switches and security

Gerhard Mezger Gerhard.Mezger@mail.inuco.ch
Tue, 30 Jun 1998 15:00:17 +0000


How do you feel about the usage of switches interconnecting different
security domains? To illustrate my question let's take a look at a very
simplified Internet connection:

                    +----------+
    PR -------------! Firewall !--------- internal net (S)
                    +----------+
                         !
                        WEB

PR=Provider Router;  WEB=Webserver in DMZ;   S=System in the internal
net (running critical applications).

Internet users are only allowed to access the Webserver; access from the
internal net to the Internet is very restricted. So far the logical
layout. Let's now look at a possible physical implementation using
VLANs:


                     Firewall
                      !  !  !  vlans 1 2 3
                    +---------+
    PR -------------!  Switch !----------- S
              vlan1 +---------+  vlan3
                         !
                         ! vlan2
                         !
                        WEB

I am not sure about the security risk imposed by a central switch
especially because the management of the switch will be done over a
(separate) VLAN. I am searching for arguments to become either more
comfortable with this solution or to have strong technical arguments
against it.

Your input is highly appreciated.
Gerhard
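An added example (not part of the original post, and not any vendor's configuration): a small audit of the port/VLAN plan in the diagram above, with constructed data. It checks the three pitfalls that most often turn a VLAN boundary into a bypass of the firewall: a production VLAN used as the trunk's untagged native VLAN, the switch default VLAN 1 carrying production traffic, and the management VLAN being reachable from a port other than the management station's. The VLAN numbers (99 for management, 999 as an unused native) and port names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    mode: str                      # "access" or "trunk"
    vlans: frozenset               # access: the one VLAN; trunk: allowed VLANs
    native: Optional[int] = None   # trunk only: the VLAN sent untagged
    mgmt: bool = False             # True only for the management station's port

def audit(ports, mgmt_vlan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    for p in ports:
        if p.mode == "trunk" and p.native in p.vlans:
            findings.append(f"{p.name}: native VLAN {p.native} is an allowed "
                            "production VLAN, so untagged frames land in it; "
                            "use an unused VLAN as native")
        if 1 in p.vlans:
            findings.append(f"{p.name}: default VLAN 1 carries production "
                            "traffic; every unconfigured port is in VLAN 1")
        if mgmt_vlan in p.vlans and not p.mgmt:
            findings.append(f"{p.name}: management VLAN {mgmt_vlan} is "
                            "reachable from a non-management port")
    return findings

MGMT_VLAN = 99   # assumed number for the separate management VLAN

# Constructed plan that takes the diagram literally: vlan1/2/3, the
# management VLAN carried on the firewall trunk, default native VLAN 1.
WEAK = [
    Port("fw-trunk", "trunk", frozenset({1, 2, 3, 99}), native=1),
    Port("pr", "access", frozenset({1})),
    Port("web", "access", frozenset({2})),
    Port("s", "access", frozenset({3})),
]

# Same topology with renumbered VLANs, an unused native VLAN on the trunk
# and the management VLAN confined to one dedicated access port.
HARDENED = [
    Port("fw-trunk", "trunk", frozenset({10, 20, 30}), native=999),
    Port("pr", "access", frozenset({10})),
    Port("web", "access", frozenset({20})),
    Port("s", "access", frozenset({30})),
    Port("mgmt", "access", frozenset({99}), mgmt=True),
]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK), ("hardened", HARDENED)):
        found = audit(plan, MGMT_VLAN)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```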