Firewalls and VLANs

One of the most common questions that comes up when designing a firewall implementation is how VLANs and firewalls interact with each other. Historically, firewalls and VLANs went together like oil and water. Physical separation of resources for the purposes of security was a sacred cow, an untouchable fact of network security. That view was reinforced by exploits and security issues that allowed traffic to cross from one VLAN to another without passing through a firewall or router, effectively bypassing whatever security controls were in place. In a VLAN-based design the firewall only ever sees the traffic the switch hands to it, so any flaw that lets frames cross VLANs on the switch itself also bypasses the firewall policy.

A few things have contributed to a change in thinking about firewalls and VLANs. First, people became very comfortable with VLANs on their internal networks and started using them to segment resources logically throughout the internal network. Second, people realized that if they used multiple DMZs to house resources of differing types, they could further segment and secure their perimeter resources by placing resources with common access rules in separate DMZ segments, instead of tossing everything into a single DMZ segment. The problem with creating many DMZ segments is the expense in network infrastructure, such as switches and firewalls: physically separate DMZ segments require, at a minimum, a dedicated switch and a dedicated firewall interface for each segment, which frequently made the solution cost prohibitive. To address the cost issue, VLANs were looked at as a viable solution. Finally, switch vendors began hardening their software against the flaws, typically buffer overflows, that allowed traffic to traverse VLAN segments without going through the firewall or router.

Separate DMZ segments are fundamentally no different from separate subnets on an internal network.
On the internal network, VLANs are used to logically separate subnets in lieu of physical separation. The benefits of this are well understood. It is cheaper to implement.
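The text above refers to exploits that let traffic cross VLAN boundaries without ever reaching the firewall. The best-known member of that class is 802.1Q double tagging: a frame carrying two VLAN tags is sent toward a trunk whose native VLAN is transmitted untagged; the first switch strips the outer tag (the native VLAN), and the next switch forwards the frame on the inner tag's VLAN, so the frame lands in a VLAN the firewall policy never saw. The Python below is an added example and is not code from the original text. It parses 802.1Q-tagged Ethernet frames, flags double-tagged ones, and models the trunk's native-VLAN behaviour, with and without the mitigation of tagging the native VLAN. The sample frames are constructed here, and the function names and the simplified trunk model are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass, field
from typing import List

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ) and the legacy QinQ value.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}


@dataclass
class ParsedFrame:
    dst: str
    src: str
    vids: List[int] = field(default_factory=list)  # outermost tag first
    ethertype: int = 0                              # EtherType of the payload
    payload: bytes = b""


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the Ethernet header and collect every 802.1Q tag in order."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = _mac(frame[0:6]), _mac(frame[6:12])
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame while reading EtherType")
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        if etype in VLAN_TPIDS:
            if off + 4 > len(frame):
                raise ValueError("truncated 802.1Q tag")
            tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
            vids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
            off += 4
            continue
        return ParsedFrame(dst, src, vids, etype, frame[off + 2:])


def is_double_tagged(frame: bytes) -> bool:
    """True when a frame carries more than one VLAN tag (the hopping pattern)."""
    return len(parse_frame(frame).vids) >= 2


def build_frame(dst: str, src: str, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Construct a (possibly multi-tagged) 802.1Q frame for testing. Assumed helper."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def egress_vlan_after_trunk(frame: bytes, native_vlan: int, tag_native: bool) -> int:
    """Simplified model (assumption) of a frame crossing one 802.1Q trunk.

    Classic behaviour (tag_native=False): a frame whose outer VID equals the
    native VLAN is transmitted untagged, so its outer tag is stripped and the
    receiving switch classifies the frame by whatever tag is now outermost.
    With native-VLAN tagging enforced (tag_native=True) nothing is stripped.
    Returns the VLAN the receiving switch will place the frame in.
    """
    outer = parse_frame(frame).vids
    if not tag_native and outer and outer[0] == native_vlan:
        frame = frame[:12] + frame[16:]  # drop the 4-byte outer tag
    vids = parse_frame(frame).vids
    return vids[0] if vids else native_vlan


# Constructed sample: attacker on native VLAN 1 targets DMZ VLAN 20.
ATTACK_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                           [1, 20], 0x0800, b"\x45" + b"\x00" * 19)
NORMAL_FRAME = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                           [10], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, f in (("attack", ATTACK_FRAME), ("normal", NORMAL_FRAME)):
        p = parse_frame(f)
        print(f"{name}: tags={p.vids} double_tagged={is_double_tagged(f)} "
              f"lands_in={egress_vlan_after_trunk(f, 1, False)} "
              f"with_tagged_native={egress_vlan_after_trunk(f, 1, True)}")
```

The double-tagged frame ends up in VLAN 20 when the trunk sends its native VLAN untagged, which is exactly the "traffic crossing VLANs without going through the firewall" case; with the native VLAN tagged, the same frame stays in VLAN 1 where the access policy expects it. Keeping the native VLAN off any access port and tagging it on trunks is the configuration-level check that goes with this.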