Firewall Wizards mailing list archives
Re: DMZ - the physical layer
From: Doug Fajardo <dfajard () hitachi-hkis com>
Date: Thu, 16 Mar 2000 09:28:20 -0800
There are two areas where the "Virtual Lan" DMZ is vulnerable.

First, control of the configuration of the VLAN is an issue. SNMP, until recently, has not had any kind of meaningful security - I wouldn't want to base my DMZ on it! (note: the latest version of SNMP is supposed to have addressed this issue, but I haven't looked at it enough to comment)

Second, and more importantly, is that the VLANS can "leak" to one another in a variety of circumstances. Depending on the exact switching firmware/software version, this can (potentially) happen during startup, while changing the configuration of any VLAN on the switch, or possibly can be induced by various active attacks on the switch.

Given how inexpensive small Hubs are, IMHO the potential for compromise is not worth using VLANS for the DMZ, or in most security sensitive applications.

*** Doug Fajardo

John White wrote:
[parts deleted for brevity]
> An option would be to buy a cheap Netgear switch (under $500) to be a physically separate DMZ. Pros and cons on that vs the virtual lan? $500 is a small price to pay if there are security problems when using a vlan as a DMZ.
> John
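One way to watch for the kind of leakage Doug describes, as an added example that is not from the original thread: a small monitor that parses 802.1Q/802.1ad tags on frames captured from a DMZ port and flags any VLAN ID other than the DMZ's own. DMZ_VLAN, the frame builder and the sample frames are constructed for the demo; feed it real captures (e.g. raw frames from a SPAN port) in practice.

```python
import struct

# Constructed values for the demo: the DMZ segment is VLAN 20, so a frame
# carrying any other tag on this port means another VLAN is reaching the DMZ.
DMZ_VLAN = 20
ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service-provider (QinQ outer) tag

def parse_vlan_tags(frame: bytes):
    """Return the VLAN IDs in a frame's tag stack (outermost first); [] if untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12          # EtherType/TPID follows the two 6-byte MAC addresses
    vids = []
    while True:
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break        # reached the payload EtherType (IPv4, ARP, ...)
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4                 # skip TPID + TCI, look at the next EtherType
    return vids

def check_dmz_frames(frames, dmz_vlan=DMZ_VLAN):
    """Return (index, tag stack) for every frame whose tags include a non-DMZ VLAN."""
    alerts = []
    for i, frame in enumerate(frames):
        vids = parse_vlan_tags(frame)
        if any(v != dmz_vlan for v in vids):
            alerts.append((i, vids))
    return alerts

def build_frame(vids):
    """Construct a minimal test frame with the given tag stack (demo helper only)."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for n, vid in enumerate(vids):
        tpid = ETHERTYPE_8021AD if (n == 0 and len(vids) > 1) else ETHERTYPE_8021Q
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP/DEI bits left at 0
    return frame + struct.pack("!H", 0x0800) + b"\x00" * 46  # IPv4 EtherType + padding

# Constructed samples: untagged, DMZ-tagged, foreign VLAN 10, QinQ stack 20/30.
SAMPLE_FRAMES = [build_frame([]), build_frame([20]), build_frame([10]), build_frame([20, 30])]

if __name__ == "__main__":
    for idx, vids in check_dmz_frames(SAMPLE_FRAMES):
        print(f"frame {idx}: non-DMZ VLAN tag(s) seen on DMZ port: {vids}")
```

Frames 2 and 3 are reported; frame 1 is the only legitimately tagged one.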