From: Jerry Shenk (jshenk@decommunications.com)
Date: Thu Mar 03 2005 - 15:32:23 EST
First off...a terminology question: By DMZ, are you referring to a
service network that is on a 3rd NIC of the firewall or the area between
the edge router and the firewall? The term was originally a military
term used to refer to the buffer zone between to hostile countries then
a large firewall vendor decided to use the term for what I'd call a
service network using a 3rd NIC in a firewall or perhaps a separate
firewall. I'll assume the "wrong" definition since it's actually become
more popular.
That's kindof bad design. VLANs can often add something to security but
counting on them really isn't the best idea. There are attacks on
switches than can cause VLANs to fail open although I'm not sure about
this particular one. In addition to the possibility of 'jumping VLANs',
it's also possible to make a rather small configuration error and have
things wide open.
On the other hand, we don't have any details about your site so there
could be cases where it may be acceptable. I've seen companies set up
the area outside the firewall on a VLAN on their corporate
switch....that's worse! It depends what you're protecting too....still,
I can't think of any case where I'd recommend doing it like that.
-----Original Message-----
From: Merrick, Carl [mailto:CMerrick@enfield.org]
Sent: Thursday, March 03, 2005 11:23 AM
To: pen-test@securityfocus.com
Subject: HP BL30's and VLAN's
I am not a pen tester and this is more of a theoretical question for the
experts. We are in the process of installing HP BL30p blade servers
which
use the GBE2 integrated switch for network connectivity. One of the
servers
installed will be a web server which will run in the DMZ. Connectivity
to
the DMZ will be provided from the GBE2 to a port on the firewall via a
VLAN.
Other internal VLAN's will be running on the same GBE2 switch. The
question
is, how secure will this setup be? Is it possible to hack across VLANs
on
the same switch? My preferred configuration is to physically isolate web
servers.
Thanks. Carl
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:17 EDT