PVLANs and DMZs
The PVLAN concept allows you to design a VLAN where each peer can communicate only with one (or more) specific peers, instead of having full “n to n” connectivity.
Now, why am I not seeing people use that to deploy more secure DMZs (or simply zones)? I mean, if you place a web server, an SMTP server and a DNS server on your DMZ, why should they be able to talk to each other (assuming they don’t have a specific need to do so)? If you do that, even with your web server compromised you still have the access restrictions from your firewall in place to protect the others, avoiding the old problem of stepping stones.
Is there anybody out there that is doing that?

Hi Augusto,
PVLANs also offer the option of a “community” of peers inside a VLAN (not just 1-to-1). So you can have scenarios like:
- single web server to firewall
- all of customer X’s systems in a single community inside a shared VLAN
My opinion is that we don’t see as much usage because of the typical reasons (overwork, “just get it done” mentality, security people not aware of network features and network people not aware of possible security uses, etc…)
Also, keep in mind that VLANs have a bad reputation as a security mechanism, back from the days when implementations were less mature (and the vendors even fueled that by posting disclaimers that VLANs were for broadcast reduction only). I personally think they’re a great feature and that the benefit of virtualizing the infrastructure far exceeds the potential threat of a failed VLAN implementation, especially for well-designed/deployed solutions.
Cheers,
Fernando
July 21, 2008 @ 4:28 pm
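The reachability rules behind both the isolated-port DMZ design in the post and the “community” variant Fernando mentions, as an added example (not code from the original post or either commenter): a small model of one primary PVLAN with a promiscuous firewall port, three isolated public servers and a two-host community. Port names and the layout are constructed for illustration; `blast_radius` shows what a compromised host can still reach at layer 2 without crossing the firewall.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set

class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # firewall/router port: may talk to every host port
    ISOLATED = "isolated"        # may talk to promiscuous ports only
    COMMUNITY = "community"      # may talk to promiscuous ports and its own community

@dataclass(frozen=True)
class Port:
    name: str
    ptype: PortType
    community: Optional[str] = None  # only meaningful for COMMUNITY ports

def can_forward(src: Port, dst: Port) -> bool:
    """Whether the switch forwards a layer-2 frame from src to dst inside one primary PVLAN."""
    if src == dst:
        return False
    if PortType.PROMISCUOUS in (src.ptype, dst.ptype):
        return True
    if src.ptype is PortType.COMMUNITY and dst.ptype is PortType.COMMUNITY:
        return src.community == dst.community
    return False  # isolated<->isolated and isolated<->community frames are dropped

def blast_radius(compromised: Port, ports: List[Port]) -> Set[str]:
    """Host ports a compromised host still reaches at layer 2, i.e. without the firewall in the path."""
    return {p.name for p in ports
            if can_forward(compromised, p) and p.ptype is not PortType.PROMISCUOUS}

def reachability_matrix(ports: List[Port]) -> Dict[str, Dict[str, bool]]:
    return {s.name: {d.name: can_forward(s, d) for d in ports} for s in ports}

# Constructed DMZ (hypothetical names): one firewall uplink, three isolated public
# servers, and a two-host "customerX" community, all in the same primary VLAN.
FIREWALL = Port("fw-inside", PortType.PROMISCUOUS)
WEB = Port("web", PortType.ISOLATED)
SMTP = Port("smtp", PortType.ISOLATED)
DNS = Port("dns", PortType.ISOLATED)
CUSTX_APP = Port("custX-app", PortType.COMMUNITY, "customerX")
CUSTX_DB = Port("custX-db", PortType.COMMUNITY, "customerX")
DMZ = [FIREWALL, WEB, SMTP, DNS, CUSTX_APP, CUSTX_DB]

if __name__ == "__main__":
    for src, row in reachability_matrix(DMZ).items():
        print(f"{src:>10}: " + " ".join(d if ok else "-" * len(d) for d, ok in row.items()))
    print("reachable from a compromised web server:", blast_radius(WEB, DMZ) or "nothing")
```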