[Dshield] Blades, VLANs and DMZs

Shane Presley shane.presley at gmail.com
Tue Oct 19 16:09:32 GMT 2004


Does anyone have any policies regarding blade or switch configuration
in DMZ environments?  Let's say a simple network with public
(unfiltered internet/outside firewall), DMZ, and internal.   I've seen
some organizations with policies that require that separate physical
switches be used for each segment, while other companies use one big
switch and VLANs.  The thinking behind the separate physical switch is
to guard against VLAN configuration errors, or cable mistakes, from
side-stepping the firewall.  Of course VLANs within a segment (VLAN
user segments) are not an issue.

My concern is actually a little different, but somewhat related.  One
client is now starting to use a lot of blade servers.  The blades all
share a GB backplane in the blade cabinet.  But they connect up to the
network using a built-in switch, which can be VLANed.   Some of the
servers in this blade cabinet are on the internal network.  They now
want to add a blade that is in the DMZ network and create a VLAN
within the blade switch.

I guess I don't know enough about how the blades work yet.  But I have
some (possibly unjustified) concerns that mixing a DMZ server and
internal servers in a single blade rack could open up exposures.  If a
DMZ server is compromised, would there be ways to jump to the internal
network, without going through the firewall?

Sorry if this isn't a clear question.  Just thoughts that have been
swirling around in my head.
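
As an added example (not part of Shane's post), here is a small Python
audit of the kind of blade-switch VLAN configuration he describes. The
Cisco IOS-style config, the interface names and the VLAN roles
(10 = internal, 20 = DMZ) are constructed for illustration. It flags the
configuration errors that could let a compromised DMZ blade reach the
internal VLAN inside the switch instead of through the firewall: a port
whose mode is not pinned, so DTP can negotiate it into a trunk; a trunk
still running DTP; a trunk carrying both internal and DMZ VLANs; and a
native VLAN that is VLAN 1 or also carries hosts, which is the
precondition for 802.1Q double tagging.

```python
"""Audit a Cisco IOS-style switch config for VLAN settings that could let a DMZ
blade reach internal VLANs without crossing the firewall. Added example; the
config, interface names and VLAN roles (10 = internal, 20 = DMZ) are made up."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INTERNAL_VLANS = {10}
DMZ_VLANS = {20}

# Constructed blade-switch config. Gi0/2 and Gi0/23 carry deliberate mistakes.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 description blade-2 (internal): mode not pinned, DTP left running
 switchport access vlan 10
interface GigabitEthernet0/3
 description blade-3 (DMZ)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
interface GigabitEthernet0/23
 description uplink to core: both zones on one trunk, native VLAN 1, DTP running
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 20
 switchport trunk native vlan 999
 switchport nonegotiate
"""

@dataclass
class Port:
    name: str
    mode: Optional[str] = None          # None/"dynamic ..." = DTP negotiates; "access"/"trunk" = pinned
    access_vlan: int = 1
    allowed: Optional[Set[int]] = None  # None = every VLAN allowed (IOS default for a trunk)
    native_vlan: int = 1                # IOS default native VLAN
    nonegotiate: bool = False

def parse_vlan_list(spec: str) -> Optional[Set[int]]:
    """'10,20-22' -> {10, 20, 21, 22}; 'all' -> None; 'none' -> set(). add/remove/except forms not handled."""
    spec = spec.strip()
    if spec == "all":
        return None
    vlans: Set[int] = set()
    for part in spec.split(",") if spec != "none" else []:
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text: str) -> List[Port]:
    """Collect the switchport settings of every 'interface' block."""
    ports: List[Port] = []
    port: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            port = Port(name=line.split(None, 1)[1])
            ports.append(port)
        elif port is None or line == "!":
            port = None
        elif line.startswith("switchport mode "):
            port.mode = line[len("switchport mode "):]
        elif line.startswith("switchport access vlan "):
            port.access_vlan = int(line.rsplit(None, 1)[1])
        elif line.startswith("switchport trunk allowed vlan "):
            port.allowed = parse_vlan_list(line.split("vlan", 1)[1])
        elif line.startswith("switchport trunk native vlan "):
            port.native_vlan = int(line.rsplit(None, 1)[1])
        elif line == "switchport nonegotiate":
            port.nonegotiate = True
    return ports

def audit(ports: List[Port], internal=INTERNAL_VLANS, dmz=DMZ_VLANS) -> List[Tuple[str, str]]:
    """Return (interface, problem) pairs for settings that could bridge the two zones."""
    findings = []
    host_vlans = {p.access_vlan for p in ports if p.mode == "access"}
    for p in ports:
        if p.mode not in ("access", "trunk"):
            # DTP still active: a host on this port can negotiate it into a trunk
            findings.append((p.name, "mode not pinned to access or trunk; DTP can negotiate a trunk"))
        elif p.mode == "trunk":
            if not p.nonegotiate:
                findings.append((p.name, "trunk still runs DTP (missing 'switchport nonegotiate')"))
            if p.allowed is None:
                findings.append((p.name, "trunk allows all VLANs, so internal and DMZ share it"))
            elif p.allowed & internal and p.allowed & dmz:
                findings.append((p.name, f"trunk carries internal {sorted(p.allowed & internal)} "
                                         f"and DMZ {sorted(p.allowed & dmz)} together"))
            if p.native_vlan == 1 or p.native_vlan in host_vlans:
                # An untagged native VLAN that also carries hosts is what 802.1Q double tagging abuses
                findings.append((p.name, f"native VLAN {p.native_vlan} is VLAN 1 or carries hosts"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{name}: {problem}")
```

Run against the constructed config it reports one problem on Gi0/2 and
three on Gi0/23, and nothing on the correctly pinned ports. It only
audits what the Ethernet switch module's configuration shows; whether
anything else in the enclosure (the shared backplane or a management
module) can bridge the blades is a separate question the switch config
cannot answer.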
