?
Solved

How safe are VLANs?

Posted on 2008-06-15
8
Medium Priority
?
1,715 Views
Last Modified: 2009-06-05
Hey folks.

I have my clients behind a pfsense firewall. There are times, for testing purposes, that I would want to connect someone on the "red" side of the firewall (I.e. before it).

I have an HP Procurve 1800-24G with VLAN support.

How secure are VLANs? Is this OK practise to do this (split half a switch "outside" and half a switch "inside")?

Cheers
0
Comment
Question by:jonnytabpni
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 21788131
I've done it before with no problems.
You have to make sure that the switch can't route between the VLANs.
According to the specs, the 1800 is Layer2 only, so you're good.
0
 
LVL 6

Accepted Solution

by:
Nyah247 earned 672 total points
ID: 21788220
You can do it...  But if your switch were to get compromised your whole network would be at risk instead of just an external router/switch.  Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  

Honestly it is a great risk to have workstations flapping in the breeze.  It doesn't take much to get your company's whole external IP range to get black listed if the workstation happened to get some malware or a virus.
0
 

Author Comment

by:jonnytabpni
ID: 21788422
[quote]Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  [/quote]

can you please explain this. im sorry i dont understand.

Currently the switch is connected to the "green" interface of the pfsense firewall and the "red" interface is connected to a router. I was wanting to place a test machine on the red SIDE of the firewall. I don't understand why I would need a DMZ interface coming out of the firewall
0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 664 total points
ID: 21788466
Think of a DMZ (De-Militarized Zone) as the 'middle' side of the firewall, it's orange.
It is normally not fully protected, like the 'green' side, but you can set up rules restricting access.

The idea is if a device in the DMZ gets compromised, the rest of your network is still secure.
The primary purpose is for devices that need to be accessed from the internet, like web servers, ftp servers, front-end email servers, etc.

On many firewalls it is a dedicated port.
On some firewalls it is an optional config setting that turns one of the other ports into a DMZ.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21788474
Forgot to add that Nyah247's idea is a very good one.
That's the best way to accomplish what you want.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 664 total points
ID: 21790271
 VLAN security on switches can be pretty hard to break - one failure mode would be to overload the switch with large amounts of ARP traffic, so its MAC table overflows - many switches drop to "hub" mode in cases like that which allows you free access to the other vlans; if your ports are bound to a single mac address (which cisco kit can do, to give one example) then you can avoid that, but you should investigate with the hardware you chose if there are any failure modes that allow traffic between vlans; you should also give serious stares to anything on a trunk port, which could act as an inter-vlan router if configured to (or if a failure mode there can be exploited to force the device to become a simple router or packet reflector)

  The financial cost of a completely separate switch to handle dmz traffic is marginal compared to buying a bigger switch (ie, with more ports) - for a small enough dmz set, it can devolve to a simple crossover cable, which tends to be much much cheaper :)

  If your firewall is software (rather than an appliance) then its easier and much more secure to add a few more Ethernet cards and use crossovers, effectively giving each untrusted host its own dmz.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 23034310
This question is still open.
Is the problem resolved?
0

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

766 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question