Firewall Wizards mailing list archives
Re: DMZ - the physical layer
From: "Aaron D. Turner" <aturner () vicinity com>
Date: Mon, 13 Mar 2000 09:57:54 -0800 (PST)
Not sure if it is still true, but Bay Switches used to have a problem enforcing VLAN's when two ports had the same client MAC (as often is the case of Sun's). This can be a major security problem. Cisco I know doesn't have this problem, but most security people will argue against using VLAN's for security. Most people recommend different physical switches.

--
Aaron Turner
aturner () vicinity com
650.237.0300 x252
Security Engineer, Vicinity Corp.
Cell: 408-314-9874
Pager: 650-317-1821
http://www.vicinity.com

On Tue, 7 Mar 2000, John White wrote:
I was looking through the archives of the greatcircle firewall list and came across some opinions regarding the construction of DMZ's. I'm using Baystack 450's as my backbone switches. Bay 450's have a virtual lan function which can be used to limit a collision domain to specific ports. I was planning on using this function to create the DMZ. However, I ran across some opinions that this type of action was quite foolish. Can someone give me the cons to this proposal?

An option would be to buy a cheap Netgear switch (under $500) to be a physically separate DMZ. Pros and cons on that vs the virtual lan? $500 is a small price to pay if there are security problems when using a vlan as a DMZ.

John