Problem solve Get help with specific problems with your technologies, process and projects.

Protected ports

A look at how some new security mechanisms can help you implement internal firewalls to increase security.

Many network administrators have been concerned about firewall placement for quite some time. Specifically, the practice of only using firewalls at the perimeter of the network, leaving so many critical resources exposed to attack from within the LAN. The two reasons internal firewalls haven't really been widely deployed are of course 1) cost, and 2) concerns about performance in a high-speed LAN environment.

While not a silver-bullet, you should consider the use of "protected ports" or "private VLANs" or "VLAN ACLs" in your network. The beauty of these relatively novel security mechanisms is that you can implement policy at layer 2 without reconfiguring your IP subnetting scheme (which you would have to do if you put some devices on the other side of a traditional layer 3 firewall). And, you can implement these policies on your switches instead of adding devices to your network that you then have to maintain and manage. And remember, usually the lower in the OSI reference stack you go, the faster. That means layer 2 operation will usually significantly outperform layer 3 operation, but vendors have had years to tweak their layer 3 controls, so their implementation tricks may negate some of the performance gains you'd see. Of course, layer 2 operation also means you can generally forget about using any application layer filtering rules.

An example of a good use for these security mechanisms could be a typical enterprise application, where the users have a Web interface on a server that communicates to a database server, but the users have no reason at all to connect to the database server. Isolating the database server offers some protection by preventing users from going directly to the database server and potentially viewing raw data you don't want them to see. It also protects the server from potential worm and virus traffic from infected office users.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

This was last published in December 2004

Dig Deeper on Campus area network

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.