Firewall Wizards mailing list archives

Re: DMZ - the physical layer


From: Doug Fajardo <dfajard () hitachi-hkis com>
Date: Thu, 16 Mar 2000 09:28:20 -0800

  There are two areas where the "Virtual Lan" DMZ is vulnerable. 
First, control of the configuration of the VLAN is an issue. SNMP, until
recently, has not had any kind of meaningful security - I wouldn't want 
to base my DMZ on it! (note: the latest version of SNMP is supposed to
have addressed this issue, but I haven't looked at it enough to comment)

Second, and more importantly, is that the VLANS can "leak" to one
another in a variety of circumstances. Depending on the exact switching
firmware/software version, this can (potentially) happen during startup,
while changing the configuration of any VLAN on the switch, or possibly
can be induced by various active attacks on the switch.

Given how inexpensive small Hubs are, IMHO the potential for compromise
is not worth using VLANS for the DMZ, or in most security sensitive
applications.

*** Doug Fajardo

John White wrote:
 [parts deleted for brevity] 

An option would be to buy a cheap Netgear switch
(under $500) to be a physically separate DMZ.

Pros and cons on that vs the virtual lan?  $500
is a small price to pay if there are security problems
when using a vlan as a DMZ.

John
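The two weaknesses Doug raises above (unauthenticated SNMP control of the VLAN configuration, and VLAN traffic crossing boundaries it should not) are things a defender can at least check for in a switch's running configuration. The following is an added example, not part of the original post and not anyone's vendor tool: a small Python audit over a constructed Cisco IOS-style config. The config text, the hostnames and the severity levels are this example's own assumptions; the checks it makes are: SNMP v1/v2c community strings (plaintext, unauthenticated management, the first point in the post), ports left in dynamic trunk negotiation mode, and a trunk whose native VLAN is VLAN 1 or a VLAN also used by an access port (a common way for untagged frames to end up in the wrong VLAN).

```python
"""Audit a Cisco IOS-style switch configuration for settings that weaken a
VLAN-based DMZ.  Example code written for this archive page; the sample
config below is constructed and does not describe a real device."""
import re

# Constructed sample running-config (assumption, not from the post)
SAMPLE_CONFIG = """\
hostname dmz-switch
snmp-server community public RO
snmp-server community private RW
snmp-server group ops v3 priv
!
interface FastEthernet0/1
 description uplink to core
 switchport mode dynamic desirable
 switchport trunk native vlan 1
!
interface FastEthernet0/2
 description DMZ web server
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} for each stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def audit_snmp(config):
    """Flag v1/v2c community strings: no authentication, sent in plaintext."""
    findings = []
    for m in re.finditer(r"^snmp-server community (\S+)\s+(RO|RW)", config, re.M):
        name, mode = m.groups()
        severity = "high" if mode == "RW" else "medium"
        findings.append((severity,
                         f"SNMP v1/v2c community '{name}' ({mode}): "
                         "unauthenticated management; migrate to SNMPv3 "
                         "with authentication and privacy"))
    return findings


def audit_vlans(config):
    """Flag port settings that let frames cross VLAN boundaries."""
    findings = []
    ifaces = parse_interfaces(config)
    access_vlans = set()
    for lines in ifaces.values():
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)", l)
            if m:
                access_vlans.add(int(m.group(1)))
    for name, lines in ifaces.items():
        if any(l.startswith("switchport mode dynamic") for l in lines):
            findings.append(("high",
                             f"{name}: trunk auto-negotiation enabled; set a "
                             "static mode and add 'switchport nonegotiate'"))
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)", l)
            if m:
                native = int(m.group(1))
                if native == 1 or native in access_vlans:
                    findings.append(("medium",
                                     f"{name}: native VLAN {native} is VLAN 1 "
                                     "or shared with an access port; use a "
                                     "dedicated unused native VLAN"))
    return findings


def audit(config):
    """Run all checks; returns a list of (severity, message) tuples."""
    return audit_snmp(config) + audit_vlans(config)


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the constructed config it reports the two community strings, the dynamic-trunk uplink and its native VLAN 1; FastEthernet0/3, a static trunk with `nonegotiate` and an unused native VLAN, is clean. The checks are heuristics on text, not a substitute for testing the switch itself, which is where Doug's second point (firmware-dependent leakage) lives.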
