Firewalls, Layer 2 and DMZs?

Fugazi1000 (Member, Posts: 145)
With the ever increasing use of virtual servers and the possibility of using 802.1q to trunk VLANs around, should we still keep Layer 2 completely separate, even on DMZs? i.e. If I have an ESX server, should I host VMs that may appear on a DMZ with public addressing at the same time as hosting a VM with an internal IP? This 'could' be properly protected by Layer 3 and above but 'may' be vulnerable to Layer 2 mistakes/hacks.

  • dtlokee (Member, Posts: 2,378)
    I have used 802.1q trunks to create logical DMZs and configured 802.1q trunks to the physical servers, created logical adapters using different VLANs, then bridged the virtual server NIC to one of the logical adapters, and have had no issues. I also use private VLANs and protected switchports to provide layer 2 isolation between devices on the same DMZ. With the ability of an ASA/PIX to support VLANs on subinterfaces, you could create your DMZ using them.

    There are many options, but at the heart of it, if a switch using VLANs will isolate the traffic at L2 and treat each VLAN as a separate broadcast domain, it's as secure as a separate switch. Of course, I would ensure you're following all of the other rules when it comes to securing the switches to prevent possible attacks on the switch/control plane.

    Also I would add, make sure anything you are going to do does not violate the company's written security policy.
    The only easy day was yesterday!
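The "other rules" for securing the switch side of a VLAN-based DMZ are easy to drift out of as ports get added. The script below is an added example, not code from the thread or from any vendor; it parses a constructed IOS-style configuration (the interface names, VLAN numbers and descriptions are made up) and flags trunk ports that still allow every VLAN, keep the default native VLAN, or leave DTP negotiation on, plus DMZ access ports that lack `switchport protected`. The DMZ VLAN id is an assumption passed in by the caller.

```python
"""Audit an IOS-style switch config for trunk and DMZ access-port hygiene.

Added example (not from the thread). Parses interface stanzas and reports
common Layer 2 hardening gaps on trunks to virtualization hosts and on
DMZ access ports.
"""

# Constructed sample config: one sloppy trunk, one hardened trunk, one
# protected DMZ port and one unprotected DMZ port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Trunk to ESX host
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description Trunk to ESX host (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description DMZ web server
 switchport access vlan 20
 switchport mode access
 switchport protected
!
interface GigabitEthernet1/0/4
 description DMZ mail server
 switchport access vlan 20
 switchport mode access
!
"""

# Assumed DMZ VLAN id(s) for this audit; adjust to the real design.
DMZ_VLANS = {"20"}


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} for each stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # stanza terminator
        elif current is not None and line.strip():
            interfaces[current].append(line.strip())
    return interfaces


def _last_word(lines, prefix, default):
    """Value of the first line starting with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return line.split()[-1]
    return default


def audit_interface(lines, dmz_vlans):
    """Return a list of hardening findings for one interface stanza."""
    findings = []
    present = set(lines)
    if "switchport mode trunk" in present:
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append("trunk allows all VLANs; prune to the VLANs the host needs")
        if _last_word(lines, "switchport trunk native vlan", "1") == "1":
            findings.append("native VLAN is the default (1); move it to an unused VLAN")
        if "switchport nonegotiate" not in present:
            findings.append("DTP negotiation still enabled; add 'switchport nonegotiate'")
    elif "switchport mode access" in present:
        vlan = _last_word(lines, "switchport access vlan", "1")
        if vlan in dmz_vlans and "switchport protected" not in present:
            findings.append("DMZ access port without 'switchport protected'")
    return findings


def audit_config(config, dmz_vlans=DMZ_VLANS):
    """Map each interface name to its findings (empty list means clean)."""
    return {name: audit_interface(lines, dmz_vlans)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

On the sample, the first trunk produces three findings, the hardened trunk and the protected DMZ port come back clean, and the mail-server port is flagged for the missing `switchport protected`. The allowed-VLAN list on the trunk should match the port groups defined on the ESX vSwitch, so the same pruning check is worth repeating against the host side when the VLANs a guest can reach are reviewed.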
  • Fugazi1000 (Member, Posts: 145)
    Thanks for that dtlokee. I agree technically it can be done, but is it good practice, bearing in mind that I have an opportunity to change the company policies (I wrote them originally)?