cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Combining all interfaces in one bond, how bad is this practice?

Tim Hall

Recently you contributed to the above reference post. I am in a similar situation where our network team would like me to add DMZ vlans to an already existing LACP bonded interface that supports our inside networks. I view this as a security risk. I have always practiced keeping my inside networks separated by physical interfaces from my DMZ's or Internet. This is to limit the risk of potential DDOS attacks flooding the interface. They argue that ports on the core are limited is this is the design they want to implement moving forward. Am I wrong in my thinking?

Thank you.

Tags (1)
3 Replies
Admin
Admin

Re: Combining all interfaces in one bond, how bad is this practice?

If you want Tim Hall to see this, you should:

  • Tag him correctly
  • Post this in a public space

I can move this to the correct space (and correct the post) if you wish so he can see it.

My take: I agree with you.

Having separate physical interfaces and different physical switches for different zones with different security requirements is best practice.

0 Kudos
Highlighted

Re: Combining all interfaces in one bond, how bad is this practice?

Dameon,

That would be great . Thank you for your feedback as well.

Thank you,

Paul

0 Kudos

Re: Combining all interfaces in one bond, how bad is this practice?

I agree with you as well, ideally your DMZ switches should be separate from your internal switching infrastructure such that it is physically impossible to get from a compromised DMZ system to somewhere on the inside network without going through the firewall.  By trunking internal networks with DMZ networks on the same physical interface there is potentially a path from the DMZ to the inside network that does not involve the firewall, as in the switch itself.  Read about VLAN Hopping and other VLAN-based Network Attacks  for some more background in this area.

Now with a properly-configured switch these types of attacks should not be successful, but the key word here is "should". It is still PHYSICALLY possible if there is a zero-day exploit for the switch or a new VLAN attack technique discovered.  I'll gladly take "physically impossible" since short of someone gaining physical access to your facilities (which is a whole different problem) there is no way the discovery of a new VLAN/switch exploit will help an attacker. 

One could argue that a new vulnerability could be found for the firewall itself, but I'd wager that possibility is many orders of magnitude less likely on a security-oriented device like a firewall rather than a network-oriented device like a switch.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com