Solved

How safe are VLANs?

Posted on 2008-06-15
8
1,692 Views
Last Modified: 2009-06-05
Hey folks.

I have my clients behind a pfsense firewall. There are times, for testing purposes, that I would want to connect someone on the "red" side of the firewall (I.e. before it).

I have an HP Procurve 1800-24G with VLAN support.

How secure are VLANs? Is this OK practise to do this (split half a switch "outside" and half a switch "inside")?

Cheers
0
Comment
Question by:jonnytabpni
8 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 21788131
I've done it before with no problems.
You have to make sure that the switch can't route between the VLANs.
According to the specs, the 1800 is Layer2 only, so you're good.
0
 
LVL 6

Accepted Solution

by:
Nyah247 earned 168 total points
ID: 21788220
You can do it...  But if your switch were to get compromised your whole network would be at risk instead of just an external router/switch.  Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  

Honestly it is a great risk to have workstations flapping in the breeze.  It doesn't take much to get your company's whole external IP range to get black listed if the workstation happened to get some malware or a virus.
0
 

Author Comment

by:jonnytabpni
ID: 21788422
[quote]Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  [/quote]

can you please explain this. im sorry i dont understand.

Currently the switch is connected to the "green" interface of the pfsense firewall and the "red" interface is connected to a router. I was wanting to place a test machine on the red SIDE of the firewall. I don't understand why I would need a DMZ interface coming out of the firewall
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 166 total points
ID: 21788466
Think of a DMZ (De-Militarized Zone) as the 'middle' side of the firewall, it's orange.
It is normally not fully protected, like the 'green' side, but you can set up rules restricting access.

The idea is if a device in the DMZ gets compromised, the rest of your network is still secure.
The primary purpose is for devices that need to be accessed from the internet, like web servers, ftp servers, front-end email servers, etc.

On many firewalls it is a dedicated port.
On some firewalls it is an optional config setting that turns one of the other ports into a DMZ.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21788474
Forgot to add that Nyah247's idea is a very good one.
That's the best way to accomplish what you want.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 166 total points
ID: 21790271
 VLAN security on switches can be pretty hard to break - one failure mode would be to overload the switch with large amounts of ARP traffic, so its MAC table overflows - many switches drop to "hub" mode in cases like that which allows you free access to the other vlans; if your ports are bound to a single mac address (which cisco kit can do, to give one example) then you can avoid that, but you should investigate with the hardware you chose if there are any failure modes that allow traffic between vlans; you should also give serious stares to anything on a trunk port, which could act as an inter-vlan router if configured to (or if a failure mode there can be exploited to force the device to become a simple router or packet reflector)

  The financial cost of a completely separate switch to handle dmz traffic is marginal compared to buying a bigger switch (ie, with more ports) - for a small enough dmz set, it can devolve to a simple crossover cable, which tends to be much much cheaper :)

  If your firewall is software (rather than an appliance) then its easier and much more secure to add a few more Ethernet cards and use crossovers, effectively giving each untrusted host its own dmz.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 23034310
This question is still open.
Is the problem resolved?
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cant browse or ping a particular URL 2 32
Line cards, Supervisor, Control plane 7 37
Wired Network vs Wireless 12 58
Non-jumbo host to jumbo enabled switch: Will it work? 3 19
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question