VLANs & DMZs

I understand that it is considered a less than 'best practice' to use a few ports in a VLAN-able switch matrix to "logically" isolate a DMZ from the private network. The better practice is to "physically" isolate the DMZ by putting it on a completely separate piece of switch hardware not related to the VLAN-able devices. I've reviewed some white papers but none have been terribly specific about this. There is a comment recommending the better practice in my GSEC study material but no references beyond a year 2000 document alluding to VLAN Hopping. Can any of you point me to a good source or two that document good rationale for the better practice? It looks and sounds perfectly logical to me - but that may not be forceful enough in this work environment.

Thanks.

roberto


VLANs are *not* security constructs: they are management constructs. Somewhere about 1996 people saw that they could put ACLs on them and thus they started treating them as if they were security boundaries.

Ettercap renders all that rot practically meaningless.

However, it is considered to be best practice to implement VLANs of the same security posture on the same switch, i.e., you don't have a highly secure VLAN and a less secure VLAN on the same switch, because the lowest common denominator is the security posture on that device (in this case, less secure).

Also, physical isolation implies that there will be no communications between the two connected networks/devices. The US does this for DoD networks by having a separate, highly secure classified network (SIPRNET) and an internet-connected (and therefore vulnerable) network called NIPRNET. These networks are physically separated.

If you want the maximum amount of logical isolation, use packet filters on the network edge, along with layer 7 aware firewalls. Use IPsec transport mode to protect hosts on the inside and use L2TP/IPsec for VPN connectivity.

That's about as strong of a DiD approach on a network as current technology provides. Beyond this, you start talking about extreme physical security, and other methods...

-- Steve Clark [MSFT]
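The "VLANs are not security constructs" point above, and the VLAN hopping reference in the original question, can be made concrete. The Python below is an added example written for this page, not code from any poster: it builds 802.1Q frames byte for byte and runs them through a deliberately simplified model of how a switch handles tags on access and trunk ports (the model, the port settings and the frame bytes are all assumptions constructed here). It shows the classic double-tagging case: when the attacker's access VLAN is also the trunk's native VLAN, the switch pops the outer tag and the inner tag rides across the trunk into the target VLAN, and it shows that an unused native VLAN or a tagged native VLAN stops that.

```python
import struct
from dataclasses import dataclass

ETH_P_8021Q = 0x8100   # 802.1Q tag ethertype
ETH_P_IP = 0x0800

def tci(vid, pcp=0, dei=0):
    """16-bit Tag Control Information: PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vid < 4096:
        raise ValueError("VID out of range")
    return (pcp << 13) | (dei << 12) | vid

def build_frame(dst, src, vids, ethertype, payload):
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, tci(vid))
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return (VIDs outermost first, inner ethertype, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype, frame[off + 2:]

@dataclass
class Port:
    mode: str                  # "access" or "trunk"
    vid: int = 1               # access VLAN (access ports only)
    native_vid: int = 1        # VLAN carried untagged on a trunk
    tag_native: bool = False   # switch configured to tag native-VLAN frames too

def switch_ingress(port, frame):
    """Simplified model (assumption): assign a VLAN to an arriving frame and pop
    its outer tag. Returns (assigned VLAN, frame as carried inside the switch),
    or (None, None) if the frame is dropped."""
    vids, ethertype, payload = parse_tags(frame)
    if port.mode == "access":
        if vids and vids[0] != port.vid:
            return None, None      # tag does not match the access VLAN: drop
        assigned = port.vid
    else:
        assigned = vids[0] if vids else port.native_vid
    inner = build_frame(frame[:6], frame[6:12], vids[1:], ethertype, payload)
    return assigned, inner

def switch_egress(port, assigned, frame):
    """Put a frame on the wire. Native-VLAN frames leave a trunk untagged unless
    the native VLAN is explicitly tagged, so a leftover inner tag becomes the outer tag."""
    if port.mode == "access":
        return frame
    if assigned == port.native_vid and not port.tag_native:
        return frame
    vids, ethertype, payload = parse_tags(frame)
    return build_frame(frame[:6], frame[6:12], [assigned] + vids, ethertype, payload)

def double_tag_attack(native_vid, tag_native=False, attacker_vid=1, target_vid=20):
    """Attacker on an access port in attacker_vid sends a frame tagged
    [attacker_vid][target_vid] towards a trunk. Returns the VLAN the
    downstream switch assigns to what comes out of that trunk."""
    dst = b"\xff" * 6                                 # broadcast
    src = bytes.fromhex("020000000001")              # constructed attacker MAC
    frame = build_frame(dst, src, [attacker_vid, target_vid], ETH_P_IP, b"constructed payload")
    access = Port("access", vid=attacker_vid)
    trunk = Port("trunk", native_vid=native_vid, tag_native=tag_native)
    assigned, inner = switch_ingress(access, frame)
    on_wire = switch_egress(trunk, assigned, inner)
    assigned_downstream, _ = switch_ingress(trunk, on_wire)
    return assigned_downstream

if __name__ == "__main__":
    print("native VLAN = attacker VLAN:", double_tag_attack(native_vid=1))                  # 20: hopped
    print("unused native VLAN:        ", double_tag_attack(native_vid=999))                # 1: contained
    print("native VLAN tagged:        ", double_tag_attack(native_vid=1, tag_native=True)) # 1: contained
```

The attack only works in one direction (the attacker cannot receive replies this way) and only when the attacker's VLAN equals the trunk's native VLAN, which is why the usual hardening is an unused native VLAN plus tagging it; the model above is enough to see both the failure and the fix, but it is not a substitute for checking a specific switch's behaviour.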

The simple answer is that you want to minimize the number of devices that you're depending on for security. With normal LAN technology, the only device that connects the DMZ to the private network is your firewall. If you use VLANs, there are now two devices: the switch and the firewall. If either of them is compromised, the isolation between the networks may be lost.

-- Barry Margolin

I am not an expert on switches and VLANs, but it seems to me that usually you want at least some access to computers on a DMZ from the LAN network based on what you have configured for firewall rules, even if it is just to manage computers in the DMZ. A firewall would certainly be a better option and there are very reasonably priced ones available. If a computer on the DMZ is compromised, then at the very least your switch could be subject to denial of service attacks that may impact the whole network that uses that switch. If the switch is compromised then the whole network may go down or be subject to attacks from the DMZ computer. I don't know of a good link offhand. --- Steve

-- Steven L Umbach

Yes, this is true. Also the DOE and Air Force segment by security levels...not that I would know or anything ;-)

There is more, but for what he is doing it is probably overkill...

Michael

-- Michael Pelletier

Gentlemen, from a strictly practical point of view it looks to me like you are overly concerned with what separates your LANs (VLANs or DMZs) rather than being concerned with what connects them together. Specifically, DMZs are connected to the LAN by constructs (referred to as DMZ pinholes) which tightly control and restrict the exchange of data with the LAN to that which is absolutely necessary. Communication between the DMZ and the WAN will typically be sufficient to allow the provision of chosen services to the WAN. Complete separation is pointless, while an open routed connection via a gateway between VLANs is hopeless from a security point of view. Have a look at the design and implementation of ipcop for a good example of "best practice".

In other words, forget VLANs - it's not what they are designed for. Get or build a good firewall like IPCOP, or if you want to spend lots of money, buy something like a Watchguard Firebox.

-- jnitron
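To make the "DMZ pinhole" idea in the post above testable, here is an added example (written for this page; it is not IPCop's code or anyone's posted configuration). It models a zone-based forward policy as first-match rules with an implicit final drop, evaluates sample flows against it, and renders the same rules as an nftables forward chain. The zones, interface names, addresses (RFC 5737 and private ranges) and the three pinholes are constructed assumptions: a WAN-reachable web server in the DMZ, one admin host on the LAN allowed to SSH into the DMZ, and a single web-to-database hole from the DMZ back into the LAN.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                 # "accept" or "drop"
    src: str = "0.0.0.0/0"      # source prefix
    dst: str = "0.0.0.0/0"      # destination prefix
    proto: str = "any"          # "tcp", "udp" or "any"
    dports: tuple = ()          # empty tuple = any destination port

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

def matches(rule, flow):
    return (rule.src_zone == flow.src_zone and rule.dst_zone == flow.dst_zone
            and ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and (not rule.dports or flow.dport in rule.dports))

def decide(rules, flow):
    """First-match evaluation; anything no rule accepts is dropped (default deny)."""
    for r in rules:
        if matches(r, flow):
            return r.action
    return "drop"

# Constructed example addressing (assumption): web server 192.0.2.10 in the DMZ,
# database 10.0.0.20 and admin workstation 10.0.0.5 on the LAN.
PINHOLES = [
    Rule("wan", "dmz", "accept", dst="192.0.2.10/32", proto="tcp", dports=(80, 443)),
    Rule("lan", "dmz", "accept", src="10.0.0.5/32", proto="tcp", dports=(22,)),
    Rule("dmz", "lan", "accept", src="192.0.2.10/32", dst="10.0.0.20/32",
         proto="tcp", dports=(5432,)),
]

ZONE_IFACE = {"wan": "wan0", "dmz": "dmz0", "lan": "lan0"}   # assumed interface names

def render_nft(rules, table="inet filter"):
    """Render the rules as an nftables forward chain: policy drop, replies to
    accepted connections via conntrack, then one line per pinhole."""
    lines = [f"table {table} {{", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in rules:
        parts = [f'iifname "{ZONE_IFACE[r.src_zone]}"', f'oifname "{ZONE_IFACE[r.dst_zone]}"']
        if r.src != "0.0.0.0/0":
            parts.append(f"ip saddr {r.src}")
        if r.dst != "0.0.0.0/0":
            parts.append(f"ip daddr {r.dst}")
        if r.proto != "any":
            if r.dports:
                parts.append(f"{r.proto} dport {{ {', '.join(str(p) for p in r.dports)} }}")
            else:
                parts.append(f"meta l4proto {r.proto}")
        parts.append(r.action)
        lines.append("    " + " ".join(parts))
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed sample flows: what the WAN, the LAN and a compromised DMZ host can reach.
SAMPLE_FLOWS = [
    Flow("wan", "dmz", "203.0.113.7", "192.0.2.10", "tcp", 443),   # accept
    Flow("wan", "dmz", "203.0.113.7", "192.0.2.10", "tcp", 22),    # drop
    Flow("lan", "dmz", "10.0.0.5", "192.0.2.10", "tcp", 22),       # accept (admin host)
    Flow("lan", "dmz", "10.0.0.77", "192.0.2.10", "tcp", 22),      # drop (anyone else)
    Flow("dmz", "lan", "192.0.2.10", "10.0.0.20", "tcp", 5432),    # accept (the pinhole)
    Flow("dmz", "lan", "192.0.2.10", "10.0.0.20", "tcp", 445),     # drop (no lateral SMB)
    Flow("wan", "lan", "203.0.113.7", "10.0.0.20", "tcp", 5432),   # drop
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_zone}->{f.dst_zone} {f.src_ip}->{f.dst_ip}:{f.dport}/{f.proto}: {decide(PINHOLES, f)}")
    print(render_nft(PINHOLES))
```

The evaluator is what you would run in a test suite before loading the rendered chain: every flow a DMZ host could open towards the LAN other than the one database port comes back "drop", which is the property the post is arguing for. Note that the inet table's `ip saddr`/`ip daddr` matches only IPv4; an IPv6-enabled DMZ needs its own `ip6` rules, otherwise the default drop silently covers it.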

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.