    #2

  3. Walter Roberson

    In article <>,
    Brian V <> wrote:
    :Yes, you are opening yourself to all kinds of security problems. VLAN hopping
    :for one.

    Cisco fixed all the VLAN hopping problems years ago. Your switch
    has to be misconfigured for such an attack to work (but watch
    out for double encapsulation.)

    http://www.cisco.com/application/pd.../ps708/c1697/ccmigration_09186a008012ed31.pdf


    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
     
    Walter Roberson, Mar 8, 2005
    #3
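Editor's note, as an added illustration that is not part of the thread and not Cisco's text: the "misconfigured" condition Walter refers to is, on a 2950, mostly the factory default. The 2950's ports come up in dynamic desirable mode, so any host that speaks DTP can negotiate its port into a trunk and reach every VLAN on the switch; and double encapsulation (a frame carrying two 802.1Q tags) only gets through when a trunk's native VLAN is also an access VLAN some host sits in. The configuration below, written for Daniel's layout, removes both conditions. VLAN numbers, interface ranges, and descriptions are assumptions chosen for the example.

```cisco
! Added example for a Catalyst 2950, not from the original thread.
! VLAN numbers and interface ranges are assumed for illustration.
!
! Internal LAN on VLAN 10, outside/public segment on VLAN 20, and one VLAN
! that carries no hosts: it serves as trunk native VLAN and as the parking
! lot for unused ports. Nothing is left in VLAN 1.
vlan 10
 name INTERNAL
vlan 20
 name OUTSIDE
vlan 999
 name UNUSED_NATIVE
!
! The four outside ports: ISP hand-off, firewall outside interface, two
! public servers. Hard-coded access mode plus "nonegotiate" stops DTP, so a
! device on one of these ports cannot talk itself into a trunk.
interface range FastEthernet0/1 - 4
 description OUTSIDE: ISP, firewall-outside, public servers
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Internal ports, including the firewall's inside interface: same treatment.
interface range FastEthernet0/5 - 20
 description INTERNAL
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Unused ports: shut down and parked in the dead VLAN.
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Only relevant if a trunk to a second switch is ever added. The native VLAN
! is one no host lives in and is not carried as a user VLAN, so a
! double-tagged frame from an access port has no native VLAN to ride in on;
! the allowed list keeps the trunk from carrying anything else.
interface GigabitEthernet0/1
 description TRUNK to second switch (if any)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

To check the result, `show interfaces FastEthernet0/1 switchport` should report "Administrative Mode: static access" and "Negotiation of Trunking: Off" for every outside port; any port still showing "dynamic desirable" is the hole. Keep the switch's management SVI on the internal VLAN (not on VLAN 20) so the switch itself is not administrable from the public side. None of this addresses Brian's remaining point: with one switch, a single mis-set port, a compromised switch, or a bad firmware day still joins the two sides, which a physically separate outside switch does not allow.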
