How safe are VLANs?

Hey folks.

I have my clients behind a pfsense firewall. There are times, for testing purposes, that I would want to connect someone on the "red" side of the firewall (I.e. before it).

I have an HP Procurve 1800-24G with VLAN support.

How secure are VLANs? Is this OK practise to do this (split half a switch "outside" and half a switch "inside")?

Who is Participating?
Nyah247Connect With a Mentor Commented:
You can do it...  But if your switch were to get compromised your whole network would be at risk instead of just an external router/switch.  Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  

Honestly it is a great risk to have workstations flapping in the breeze.  It doesn't take much to get your company's whole external IP range to get black listed if the workstation happened to get some malware or a virus.
I've done it before with no problems.
You have to make sure that the switch can't route between the VLANs.
According to the specs, the 1800 is Layer2 only, so you're good.
jonnytabpniAuthor Commented:
[quote]Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  [/quote]

can you please explain this. im sorry i dont understand.

Currently the switch is connected to the "green" interface of the pfsense firewall and the "red" interface is connected to a router. I was wanting to place a test machine on the red SIDE of the firewall. I don't understand why I would need a DMZ interface coming out of the firewall
7 new features that'll make your work life better

It’s our mission to create a product that solves the huge challenges you face at work every day. In case you missed it, here are 7 delightful things we've added recently to monday to make it even more awesome.

kdearingConnect With a Mentor Commented:
Think of a DMZ (De-Militarized Zone) as the 'middle' side of the firewall, it's orange.
It is normally not fully protected, like the 'green' side, but you can set up rules restricting access.

The idea is if a device in the DMZ gets compromised, the rest of your network is still secure.
The primary purpose is for devices that need to be accessed from the internet, like web servers, ftp servers, front-end email servers, etc.

On many firewalls it is a dedicated port.
On some firewalls it is an optional config setting that turns one of the other ports into a DMZ.
Forgot to add that Nyah247's idea is a very good one.
That's the best way to accomplish what you want.
Dave HoweConnect With a Mentor Software and Hardware EngineerCommented:
 VLAN security on switches can be pretty hard to break - one failure mode would be to overload the switch with large amounts of ARP traffic, so its MAC table overflows - many switches drop to "hub" mode in cases like that which allows you free access to the other vlans; if your ports are bound to a single mac address (which cisco kit can do, to give one example) then you can avoid that, but you should investigate with the hardware you chose if there are any failure modes that allow traffic between vlans; you should also give serious stares to anything on a trunk port, which could act as an inter-vlan router if configured to (or if a failure mode there can be exploited to force the device to become a simple router or packet reflector)

  The financial cost of a completely separate switch to handle dmz traffic is marginal compared to buying a bigger switch (ie, with more ports) - for a small enough dmz set, it can devolve to a simple crossover cable, which tends to be much much cheaper :)

  If your firewall is software (rather than an appliance) then its easier and much more secure to add a few more Ethernet cards and use crossovers, effectively giving each untrusted host its own dmz.
This question is still open.
Is the problem resolved?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.