Extending DMZ VLAN

[Garrick]

Hello All,

In need of an impartial judge who has more knowledge than I do to help solve a debate I have with my manager.  Currently we have a 3120 sitting on the edge that has a connection to a 5520 that i have 2 vlans on, one is actual pblic facing networks where servers such as Exchange edge sit and the other vlan is the 'dmz' where all traffic from those servers there must pass thru a checkpoint firewall cluster to get to the internal networks. This area is on one side of the building, but then the requirement came to build a showcase room on the other side of the building with devices sitting on the internet without doing NAT thru the firewalls. My manager wanted me to trunk the edge/dmz thru the edge switches on this side of the firewall, thru the distribution switches, into the core and then find it's way to that new room. i told him that i didn't want to do it as i had security concerns, his response was it's layer 2 and that i should get over it. eventually just ran some cat6 thru the building and put another 5520 in that room for those devices. even though it's done and over, this is one more case of the who's right and why between myself, who' been around the block a few times; and my manager who's a CS1K god and former sales guy

[normski]

Hi

These days vlan implemanetations on switches are pretty secure so I think its all right to trunk DMZ/Internet vlans across the network. From what I understand the attacker would have to physical connect to your network to carry out the majority of the attacks. If they are that close to network you have more serious problems.

I remember years ago debating with my boss over using a vlan for internet facing devices or installing new fibre. We went for the vlan option - it worked. Nothing bad happened. But I still have doubts niggling me even now as I routinely create DMZs all over the place.

Cisco used to have a feature called private vlans which I always wanted to implement but never had the money/kit.

Just my 2 pence worth

Normski

Cisco article i read years ago:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39023

[Flintstone]

Hi Garrick,

I have had these same discussions throughout my career and still do.  I have always championed that layer 2 Vlans were secure but what hasn't helped is that secure Vlans in the past have leaked traffic out to other Vlans due to badly written code etc? 

Yes, layer 2 only Vlans should be secure through a Network and we have this signed off by our security department.  I believe PCI compliance also state that layer 2 Vlans are secure?

CheerZ

[Dorian]

The remaining problem is configuration mistake.

[Michael McNamara]

The remaining problem is configuration mistake.

You hit the big issue right there.... there's no chance of your packets "spilling" out of their respective VLANs so you are secure in that respect. However, as you alluded to above, there is the potential that a misconfiguration could lead you vulnerable or expose some of your internal assets.

In the past we required all Internet facing or DMZ devices to be physically cabled to a specific switch. Over the past few years we now allow the DMZ to be extended (bridged) across our internal network.

You get comfortable with it over time... we also audit the DMZ port members a few times throughout the year to verify that nothing has been accidentally changed.

Cheers!

[bylie]

If you want some extra lockdown than maybe it might be an idea to apply MAC security on those "in the field" DMZ ports in such a way that only a specific MAC address is allowed? This ofcourse introduces some additional management overhead but might provide you with some extra peace of mind.

We're actually in the same situation, as over the years new services have continuously been added to our network which required public IP's and direct access (videoconferencing equipment, public reachable department servers, ...). At first we also didn't really know what to do with these new needs and we tried to keep these things off because we ofcourse thought it was bad design and basically unmanageble. Fast forward to today and we don't really try to fight this anymore and just provide the necessary VLAN's to where they need to be because at the end of the day we, as the IT department, are here to support our (internal) customers in their projects. Mind you we're an educational institution so I realize that this mindset might not apply to all businesses!
On the other hand we did make a separation between our own controlled and managed environment and the "others"  . For example we placed those special VLAN's into their own VRF's and firewall security zones in such a way that we still have quite some control about what goes in/out and if something "bad" should happen it stays contained.
Honestly I think that this will be the direction our network is going in, with for example IPv6 finally restoring end to end connectivity again (as it should be, no more NAT yay), SPBM which will essentially give us the opportunity to drop off any VLAN, anywhere, without the extra overhead of todays trunking configuration, ...

[Garrick]

My apologies if there is a way to respond to each individual and i just haven't found it yet.

Thanks normski! "It is an Equal failing to Trust Everybody, and to Trust Nobody" --- English Proverb ---I seem to fall into the 'Trust Nobody' part of the world but have been easing up over the last year.
Thanks Flintstone, i have been working on doing a security audit for our branch office as well.
Thanks Dorian and Michael, reviewing will be done before i connect any device and hopefully no mistakes.
Thanks bylie, the heart of the matter for me is similar, our customer is our sales team who wanted a nice room to display various videoconferencing, sbc and sip servers to their customers while having it actually function when they do demo it