VLANs over Geographical Boundaries

AKA "Is this stupid from a security standpoint?"

I know the mantra: "Don't use VLANs for security". But I'm having trouble understanding whether it applies to this particular design. I proposed an alternate solution to the problem I'm trying to solve in another newsgroup, and I was told, "You should be using VLANs".

The basics: We just added a second facility and want to increase our redundancy. We have two hosts that are considered the end-all-be-all of our business; without these, we're down. We have a nice high availability configuration in place that requires they be on the same LAN segment. We also have a nice high speed Ethernet link between the two facilities that accomplishes this goal, but it's caused a number of issues as far as adding further redundancy to our network.

So, I have the following solution in mind. The advantages are plentiful as far as saving money and easing expansion, but we have a major concern about it: it somewhat relies on VLANs to separate traffic before it enters the firewall.

A diagram would probably help, and ASCII is insufficient, so I threw this together:

Let me point out a couple of things: (1) The top left and top right areas are two distinct physical locations. The gigabit Ethernet line between the two is all we have to work with (well, other than a VPN backup, but that's not in the diagram). (2) The colored lines indicate VLAN separation. Over the gigabit connection, this would be a trunk, but the other links would likely be individual Fast Ethernet connections in a 'switchport mode access' type of setup, either to other links or to the firewalls. (3) This isn't everything on our network, though it shows the important stuff. We like to control access as much as we can at the firewalls. (4) The firewalls are Check Points and would share state over a dedicated sync VLAN which isn't pictured. They'd be in a cluster configuration.

The scariest part of this diagram is that the Internet traffic coming in on one VLAN would enter the same switch as the traffic we're trying most to protect. That is, physically that traffic hits the same switch before it is inspected by the firewall. Logically, though, it has to go through a firewall, but is that enough? Additionally, my company is of the opinion that you can't really trust your LANs, and they would also hit the switches first. So if VLAN hopping is a realistic problem, both Internet and LAN traffic could conceivably bypass the firewalls through some evildoer chicanery.

If VLAN hopping can be mitigated to the point of "no known attacks", then the advantages are many. There are cost savings, and really easy ways to add further redundancy. It scales pretty well, and our single points of failure actually go down compared to most alternate solutions.

Is this a bad idea from a security standpoint? Any obvious problems I'm overlooking? Is this sound from a security, stability, and scalability point of view?

Any input would be appreciated.

Fred

fred.damstra
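One check a defender could run against the switch configs in a design like this, as an added example that is not part of the original post: it parses an IOS-style running-config (a constructed sample is embedded) and flags the per-port settings behind the two classic VLAN-hopping techniques, trunk negotiation via DTP and double-tagging over an untagged native VLAN. The command names are Cisco IOS; treating a port with no explicit `switchport mode` as DTP-negotiating is an assumption that holds for older platforms and should be checked against the switch in hand.

```python
# Constructed sample (not from the post): Gi0/1 is the inter-site trunk,
# Fa0/1 faces a firewall in access mode, Fa0/2 is a leftover port.
SAMPLE_CONFIG = """\
vlan dot1q tag native
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
interface FastEthernet0/2
 switchport mode dynamic desirable
"""

def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface block
    return interfaces

def audit_vlan_hopping(config):
    """Flag port settings that leave DTP trunk negotiation or double-tagging open."""
    findings = []
    tag_native_globally = "vlan dot1q tag native" in config.splitlines()
    for name, lines in parse_interfaces(config).items():
        # Assumption: no explicit mode behaves like 'dynamic' (older IOS defaults).
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")), "1")
        if mode == "dynamic":
            findings.append((name, "DTP negotiation enabled: port can become a trunk on request"))
        if mode == "access" and "switchport nonegotiate" not in lines:
            findings.append((name, "access port still speaks DTP; add 'switchport nonegotiate'"))
        if mode == "trunk":
            if native == "1" and not tag_native_globally:
                findings.append((name, "untagged native VLAN 1 on trunk: double-tagging risk"))
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                findings.append((name, "trunk carries every VLAN; prune to what the far side needs"))
    return findings

if __name__ == "__main__":
    for port, issue in audit_vlan_hopping(SAMPLE_CONFIG):
        print(f"{port}: {issue}")
```

For the sample, the firewall-facing access port passes, the inter-site trunk is flagged only for lack of VLAN pruning (native-VLAN tagging is on globally), and the leftover port is flagged for DTP.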

VLANs aren't really that big of a deal, seriously. Plenty of pseudo-guru lamers make a big deal out of ridiculous hypothetical attacks on VLANs, usually attacks that would basically mean they 0wned the switch, in which case VLANs are the least of your problems...

Consider the @stake study commissioned by Cisco:


Joshua Reed
