Monday, December 24, 2018

Is hosting DMZ VLANs on physically separated switches no longer a good practice?

Hey guys, I was recently designing a network, and I have always suggested having DMZ VLANs hosted on separate switches, with only L3 termination on an internet-facing firewall. I thought it was important not to let DMZ VLANs span into the inside switching fabric. The risks I see are:

  1. VLAN-hopping attacks
  2. human errors (somebody connecting a host with a trunk to DMZ and INSIDE VLANs at the same time)

That was until I tried to sell it to my customer and failed. He thinks DMZ, inside and any other VLANs are OK to span the entire switching fabric, including DMZ, core and access switches. Based on this, I am wondering about two things:

  1. Is it really risk-free to span DMZ VLANs everywhere, and am I imagining the risks?
  2. Are there any network design guides which outline how exactly DMZs and Internet borders need to be built to be secure?
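Both risks listed in the post (a port that lets DTP negotiate a trunk, and a trunk that carries DMZ VLANs alongside inside VLANs) are visible in the switch configuration itself. The Python below is an added example, not code from the original post: it audits a constructed IOS-style config (SAMPLE_CONFIG, with VLAN 100 assumed to be the DMZ segment) for those settings, so a defender can find them before an attacker or a mis-patched cable does.

```python
# Constructed sample IOS-style switch configuration (not taken from any real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 10,20,100
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport access vlan 10
"""
DMZ_VLANS = {"100"}  # assumption: VLAN 100 is the DMZ segment in this sample
def parse_interfaces(config: str) -> dict:
    """Return {interface name: [its indented sub-commands]} from an IOS-style config."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the interface stanza
    return ifaces

def expand_vlans(spec: str) -> set:
    """Expand '10,20,100-102' to {'10','20','100','101','102'}."""
    out = set()
    for lo, _, hi in (part.partition("-") for part in spec.split(",")):
        out.update(str(v) for v in range(int(lo), int(hi or lo) + 1))
    return out

def audit(config: str, dmz_vlans: set = DMZ_VLANS) -> list:
    """Flag per-port settings that allow VLAN hopping or let DMZ VLANs ride inside trunks."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
        if mode == "dynamic":  # no static mode: DTP may negotiate a trunk with whatever is plugged in
            findings.append(f"{name}: no static switchport mode, DTP may form a trunk")
        elif "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP frames still sent; add 'switchport nonegotiate'")
        if mode == "trunk":
            if not any(l.startswith("switchport trunk native vlan ") for l in lines):
                findings.append(f"{name}: native VLAN left at default 1; move it to an unused VLAN")
            allowed = next((expand_vlans(l.split()[-1]) for l in lines
                            if l.startswith("switchport trunk allowed vlan ")), None)
            if allowed is None or (allowed & dmz_vlans and allowed - dmz_vlans):
                findings.append(f"{name}: trunk carries DMZ and non-DMZ VLANs together")
    return findings
```

Run against the sample, the hardened DMZ port (Gi1/0/1) produces no findings, the core uplink is flagged three times, and the inside user port is flagged for relying on the DTP default.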
