AKA "Is this stupid from a security standpoint"?
I know the mantra: "Don't use VLANs for security". But I'm having trouble understanding whether it applies to this particular design. I proposed an alternate solution to the problem I'm trying to solve in another newsgroup, and I was told, "You should be using VLANs".
The basics: We just added a second facility and want to increase our redundancy. We have two hosts that are considered the end-all-be-all of our business; without these, we're down. We have a nice high availability configuration in place that requires they be on the same LAN segment. We also have a nice high speed Ethernet link between the two facilities that accomplishes this goal, but it's caused a number of issues as far as adding further redundancy to our network.
So, I have the following solution in mind. The advantages are plentiful as far as saving money and easing expansion, but we have a major concern about it: It somewhat relies on VLANs to separate traffic before it enters the firewall.
A diagram would probably help, and ASCII is insufficient, so I threw this together:
The scariest part of this diagram is that the Internet traffic coming in on one VLAN would enter the same switch as the traffic we're trying most to protect. That is, physically that traffic hits the same switch before it is inspected by the firewall. Logically, though, it has to go through a firewall, but is that enough? Additionally, my company is of the opinion that you can't really trust your LANs, and they would also hit the switches first. So if VLAN hopping is a realistic problem, both Internet and LAN traffic could conceivably bypass the firewalls through some evildoer chicanery.
If VLAN hopping can be mitigated to the point of "no known attacks", then the advantages are many. There are cost savings, and really easy ways to add further redundancy. It scales pretty well, and our single points of failure actually go down compared to most alternate solutions.
Is this a bad idea from a security standpoint? Any obvious problems I'm overlooking? Is this sound from a security, stability, and scalability point of view?
Any input would be appreciated.
Fred
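As an added example that is not part of Fred's post or any reply: a small Python audit over a constructed IOS-style switch configuration that flags the port settings which leave the two classic VLAN hopping paths open (DTP trunk negotiation on an edge port, and an untagged native VLAN 1 on a trunk). The interface names and VLAN numbers in the sample are assumptions for illustration.

```python
import re

# Constructed sample of an IOS-style running-config (not from the post);
# interface names and VLAN numbers are assumptions for illustration.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
"""

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [indented stanza lines]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces

def audit_vlan_hopping(config):
    """Return {interface: [findings]} for settings that leave VLAN hopping open."""
    tag_native = "vlan dot1q tag native" in config   # global mitigation for double tagging
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        # No explicit 'switchport mode' means the port is left to DTP defaults
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        if mode == "dynamic":
            issues.append("DTP negotiation enabled: set mode access/trunk + nonegotiate")
        elif mode == "trunk":
            if "switchport nonegotiate" not in lines:
                issues.append("trunk still speaks DTP: add switchport nonegotiate")
            m = re.search(r"switchport trunk native vlan (\d+)", "\n".join(lines))
            native = int(m.group(1)) if m else 1   # IOS default native VLAN is 1
            if native == 1 and not tag_native:
                issues.append("untagged native VLAN 1 on trunk: use an unused VLAN ID or tag native")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit_vlan_hopping(SAMPLE_CONFIG)` reports the trunk on Gi0/1 and the auto-negotiating Gi0/3, while the pinned access port Gi0/2 is clean.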