Catalyst 3750G / Network design question

Hello and thanks,

I have a vendor that is setting up our network and I am not sure if something they are doing is a good idea. I however am not Cisco certified so my voice carries less weight. I am looking for some opinions that I can pass along.

They are setting up a 3750 with two VLANs, VLAN 100 and VLAN 200. VLAN 100 will be in between the ISP and our firewall. VLAN 200 will be where all of our internal servers reside. So Internet>>>3750 Vlan 100>>>>firewall>>>>3750 Vlan 200 (core switch with all servers)

This design seems poor to me, because we are having a core switch on the net not protected by a firewall. It seems like a DoS attack could hammer our core switch, since it is not protected by the firewall. Is this correct? It also seems like it would be easier to hack the switch, which will give you access to the internal network. Is this correct?

Seems like a better solution is Internet>>>Switch1>>>firewall>>>Switch2 (core switch).

Looking for an explanation that I can take to the meeting to have them make a change if necessary.

Thanks again, Roy

Reply to
rozment

You're very right to be concerned. Their design goes against best practice and is simply dangerous. VLAN separation does not a firewall make, but in their topology it has become one. Their design shows they have less than a basic understanding of security.

VLAN separation isn't even a minimum level of security for 'trusted' internal LANs let alone the Internet.

Your design is of course the better solution.

BernieM

Reply to
BernieM

Ensure they implement your design with two separate switches.

Reply to
Merv

The proposed installation is not best practice.

Not that I usually object to anyone spending money on network equipment, however the 3750 seems overkill for the application described - that is - two static VLANs.

Consider a 2960G (all GBE) for the inside and a 2950 (if they still do them) for the outside, unless of course you have a GBE internet connection.

I would guess that you will still have change.

If you need routing at wire rate then of course the 3750 is an excellent choice. Maybe it's PoE that you need.

Reply to
Bod43

That's a good point, bod43. Even with a base IOS in a 3750 you still have stub routing and other L3 features not needed where a basic L2 switch will do the job. Gbit is definitely questionable. Even a 2960 10/100 sounds sufficient. Getting back to the security .. it's disturbing that people that should know better are actually recommending that sort of topology.

While I'm a 'network engineer' by profession and my job doesn't involve direct responsibility for 'security', I've been around enough (15+ years) to know that nobody that wants to be taken seriously recommends VLAN separation as a layer of security. Its use is strictly limited to separation of broadcast domains. Sure, you apply at least ACL-type restrictions when you need to have 'some form' of restrictions internally, but never rely on VLANs for 'security'.

BernieM

Reply to
BernieM

Thanks all for your replies. Found an article on SANS.org recommending not to use VLANs as a mechanism for enforcing security. Unfortunately it was written in 2000.

Well thanks again for your messages, Roy

Reply to
rozment

If you use the Cat 6k firewall switch module, then all segregation is done via VLAN.....

A lot of this came out of some tests where an engineer can build a packet to jump from 1 VLAN to another.

But

  1. You need kit that doesn't stop this happening - at least the higher end Cisco switches (ie 3560 / 3750 / Cat 6k) are proof against this attack.
  2. The attacker needs layer 2 access to the network since they need to manipulate MAC headers and VLAN tags - which isn't normally directly accessible across the Internet.

The assumption here is that you don't have routing enabled between segregated VLANs.

A much more sensible reason to avoid security barriers using VLANs is "ease of misconfiguration" - multiple secure VLANs on a switch with internal routing support is a recipe for future problems from finger trouble....

FWIW we use both options at work - some "heavy" security is done by physically separating networks and a firewall link between them.

But when you need lots of security zones and they are at comparable security levels, then using VLAN segregation is appropriate and much easier than managing dozens of different stackables (esp. as Cisco don't make small switches with dual power supplies) - YMMV of course.

Reply to
stephen
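The thread keeps coming back to two concrete, checkable points: a single switch that carries both the outside VLAN and the inside VLAN puts the firewall in parallel with nothing more than VLAN separation, and (as stephen notes) the real-world failure is misconfiguration, above all routing being enabled between those VLANs on the switch itself. The script below is an added example, not code from any poster or from Cisco: a small audit over an IOS-style running-config that flags exactly those conditions, plus ports left in DTP "dynamic" mode. The two configs are constructed for illustration (hostnames, port numbers and documentation-range addresses are made up), and the parser only understands the flat global-command / indented-interface-block shape used here.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed example of the vendor's proposal: one 3750 carrying the
# ISP-facing VLAN 100 and the server VLAN 200, with IP routing on.
WEAK_CONFIG = """\
hostname core-3750
ip routing
!
interface Vlan100
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description ISP uplink
 switchport access vlan 100
!
interface GigabitEthernet1/0/3
 description to firewall inside
 switchport access vlan 200
!
interface GigabitEthernet1/0/24
 description spare
 switchport mode dynamic desirable
"""

# Constructed example of the inside switch in the two-switch design:
# only VLAN 200, no routing, access ports pinned and DTP disabled.
HARDENED_CONFIG = """\
hostname inside-2960
no ip routing
!
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 description to firewall inside
 switchport mode access
 switchport access vlan 200
 switchport nonegotiate
"""


def parse_ios(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global commands and interface blocks.
    Indented lines under 'interface X' belong to X; '!' ends a block."""
    globals_: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line.strip())
    return globals_, interfaces


def audit(text: str, outside_vlans: Set[int], inside_vlans: Set[int]) -> List[str]:
    """Return findings for a switch that sits on both sides of the firewall."""
    globals_, interfaces = parse_ios(text)
    findings: List[str] = []
    routing_on = any(g == "ip routing" for g in globals_)
    carried: Set[int] = set()      # VLANs present on access ports
    routed_svis: Set[int] = set()  # VLAN interfaces that hold an IP address

    for name, cmds in interfaces.items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi and any(c.startswith("ip address ") for c in cmds):
            routed_svis.add(int(svi.group(1)))
        for c in cmds:
            access = re.fullmatch(r"switchport access vlan (\d+)", c)
            if access:
                carried.add(int(access.group(1)))
            if c.startswith("switchport mode dynamic"):
                findings.append(f"{name}: DTP negotiation left enabled; use "
                                "'switchport mode access' + 'switchport nonegotiate'")

    present = carried | routed_svis
    outside_here, inside_here = present & outside_vlans, present & inside_vlans
    if outside_here and inside_here:
        findings.append(f"outside VLAN(s) {sorted(outside_here)} and inside VLAN(s) "
                        f"{sorted(inside_here)} share one switch; only VLAN separation "
                        "stands between them")
    if routing_on and (routed_svis & outside_vlans) and (routed_svis & inside_vlans):
        findings.append("ip routing is on with addressed SVIs on both sides of the "
                        "firewall; the switch can route around it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("vendor proposal", WEAK_CONFIG), ("inside switch", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg, outside_vlans={100}, inside_vlans={200}) or ["no findings"]:
            print(" -", f)
```

Run against the vendor-style config it reports three findings (the shared switch, routing between the SVIs, and the port still negotiating trunks); against the inside-only switch it reports none. Treat the VLAN sets as the one thing you must get right per site: the checker cannot know which VLAN faces the ISP unless you tell it.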

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.