Is it safe for external traffic (DMZ) and internal traffic (local LAN) separated by VLANs to be on the same Cisco 6509 switch?

m_walker commented:
When you think about security it is on many levels.
Are VLANs safe? Yes and no. If configured correctly then they can be. If the switch is not 100% spot on then the layer 3 level can become a router, thus bypassing your firewall. If someone can connect to the switch (from outside) then they can re-program it to give more access to the inside of your network, and some layer 3 switches support NAT to make it easier. So the trick is to make sure it's 100% locked down and IP addresses are not set up where they are not needed, and so on. The physical switch for outside means that if it's hacked, they can't get any more than they had before.

If your layer 2 switch only marks inbound packets with the VLAN ID if the ID is NOT set, then a remote user can pre-tag the packet with a different VLAN ID and could get a VLAN hop. I use the word "could" as other things can affect this attack.
The basic idea here is...
Your inside network: VLAN ID 10.
Remote user sends a packet with VLAN 10 set.
An incorrectly set up switch sees the ID 10 and puts that packet into VLAN 10, then does normal routing.
Simple fix here is to drop the VLAN tag ID (if set) and reset it to the VLAN attached to that port.
Then the hacker puts VLAN ID 10 and then another VLAN ID 10 (or maybe the switch does not drop the VLAN tag, it simply adds the new one). Then when the packet exits and the VLAN ID is dropped, the original one still exists, so a downstream switch (which may have a mis-config).

To use a single switch on the outside and VLANs, make sure it's locked down 100%. Make sure the outside VLAN is un-numbered (no IP address on the VLAN). Make sure the outside VLAN is ONLY trunked to your firewall. Make sure your vty connections can only come from an inside interface and restrict the IP as well.
Make sure you fully understand how the switch will deal with VLAN tagging and how that could have an effect somewhere else in your network.
At the very least don't use any real/routeable IP addresses on the switch, eg: 10.x.x.x, 172.16-172.31; at least that way most internet routes will drop the packet if sent to those IP addresses.

I think you get the picture: you can, and it can be safe, but you must get the config 100% right and you must trust the VLAN process that the switch does.

At the end of the day it's risk management. This means nothing is 100% safe, but is this good enough for the level of security that we need? To be 100% safe you would not connect to the internet for starters.... but that's not an option.

good luck.
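As an added example (not configuration from the thread or from any of its participants), this is how the lockdown m_walker describes could look on a Catalyst 6500 running IOS: no SVI on the DMZ VLAN so the switch cannot route it, the DMZ VLAN trunked only to the firewall, DTP negotiation and native-VLAN tricks closed off, and vty access limited to an inside management subnet. All VLAN numbers, port numbers and addresses are assumptions constructed for illustration.

```cisco
! Added example, not the thread's own configuration. VLAN numbers, ports and
! addresses below are constructed for illustration only.
!
! --- VLAN definitions. VLAN 20 is the DMZ and stays layer 2 only; VLAN 999 is
!     an unused "parking" VLAN that is never trunked anywhere useful.
vlan 20
 name DMZ
vlan 99
 name MGMT
vlan 999
 name PARKING-UNUSED
!
! --- No IP interface on the DMZ VLAN: without an SVI the 6500 can never act
!     as a router between DMZ and inside, so the firewall remains the only path.
no interface Vlan20
!
! --- Management address on a private range, reachable only from inside
!     (enforced by the vty access-class below).
interface Vlan99
 description Switch management - inside only
 ip address 10.99.0.2 255.255.255.0
!
! --- Tag the native VLAN on every dot1q trunk, so an untagged frame is not
!     silently placed in the native VLAN and a pre-tagged frame is not passed
!     through with its inner tag intact (the double-tag case discussed above).
vlan dot1q tag native
!
! --- DMZ host port: fixed access VLAN, DTP disabled so the port can never be
!     negotiated into a trunk, BPDU guard so a host cannot join spanning tree.
interface GigabitEthernet1/1
 description DMZ web server
 switchport
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- The only trunk carrying VLAN 20 goes to the firewall. Allowed VLANs are
!     pruned explicitly and the native VLAN is the unused parking VLAN.
interface GigabitEthernet1/2
 description Trunk to firewall (DMZ side)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20
 switchport mode trunk
 switchport nonegotiate
!
! --- Unused ports: shut down and parked in VLAN 999.
interface range GigabitEthernet1/40 - 48
 switchport
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- Remote access: SSH only, and only from the inside management subnet.
ip access-list standard MGMT-ONLY
 permit 10.99.0.0 0.0.0.255
 deny   any log
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
```

After applying it, `show ip interface brief` should list no Vlan20 entry, `show interfaces trunk` should show VLAN 20 allowed only on the firewall-facing trunk with native VLAN 999, and `show interfaces switchport` on the DMZ host port should report "Negotiation of Trunking: Off". Those three checks are the ones to repeat after any later change, since misconfiguration rather than an exotic attack is the more likely way the separation is lost.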
I think it depends on what you mean by safe.
If you have 2 VLANs and the switch is layer 2 only (i.e. won't route between VLANs), and have the VLANs meet at a firewall, then this should be OK.

While VLANs are getting better and the devices are getting better, there are still some tricks that can sometimes allow a VLAN hop. So it is important to ensure your setup of the VLANs and routing is spot on.

If the switch is a layer 3 switch, DON'T assign an IP address to the DMZ VLAN, and avoid the inside VLAN having an IP address if you can. Make sure these meet at a firewall.

I still prefer to physically separate, but do use VLANs for the set of DMZ zones I have (I have 3 at the moment), where all 3 VLANs are trunked to my firewall and none of the DMZ VLANs on the switch have an IP assigned to them - layer 2 only. Then my inside networks are on physically separate switches.

Safe and secure really depends on what you are trying to protect against.

eg: If you have a web server in the DMZ. Your firewall allows port 80 to the web server. At this point VLANs are fine as the traffic is via the firewall to the web server only. BUT what happens if the hacker can run code on your web server? What can the web server get access to? If the web server is allowed to open a connection to your inside network (eg: NT username/password check) then the hacker on your web server can do the same. The VLAN is no less secure, as your rules allowed it to happen. I do my best to say that a DMZ computer can NOT open a connection to anywhere, it simply responds to inbound connections. This way if a hacker gets on, they can back-channel data on their inbound connection, but can't open a new connection to the net or other networks.
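As an added example (not from the thread), the "respond only, never originate" rule described above, written as a Cisco IOS extended ACL on the firewall's DMZ-facing interface. It assumes the firewall is an IOS device; the addresses, the database port and the interface name are constructed for illustration. The one exception it carries is the web/app server's database connection that the question describes, which is exactly the path a compromised web server could still reach, so it is pinned to a single host and port.

```cisco
! Added example, not the thread's own configuration. Addresses, port and
! interface name are constructed: DMZ web server 192.0.2.10, inside database
! server 10.1.2.20, database listening on TCP 1433 (assumed).
!
ip access-list extended DMZ-IN
 remark Web server may only answer sessions that arrived on 80/443 (TCP only;
 remark "established" matches ACK/RST, so this is a stateless approximation)
 permit tcp host 192.0.2.10 eq 80 any established
 permit tcp host 192.0.2.10 eq 443 any established
 remark The single connection the DMZ host is allowed to originate
 permit tcp host 192.0.2.10 host 10.1.2.20 eq 1433
 remark Anything else the DMZ tries to start is dropped and logged
 deny   ip host 192.0.2.10 any log
 deny   ip any any log
!
interface GigabitEthernet0/2
 description DMZ (VLAN 20 from the core switch)
 ip access-group DMZ-IN in
```

On a stateful firewall the two `established` lines would be replaced by the firewall's own connection tracking; what carries over unchanged is the shape of the policy: the default for traffic leaving the DMZ is deny-and-log, and every outbound permit names one destination host and one port. The `deny ... log` entries are also the detection point: a DMZ host suddenly attempting new outbound connections shows up in the logs before it reaches anything.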

John Meggers (Network Architect) commented:
I'd wager the biggest potential problem is misconfiguration, not actual VLAN-hopping attacks, and for that reason, I'd be inclined to put the DMZ on its own switch.  But, I agree, as long as there is no VLAN interface for the DMZ VLAN, it should be OK.
Agree with above.
I'm OK with putting DMZ and local traffic on VLANs off the same switch, just not external public interfaces and DMZ and internal like I've seen some try to do.... (with and without actual VLANs -- oh, my!)
kns_admin (Author) commented:
Thanks for the comments.

Our case is a website/app server with a public IP available to public which connects to a database server on our local LAN. The traffic between internal and external servers is controlled by our firewall.

Currently we have separate switches for our external public IP range. The idea is to get rid of separate switches and run everything on the core switch via VLANs. This would make management somewhat easier.

Cisco says that VLANs are as safe as physical ports but then goes on to talk about VLAN hopping and STP vulnerabilities. This is where my confusion lies.