Tip

Protected ports

Many network administrators have been concerned about firewall placement for quite some time. Specifically, the practice of only using firewalls at the perimeter of the network, leaving so many critical resources exposed to attack from within the LAN. The two reasons internal firewalls haven't really been widely deployed are of course 1) cost, and 2) concerns about performance in a high-speed LAN environment.

While not a silver-bullet, you should consider the use of "protected ports" or "private VLANs" or "VLAN ACLs" in your network. The beauty of these relatively novel security mechanisms is that you can implement policy at layer 2 without reconfiguring your IP subnetting scheme (which you would have to do if you put some devices on the other side of a traditional layer 3 firewall). And, you can implement these policies on your switches instead of adding devices to your network that you then have to maintain and manage. And remember, usually the lower in the OSI reference stack you go, the faster. That means layer 2 operation will usually significantly outperform layer 3 operation, but vendors have had years to tweak their layer 3 controls, so their implementation tricks may negate some of the performance gains you'd see. Of course, layer 2 operation also means you can generally forget about using any application layer filtering rules.

An example of a good use for these security mechanisms could be a typical enterprise application, where the users have

    Requires Free Membership to View

    Login

a Web interface on a server that communicates to a database server, but the users have no reason at all to connect to the database server. Isolating the database server offers some protection by preventing users from going directly to the database server and potentially viewing raw data you don't want them to see. It also protects the server from potential worm and virus traffic from infected office users.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.


This was first published in December 2004

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top