Solved

How safe are VLANs?

Posted on 2008-06-15
8
1,687 Views
Last Modified: 2009-06-05
Hey folks.

I have my clients behind a pfsense firewall. There are times, for testing purposes, that I would want to connect someone on the "red" side of the firewall (I.e. before it).

I have an HP Procurve 1800-24G with VLAN support.

How secure are VLANs? Is this OK practise to do this (split half a switch "outside" and half a switch "inside")?

Cheers
0
Comment
Question by:jonnytabpni
8 Comments
 
LVL 13

Expert Comment

by:kdearing
ID: 21788131
I've done it before with no problems.
You have to make sure that the switch can't route between the VLANs.
According to the specs, the 1800 is Layer2 only, so you're good.
0
 
LVL 6

Accepted Solution

by:
Nyah247 earned 168 total points
ID: 21788220
You can do it...  But if your switch were to get compromised your whole network would be at risk instead of just an external router/switch.  Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  

Honestly it is a great risk to have workstations flapping in the breeze.  It doesn't take much to get your company's whole external IP range to get black listed if the workstation happened to get some malware or a virus.
0
 

Author Comment

by:jonnytabpni
ID: 21788422
[quote]Instead I would attach a switch to your internal (DMZ) interface on your firewall then attach your client to this from the patch panel.  [/quote]

can you please explain this. im sorry i dont understand.

Currently the switch is connected to the "green" interface of the pfsense firewall and the "red" interface is connected to a router. I was wanting to place a test machine on the red SIDE of the firewall. I don't understand why I would need a DMZ interface coming out of the firewall
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 13

Assisted Solution

by:kdearing
kdearing earned 166 total points
ID: 21788466
Think of a DMZ (De-Militarized Zone) as the 'middle' side of the firewall, it's orange.
It is normally not fully protected, like the 'green' side, but you can set up rules restricting access.

The idea is if a device in the DMZ gets compromised, the rest of your network is still secure.
The primary purpose is for devices that need to be accessed from the internet, like web servers, ftp servers, front-end email servers, etc.

On many firewalls it is a dedicated port.
On some firewalls it is an optional config setting that turns one of the other ports into a DMZ.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 21788474
Forgot to add that Nyah247's idea is a very good one.
That's the best way to accomplish what you want.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 166 total points
ID: 21790271
 VLAN security on switches can be pretty hard to break - one failure mode would be to overload the switch with large amounts of ARP traffic, so its MAC table overflows - many switches drop to "hub" mode in cases like that which allows you free access to the other vlans; if your ports are bound to a single mac address (which cisco kit can do, to give one example) then you can avoid that, but you should investigate with the hardware you chose if there are any failure modes that allow traffic between vlans; you should also give serious stares to anything on a trunk port, which could act as an inter-vlan router if configured to (or if a failure mode there can be exploited to force the device to become a simple router or packet reflector)

  The financial cost of a completely separate switch to handle dmz traffic is marginal compared to buying a bigger switch (ie, with more ports) - for a small enough dmz set, it can devolve to a simple crossover cable, which tends to be much much cheaper :)

  If your firewall is software (rather than an appliance) then its easier and much more secure to add a few more Ethernet cards and use crossovers, effectively giving each untrusted host its own dmz.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 23034310
This question is still open.
Is the problem resolved?
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now