VLANs for security

I know how a lot of people will feel about this topic, but I have a client who feels that this will work.

He has 3 networks, which are currently separated by firewalls. He plans to use VLANs to bring a subnet from each of his 3 networks into various locations so his end user support people can be on all 3 networks at the same time.

He believes that simply because they are on different VLANs, this is a safe plan. He claims that Microsoft has published something on their page, which I haven't found yet, stating that using different VLANs is effectively the same as using firewalls between networks because each traffic stream is isolated from the others.

Comments?

tcollicutt

On 25.09.2006 13:19 snipped-for-privacy@hotmail.com wrote

You want to use *both*. VLANs *and* firewalls. While VLANs will separate the different networks from each other, you also need to control which traffic is allowed to enter/leave each network.

Arnold

Arnold Nipper

The proposal given to me was basically this:

3 networks, currently separated by firewalls.

1 trunk line to each remote location, with an end user support office, containing 1 VLAN from the network the site was natively on, and 2 VLANs containing patches (made from plugging a VLAN on one network into a VLAN on the other network) made around the firewalls directly into VLANs on the other network.

Potentially 3 jacks per office, and a PC with 3 NICs and running VMWare.

The claim is because these 3 networks are on separate VLANs it is the same as running in WAN connections from each of the 3 main networks.

I can do it, but I am a little wary of using VLANs like this. He claims it is a method endorsed by Microsoft.

tcollicutt

If I understand correctly, what is being proposed is the logical equivalent of running a dedicated network connection from inside each of the VLANs, over to the support people, who would have some kind of logically distinct interface to each of the networks. Except that instead of using a dedicated network connection, the network connections would be multiplexed over the existing network structure using VLANs.

This has three potential problems:

1) legal; 2) security of vlan implementation; and 3) security of support interface

In prior postings, I addressed #1 and #2 briefly:

Point #3 is that unless you give the support team members dedicated computers on each network, then there are potential security or technology issues about having them multiply connected, whether those multiple connections are by having 3 different network cards each connected to one [tag-stripped] VLAN, or having one [trunked] connection to a network interface that can deal directly with VLANs. The points of multiple connection are places where packets might leak from one network to another, accidentally or provoked by an internal attacker. And if an internal attacker on one VLAN manages to get control over a multiply-connected computer, then the attacker can direct that computer to send out packets to the other VLANs, and since that point of multiple connection is trusted, the packets would be accepted (and the connection would go unlogged!)

Any point of multiple connection, including a helpdesk PC with multiple NICs, should be treated as requiring a firewall whose strength is at least as good as the firewall which officially connects the networks. And the Windows XP built-in firewall is *not* sufficient for this task -- not unless the official firewall is considered to be mostly there as a "deterrent nuisance" like a small padlock on a school locker.

Walter Roberson
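The "point of multiple connection" argument above turns into a concrete host audit: a machine that has addresses inside more than one of the firewalled networks is a potential bridge, and it becomes an active one the moment IP forwarding is switched on. The script below is an added example written for this thread, not something posted by anyone in it. It assumes three hypothetical prefixes for the three networks (10.1/16, 10.2/16, 10.3/16) and feeds in a constructed sample of `ip -o -4 addr show` output from a 3-NIC support PC; on a real host you would pass the real command output and the real `/proc/sys/net/ipv4/ip_forward` value instead. It generalizes the thread's 3-network case to any number of named networks.

```python
"""Audit whether a host straddles several firewalled networks.

Added example, not from the thread. NETWORKS and SAMPLE_IP_ADDR are
constructed assumptions standing in for a real site's prefixes and a
real `ip -o -4 addr show` capture.
"""
import ipaddress
import re

# Hypothetical prefixes for the three firewalled networks (assumption).
NETWORKS = {
    "net-A": ipaddress.ip_network("10.1.0.0/16"),
    "net-B": ipaddress.ip_network("10.2.0.0/16"),
    "net-C": ipaddress.ip_network("10.3.0.0/16"),
}

# Constructed sample of `ip -o -4 addr show` on a 3-NIC support PC.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.1.40.17/24 brd 10.1.40.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.2.40.17/24 brd 10.2.40.255 scope global eth1\\       valid_lft forever preferred_lft forever
4: eth2    inet 10.3.40.17/24 brd 10.3.40.255 scope global eth2\\       valid_lft forever preferred_lft forever
"""

# Constructed sample of an ordinary single-homed workstation.
SAMPLE_SINGLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.1.40.18/24 brd 10.1.40.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

# One-line-per-address format of `ip -o -4 addr show`: "<idx>: <iface> inet <addr>/<len> ..."
ADDR_RE = re.compile(r"^\d+:\s+(?P<iface>\S+)\s+inet\s+(?P<addr>\S+)")


def parse_ip_addr(output):
    """Return [(iface, IPv4Interface)] parsed from `ip -o -4 addr show` output."""
    found = []
    for line in output.splitlines():
        m = ADDR_RE.match(line)
        if m:
            found.append((m.group("iface"), ipaddress.ip_interface(m.group("addr"))))
    return found


def attached_networks(output, networks=NETWORKS):
    """Map each known network name to the interfaces whose address lies inside it."""
    hits = {}
    for iface, addr in parse_ip_addr(output):
        for name, net in networks.items():
            if addr.ip in net:
                hits.setdefault(name, []).append(iface)
    return hits


def read_ip_forward(path="/proc/sys/net/ipv4/ip_forward"):
    """Read the kernel forwarding flag; None if unreadable (e.g. not Linux)."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def assess_host(output, ip_forward, networks=NETWORKS):
    """Classify the host the way the post above says it should be treated.

    single-homed: attached to at most one of the known networks.
    active-bridge: attached to several AND forwarding packets between them.
    multi-homed-needs-host-firewall: attached to several, not forwarding,
        but still a point where a compromised host can reach every network.
    """
    hits = attached_networks(output, networks)
    names = sorted(hits)
    if len(hits) <= 1:
        status = "single-homed"
    elif ip_forward:
        status = "active-bridge"
    else:
        status = "multi-homed-needs-host-firewall"
    return {"networks": names, "interfaces": hits, "status": status}


if __name__ == "__main__":
    # Run against the constructed samples; replace with real output on a host.
    for label, sample in (("support PC", SAMPLE_IP_ADDR), ("workstation", SAMPLE_SINGLE)):
        print(label, assess_host(sample, ip_forward=0))
```

Feeding the output of `ip -o -4 addr show` and the value of `/proc/sys/net/ipv4/ip_forward` from each helpdesk machine into `assess_host` gives an inventory of exactly which hosts sit on more than one of the firewalled networks, which is the list of machines that need a host firewall at least as strict as the inter-network one.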

Ah yes... the trusted name in network security :-)

Rod Dorman

Microsoft do NOT endorse third party networks

MS only endorse and support Active Directory for their application based security (and their PFW of course)

Steve MCSE, CCNA (if that helps)

Steve Ray

On 25.09.2006 19:27 Walter Roberson wrote

IIRC the OP wanted to run VMware on each PC ...

Arnold

Arnold Nipper

Ah, I see that deeper in the thread now. 3 NICs and VMware.

I do not know much about VMware, but I can state that I have seen configured but supposedly "inactive" VMware sessions leaking packets onto the wire. I believe multiple NICs were involved, but I am not certain.

Walter Roberson

Yes. I think everyone has pretty much got the idea. The MS thing came from seeing a document on MS's site somewhere explaining how VLANs could be used like this. I'

So the general consensus is that I shouldn't rush out to install this thing.


tcollicutt

Absolutely. A computer that has the ability to bridge 3 networks usually defeats the idea of the Firewall DMZ.

Rohan
