Security Basics mailing list archives
RE: Firewall and VLAN security design
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 1 Nov 2004 11:13:26 -0800
Is it ok to use a multi-homed firewall, or should I consider 2 physical firewalls? What would be the threat of using one?
The slight marginal improvement in security from using two firewalls (of different manufacturers, and preferably different technologies) is offset by the extra cost and complexity. In general, the multi-homed firewall solution is more than sufficient.
Is VLAN segmentation enough to segment between the internet, DMZ and the internal network, or should I also use different switches for each, connected through the firewall?
This is a FAQ, and the usual answer is that no, VLAN separation is not a robust security barrier, and separate switches are recommended where the different subnets need separation for security reasons.

David Gillett
-----Original Message-----
From: Ahmed Ameen [mailto:ahmedameen () gmail com]
Sent: Saturday, October 30, 2004 5:46 PM
To: security-basics () securityfocus com
Subject: Firewall and VLAN security design

Hi All,

Currently we are redesigning our LAN to include a DMZ zone, and we need to reach the best security design.

The available equipment is:
1- PIX with 3 NICs
2- L3 Switch
3- N-IDS

My preliminary design is as follows:

Internet
   |
   |
--------
|PIX   |____DMZ
|      |
--------
   |
   |
  LAN

Internet
   |
   |
--------
|NIDS  |____DMZ
|      |
--------
   |
   |
  LAN

Internet VLAN1
   |
   |
---------------
|L3 Switch    |____DMZ VLAN2
|             |
---------------
   |
   |
  LAN VLAN3

My questions would be:

Is it ok to use a multi-homed firewall, or should I consider 2 physical firewalls? What would be the threat of using one?

Is VLAN segmentation enough to segment between the internet, DMZ and the internal network, or should I also use different switches for each, connected through the firewall?

Thanks
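The second answer above (VLANs are not a robust barrier) rests on the switch configuration: a port left in its default DTP mode can be talked into becoming a trunk, a trunk whose untagged native VLAN is also a data VLAN allows double-tagged frames across it, and a trunk that carries every VLAN hands all three zones to whoever controls the far end. If the three-VLAN L3-switch design from the original post is kept, those are the settings to audit. The script below is an added example, not code from this thread or from Cisco; it parses an IOS-style configuration (the sample text is constructed for the example, and the interface and VLAN names are assumptions) and reports those three conditions.

```python
"""Audit an IOS-style switch configuration for settings that weaken
VLAN-based separation between Internet, DMZ and LAN segments.

Added example for the thread above; it is not code from the list or
from any vendor. SAMPLE_CONFIG is constructed for the example and the
interface/VLAN names in it are assumptions.
"""

# Constructed sample: three zones on one L3 switch, as in the original
# post's third diagram. Some interfaces are deliberately misconfigured
# so the audit has something to report.
SAMPLE_CONFIG = """\
vlan 10
 name INTERNET
vlan 20
 name DMZ
vlan 30
 name LAN
interface FastEthernet0/1
 description uplink to PIX outside
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 description DMZ web server (no switchport mode: DTP left at default)
 switchport access vlan 20
interface FastEthernet0/3
 description LAN host
 switchport mode access
 switchport access vlan 30
 switchport nonegotiate
interface GigabitEthernet0/1
 description trunk to distribution (native VLAN is the DMZ data VLAN)
 switchport mode trunk
 switchport trunk native vlan 20
interface GigabitEthernet0/2
 description trunk to core (hardened)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
"""


def parse_interfaces(config):
    """Return {interface_name: [stanza lines]} for each 'interface' block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # back at global config (vlan blocks etc.)
    return interfaces


def audit_interface(name, lines, data_vlans):
    """Return [(interface, severity, message)] findings for one stanza."""
    mode, native, nonegotiate, allowed = None, 1, False, None  # IOS defaults
    for l in lines:
        if l.startswith("switchport mode "):
            mode = l.split()[-1]
        elif l.startswith("switchport trunk native vlan "):
            native = int(l.split()[-1])
        elif l == "switchport nonegotiate":
            nonegotiate = True
        elif l.startswith("switchport trunk allowed vlan "):
            allowed = l.split()[-1]

    findings = []
    if mode is None:
        # Default mode is dynamic: a host sending DTP can negotiate a trunk
        # and then tag frames into any VLAN on the switch.
        findings.append((name, "HIGH", "no 'switchport mode' set; DTP can "
                         "negotiate a trunk, set 'switchport mode access'"))
    if mode == "trunk":
        if native in data_vlans:
            # Untagged native VLAN shared with a data VLAN enables
            # double-tagged (802.1Q-in-802.1Q) frames to cross the trunk.
            findings.append((name, "HIGH", "native VLAN %d carries hosts; "
                             "use an unused VLAN as native" % native))
        if allowed is None:
            findings.append((name, "MEDIUM", "trunk allows all VLANs; "
                             "restrict with 'switchport trunk allowed vlan'"))
        if not nonegotiate:
            findings.append((name, "LOW", "DTP still enabled on trunk; "
                             "add 'switchport nonegotiate'"))
    return findings


def audit_config(config):
    """Audit every interface; VLAN 1 always counts as a data VLAN because
    unconfigured ports land there."""
    interfaces = parse_interfaces(config)
    data_vlans = {1}
    for lines in interfaces.values():
        for l in lines:
            if l.startswith("switchport access vlan "):
                data_vlans.add(int(l.split()[-1]))
    findings = []
    for name, lines in interfaces.items():
        findings.extend(audit_interface(name, lines, data_vlans))
    return findings


if __name__ == "__main__":
    for iface, sev, msg in audit_config(SAMPLE_CONFIG):
        print("%-6s %-20s %s" % (sev, iface, msg))
```

On the sample the two access ports with an explicit mode pass, FastEthernet0/2 is flagged for DTP, GigabitEthernet0/1 collects the native-VLAN, allowed-VLAN and DTP findings, and the hardened GigabitEthernet0/2 is clean. A clean report only means the configuration is as good as VLANs get; it does not change the advice above that separate switches are the safer choice where the zones must stay apart.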
Current thread:
- Firewall and VLAN security design Ahmed Ameen (Nov 01)
- RE: Firewall and VLAN security design David Gillett (Nov 01)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 02)
- RE: Firewall and VLAN security design David Gillett (Nov 03)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 02)
- <Possible follow-ups>
- RE: Firewall and VLAN security design Ivan Coric (Nov 03)
- RE: Firewall and VLAN security design Jonathan Loh (Nov 03)
- RE: Firewall and VLAN security design Paul Benedek (Nov 03)
- RE: Firewall and VLAN security design Bryan S. Sampsel (Nov 03)
- RE: Firewall and VLAN security design Ghaith Nasrawi (Nov 12)
- RE: Firewall and VLAN security design Ivan Coric (Nov 03)
- RE: Firewall and VLAN security design David Gillett (Nov 01)