Secure DMZ design - return to the main switch?

See attachment-

The DMZ was created before I started here... It goes back to the core switch... Why they would do this, I have no idea. Is it safe?

I want to create another DMZ. I bought two layer 2 switches (for NIC teaming, one NIC on each DMZ switch). What is the best way to connect the new DMZ switches to the DMZ interface on the ASA? I would need to use two interfaces on the ASA, so which gateway should I use? Or should I send them to the core like the other DMZ switch, in order to use only a single ASA interface?

What I would do is:

Put the uplinks from your new DMZ switches on ports on the main switch in VLAN 20 (your DMZ).

Plug your server NICs into the DMZ switches on whichever interfaces you want and they will automatically pass through the core switch VLAN.

Use the ASA's DMZ interface as the default gateway for the servers. Traffic will bounce through the DMZ switch interface and hit the ASA.

Tags: Cisco Security

Similar Questions

  • How to list the security settings for distributed virtual switches and their port groups

    Is there a .pl script I can use to list the security settings for distributed virtual switches and their port groups?

    Parameters such as:

    Promiscuous mode (accept/reject)

    MAC address changes (accept/reject)

    Forged transmits (accept/reject)

    Thank you

    Fred

    Take a look at this blog article for the script and details - http://www.virtuallyghetto.com/2011/12/retrieving-information-from-distributed.html

  • Security design: DMZ ports on an internal switch - bad idea?

    Hi all

    I'm looking for a compelling reason (or an argument that it is not serious) why a customer should not create DMZ VLANs on an internal Catalyst 6509.

    Basic topology is a 6509 in a DC and 2 x ASA 5510 in active/standby. They have finally agreed to start using a DMZ for various services, but because they have no other switch in the DC, they are happy to have these DMZs as separate VLANs on the 6509.

    Is this a security risk? (They do NOT use the 6509 as an 'outside' switch, so that's something, I guess.)

    How can the risk be mitigated?

    How could their environment be compromised?

    Any suggestion is appreciated. Thanks in advance,

    Mike

    I don't see a problem with this setup as long as:

    (1) External/DMZ is LAYER 2 ONLY! Use a security device to handle all layer 3 (firewall, FWSM, etc.).

    (2) You turn off proxy ARP on ALL layer 3 interfaces on the switch.

    (3) You don't give anyone access to the switch unless they know what they are doing (and understand the implications of having mixed traffic on the switch).

    (4) You configure a dummy VLAN, make sure everyone knows what it is (give it a name and document it), and make it the default VLAN for your switchports.

    (5) You turn off trunk negotiation (all ports must be configured "switchport mode trunk" or "switchport mode access", and also "switchport nonegotiate"). If you use 802.1Q (or ISL - ugh), explicitly set the VLANs that are allowed to pass with "switchport trunk allowed vlan x,y".

    (6) Use VTP transparent mode and don't trunk the external VLANs to other switches unless you know what you're doing.

    The most important is probably #3. One layer 3 interface moved, or IVR, and game over: you've just bridged the Internet to your internal network. I can't emphasize this enough: while this is possible and safe if done correctly, it is VERY dangerous if you don't know what you're doing. Some consider it too high a risk to take and rely on physical separation to eliminate the risk. I agree; however, I understand that not all of us can afford to purchase several 6500s.

    Another thing to consider: have you thought about using VRF-Lite?
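    The checklist above, and the "uplink in VLAN 20, gateway on the ASA" layout from the first reply, can be checked mechanically against a switch's running-config. The following is an added example written for this page, not code from either thread or from Cisco: a small linter for the items that a config can prove (no SVI on the DMZ VLAN, proxy ARP off on every layer 3 interface, DTP disabled, explicit trunk allowed-lists, unused ports in the parking VLAN, VTP transparent). The two configs, interface names, addresses and VLAN numbers (20 for the DMZ, 999 for the parking VLAN) are constructed assumptions.

```python
"""Added example, not from either thread above: lint a Cisco IOS running-config
for the checklist items that can be checked mechanically (items 1, 2, 4, 5, 6)
and for the VLAN 20 access-port uplink to the DMZ switches from the first reply.
Interface names, addresses and VLAN numbers are constructed for the example."""
import re
DMZ_VLANS = frozenset({20})  # assumption: VLAN 20 is the DMZ, as in the first reply

# Constructed sample that breaks several checklist items on purpose.
BAD_CONFIG = """\
vtp mode server
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/3
"""

# Constructed sample that passes: no SVI on VLAN 20 (the ASA DMZ interface is the
# servers' gateway), proxy ARP off on the inside SVI, DTP off, trunk pruned, unused port parked.
GOOD_CONFIG = """\
vtp mode transparent
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport access vlan 999
 switchport mode access
 switchport nonegotiate
 shutdown
"""


def parse_ios_config(text):
    """Split a running-config into (global lines, {interface: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # '!' ends an interface stanza
            current = None
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def lint_dmz_switch(text, dmz_vlans=DMZ_VLANS):
    """Return one finding per violated checklist item; an empty list means clean."""
    findings = []
    global_lines, interfaces = parse_ios_config(text)
    vtp = [g for g in global_lines if g.startswith("vtp mode")]
    if not vtp or vtp[-1].split()[-1] not in ("transparent", "off"):  # (6)
        findings.append("global: vtp mode must be transparent (or off)")
    for name, lines in interfaces.items():
        routed = any(l.startswith("ip address") for l in lines)
        svi = re.match(r"^Vlan(\d+)$", name, re.IGNORECASE)
        # (1) an SVI on the DMZ VLAN gives the switch a layer 3 path between zones.
        if svi and routed and int(svi.group(1)) in dmz_vlans:
            findings.append(f"{name}: layer 3 interface on DMZ VLAN {svi.group(1)}; DMZ must be layer 2 only")
        # (2) proxy ARP is on by default on IOS layer 3 interfaces.
        if routed and "no ip proxy-arp" not in lines:
            findings.append(f"{name}: proxy ARP not disabled on a layer 3 interface")
        if svi or "no switchport" in lines:
            continue                           # remaining checks are for switchports
        # (5) without nonegotiate, DTP can turn an access port into a trunk.
        if "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP not disabled (missing switchport nonegotiate)")
        if "switchport mode trunk" in lines:
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append(f"{name}: trunk carries all VLANs; set an explicit allowed list")
        elif not any(l.startswith("switchport access vlan") for l in lines):  # (4)
            findings.append(f"{name}: port defaults to VLAN 1; assign the parking VLAN")
    return findings
```

    Item 3 of the checklist (who gets access to the switch) is not something a config linter can prove, which is why it is the one that matters most: the linter catches the SVI someone added, not the person who added it.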

  • Validation of a DMZ design

    Here is a summary of my current client environment: 30 physical machines in total. I have a data center with 3 different VLANs: a public-facing DMZ, a company intranet-facing DMZ, and the intranet. Security is important in this environment, and we will have to go through certification and accreditation audits. I'm afraid the security officer will push for physical separation of each network, e.g. by running different ESX clusters for each. It would be very costly and inefficient, especially since both DMZ networks have 3-4 VMs each. I wouldn't run 4 VMs on a pair of DL380 G6s simply because they are in a different trust zone!

    I propose to create a distributed vSwitch with a 4-NIC team, with each VLAN segmented using VLAN tagging and combining the three zones on the same physical hosts. We could also consider having the management and VMotion VLANs on these same 4 NICs. I have already read this document, which describes in detail how this could be done.

    http://www.VMware.com/files/PDF/dmz_virtualization_vmware_infra_wp.PDF

    I think we're going to need to use a product like vShield Zones, or a 3rd-party virtual firewall (such as Altor), to pass our audits and satisfy the security people. We could dedicate physical NICs on the hosts, which would provide the best separation. I guess from a network traffic perspective it would be good practice to at least put the service console and VMotion on separate NICs.

    Should we go with VLANs here, or would you advise using NICs on separate virtual switches for the separation? Finally, my question boils down to this: is my design solid, and are there any additional recommendations for running the three different trust zones in a single cluster?

    Thanks in advance!

    Hello

    EST always implies that you use VLANs within your physical network for the DMZ and other trust zones... So continue to use VLANs within the virtual world. You can't really treat the vNetwork as 'less' secure than the pNetwork, because it actually is NOT. It's safer 'out of the box' from a layer 2 perspective, as the vNetwork is not susceptible to the many layer 2 attacks that the pNetwork 'out of the box' is susceptible to.

    If you use VLANs in the physical world, you 'trust' that your pSwitches stay or are configured correctly.

    So use VLANs in the vNetwork as well. VST works fine in this case.

    However, if your DMZ is PHYSICALLY separated from your other pNetworks, then maintain this separation by using EST with the DMZ pSwitch. I wouldn't have the DMZ pSwitch plugged into the pSwitch directly upstream of the ESX host and then use EST/VST. This is not correct.

    In both cases, when you combine DMZ and non-DMZ trust zones on the same cluster, you need to increase your vigilance to ensure that things do not move to where they do not belong.

    Even within the same cluster, I tend to keep my DMZ VMs on their own host or hosts to ensure their care does not impact the rest of the environment, or at least start like that and let DRS figure out the rest. I also put DMZ VMs on separate LUNs to avoid disk IO problems.

    However, if you need to be compliant, your auditors MAY require physical separation at the moment, as PCI has yet to issue any other kind of guidance. This decision is actually left to the auditor. That probably means you WILL have to physically separate. Talk to your auditors; they are there to help.

    Best regards
    Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009

    Now available: 'VMware vSphere(TM) and Virtual Infrastructure Security' - http://www.astroarch.com/wiki/index.php/VMware_Virtual_Infrastructure_Security

    Also available: 'VMware ESX Server in the Enterprise' - http://www.astroarch.com/wiki/index.php/VMWare_ESX_Server_in_the_Enterprise

    Blogs: Virtualization Practice (http://www.virtualizationpractice.com) | Blue Gears (http://www.astroarch.com/blog) | TechTarget (http://itknowledgeexchange.techtarget.com/virtualization-pro/) | Network World (http://www.networkworld.com/community/haletky)

    Podcast: Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast) | Twitter: Texiwill (http://www.twitter.com/Texiwill)

  • Security impact of disabling the content switch SSL close notify alert?

    Hi: I have a few problems troubleshooting applications at the SSL layer. Based on a few known IE bugs with Cisco content switch solutions with an SSL accelerator, we intend to disable the feature where the content switch sends the SSL close notify alert.

    Wondering if anyone out there has ideas whether this (disabling the SSL close notify alert to the server) will have an impact, or whether there are security holes?

    Thank you

    Ravi

    For the CSM, "close-protocol none" tells the SSL module not to send the SSL close notify alert at all when closing the connection.

    One of the ramifications of this could be that the IE browser client might not negotiate SSL session resumption for later SSL connections...

    This does not impair functionality, but could result in degraded performance, since the SSL module would have to establish more new sessions instead of resumed sessions.
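    The answer above covers the performance side. The security side of dropping close_notify is that a receiver can no longer tell a legitimate end of data from a connection cut short by a forged TCP FIN (the truncation attack that close_notify exists to prevent, RFC 5246 section 7.2.1). The following is an added example, not code from the thread or from Cisco: a minimal TLS record parser and a check that classifies how a connection ended. The record bytes and the HTTP payload are constructed; real post-handshake records are encrypted, so in practice this check runs at the endpoint after decryption.

```python
"""Added example, not from the thread above: decide whether a TLS connection
ended with a close_notify alert or with a bare TCP EOF. Without the alert a
receiver cannot tell a legitimate end of data from a truncation attack
(RFC 5246, section 7.2.1). The record bytes below are constructed."""
import struct

CONTENT_ALERT = 21
CONTENT_APPLICATION_DATA = 23
CLOSE_NOTIFY = bytes([1, 0])   # AlertLevel.warning, AlertDescription.close_notify


def parse_records(stream):
    """Return [(content_type, version, payload), ...] for every TLS record in stream."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("record header announces more bytes than received")
        records.append((ctype, version, payload))
        off += 5 + length
    if off != len(stream):
        raise ValueError("trailing partial record header")
    return records


def classify_close(stream):
    """'clean' if the final record is close_notify; otherwise 'unverified', meaning
    a bare EOF that may be a normal close or an attacker's truncation."""
    records = parse_records(stream)
    if records and records[-1][0] == CONTENT_ALERT and records[-1][2] == CLOSE_NOTIFY:
        return "clean"
    return "unverified"


def record(ctype, payload, version=0x0303):
    """Build one TLS record (constructed helper; TLS 1.2 version field by default)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


# Constructed exchange: two application-data records, then the peer's closing behaviour.
APP_DATA = (record(CONTENT_APPLICATION_DATA, b"HTTP/1.1 200 OK\r\n")
            + record(CONTENT_APPLICATION_DATA, b"Content-Length: 2\r\n\r\nok"))
WITH_CLOSE_NOTIFY = APP_DATA + record(CONTENT_ALERT, CLOSE_NOTIFY)  # normal close
WITHOUT_CLOSE_NOTIFY = APP_DATA   # FIN only: "close-protocol none", or an injected FIN
```

    The endpoint-side equivalent in Python's ssl module is wrapping the socket with suppress_ragged_eofs=False, which makes a read raise ssl.SSLEOFError on an EOF that arrives without close_notify instead of silently returning an empty read.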

  • LiveCycle Designer: Handling complex XML returned by an LC Workbench process

    Hello community,

    Situation: an XFA form making a search request:

    (1) I have an LC process that has an "out" variable of XML type.

    (2) The XML contains repeating elements.

    (3) The XFA form makes a web service call to the LC process and stores the XML response ("search results") in a hidden text field.

    (4) I would now like to use this XML to populate a small section of the form (a table) with the "search results".

    I am familiar with this method:

    - xfa.datasets.data.loadXML(tfRespXML.rawValue, 0, 1);

    However, this reloads the WHOLE form with the XML, and unfortunately loadXML() does not work on subforms/nodes!

    -> By the way, posting the entire form XML upward and getting the entire form XML + search results back as the answer is also not an option.

    Question:

    (1) I'm very interested to know what, in your opinion, is the most convenient way to handle complex XML inside an LC form using JavaScript?

    Hello

    You can call loadXML at a lower level of your dataset to keep the other values, such as:

    xfa.datasets.data.form1.subform1.subform2.loadXML(tfRespXML.rawValue, 0, 1);

    You can also use the Acrobat JavaScript Net object to call a web service that returns a JavaScript object, which is sometimes more convenient if you are trying to bind the returned data.

    Regards

    Bruce

  • Need help designing a query that returns rows as shown below

    Hi all

    I have, say, an emp table. I am trying to generate an extra column that will contain 1 for the first 3 rows, then 2 for the next 3 rows, and so on.

    I've checked a number of different options, but I don't get a clear idea of how to generate it.

    I'd be grateful if someone could throw out an idea about it.

    Thank you

    MK.

    Hello

    Why do you want 'SMITH', 'ALLEN' and 'WARD' to be given the number 1? Why not, say, 'SMITH', 'JONES' and 'MILLER'? If you use words like 'first' or 'next' in your explanation, explain what they mean, since there are many different ways to sort the rows.

    Maybe you don't even care which 3 employees are assigned the number 1, as long as exactly 3 get number 1, another 3 get number 2, and so on.

    I'm guessing you want something like this:

    SELECT CEIL (ROW_NUMBER () OVER (ORDER BY empno)
                 / 3
                ) AS r_num,
           empno, ename, job, mgr, hiredate, sal, comm, deptno
    FROM   emp
    ORDER BY empno
    ;

    ROWNUM is an Oracle keyword, so it is not a good column name. I used r_num instead. (Depending on your requirements, you may be able to use ROWNUM to get r_num.)

  • I bought Creative Suite 5 Design Premium for Mac, and now I have switched to Windows. What can I do to get the Creative Suite on my computer?

    I have my serial number and my old CD.

    You would need to acquire a Windows version of the software. There is not much you can do short of finding someone who sells this version for Windows and trying your luck at purchasing it from them. I don't think there is any kind of Mac software emulation for Windows machines, unless I'm wrong. Adobe does not sell older versions of their software and they don't support platform swaps for their latest version (CS6), which will probably end in time as history buries the Creative Suite product range.

  • I have CS4 Design Premium that was upgraded to CS5.5 Design Premium. Can I upgrade to CS6?

    It does not recognize my CS5 upgrade serial number.

    I suppose this would be considered CS5, even if it was upgraded from CS4 versions.

    Long answer: Yes.

    Mylenium

  • SG300 voice VLAN problem with UC520

    Greetings forumers

    My problem statement:

    - Please refer to topology.png; this is how my network structure looks.

    - The IP phone cannot connect after startup, so it cannot download the XML configuration file from the UC520. I suspect a switching problem.

    - My configuration is illustrated in topology.png and my config shows the voice VLAN as in voice setting.png.

    - My requirement is for a single SG300 switchport to carry both the data VLAN and the voice VLAN.

    - Which voice VLAN connection mode must be set up for an IP phone + data? Is it "switchport voice vlan vvid", "switchport voice vlan dot1p", "switchport voice vlan untagged", or "switchport voice vlan none"? Is any further action required?

    Thank you

    Noel

    Morning Noel,

    Sorry for the late reply, things have been very hectic in here lately

    1. Why use a trunk? The UC520 doesn't have a voice VLAN (VLAN 20).

    Do you mean that the data VLAN is handled by another device? Again, I would leave it as a trunk in order to manage the UC520 through the data VLAN (unless for security or other reasons you would choose differently, of course).

    2. The UC520 has CUE (voicemail); how should I design the uplink for the CUE service module to the main switch?

    Nothing in particular needs to be done for this; CUE is processed and routed inside the UC520. The CUE VLAN (default ID = 90) is used if you have another CUE in the network.

    1. I guess I did: switchport tagged VLAN 20, untagged VLAN 10. Is it OK for this setting?

    If the voice VLAN on the switch and the UC520 has been defined as VLAN 20 (default = VLAN 100), it's perfect. Check that on the UC520 and the switch the voice VLAN ID is set to 20.

    1. So if I just have the phone in VLAN 20 (voice VLAN), do I need to create the LLDP network policy?

    If you are willing to configure the VLANs manually on the phone, you don't need the LLDP policy, that's right.

    The LLDP policy is used to have phones automatically choose the VLAN you set, so you do not need to set it manually.

    I hope that answers your questions?

    Best regards

    Nico glacier

    Senior Network Engineer - CCNA

  • DMZ virtualization and network design: UCS + VMware

    Until now, we had a physically segmented network with different internal and external VTP domains/zones. "Inner zone" switches carry one set of VLANs and "outer zone" switches carry a different set of VLANs. VLANs are not propagated between the different zones for security reasons; they are isolated.

    Currently we have started working with UCS + VMware, and we are facing difficulties. Under the previous model, if we virtualize servers of the internal zone in the UCS, we cannot virtualize servers of the external zone in the same UCS, since that would propagate the internal zone VLANs as well as the external ones to the UCS farm, mixing them. As a result, the isolation would be lost.

    I'm reviewing my network baseline in order to adapt the current infrastructure to the new one with UCS + VMware, without missing any security point.

    My main question is whether it is possible to virtualize external-zone and internal-zone virtual machines in the same UCS without compromising the security of my network.

    Could you give me some advice or design guide?

    Kind regards

    Hello-

    You are right that up through UCS 1.4 all the VLANs had to be available on the upstream switches. However, UCS 2.x introduced a feature named "Disjoint L2". Using this feature, you will be able to connect the Fabric Interconnect to both your internal network and the DMZ, then configure the VLANs for the blades.

    http://www.Cisco.com/en/us/docs/unified_computing/UCS/SW/GUI/config/Guide/2.0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_010101.html

    Matthew

  • Single ASA, 2 inside core switches (HSRP): best practice design

    Hello

    I'm designing a network with the following equipment:

    1: 2 x cores (4503)

    2: single ASA 5520 firewall

    I have the following design options:

    DESIGN 1:

    1. Core switches use HSRP
    2. VLANs are active on one (primary) switch at a time
    3. CONNECT BOTH CORES TO THE ASA
    • ASA E0 - outside (routers) switch
    • ASA R1 (redundant interface = E1 + E3) - both cores (HSRP)
    • ASA E1 - Core 1 (F3/48) + ASA E3 - Core 2 (F3/48)
    • ASA E2 - DMZ switch

    DESIGN 2:

    1. Core switches use HSRP
    2. VLANs are active on one (primary) switch at a time
    3. CONNECT BOTH CORES TO A LAYER 2 SWITCH (INSIDE ZONE)
    4. CONNECT THE LAYER 2 SWITCH TO ASA E1

    The first option looks better to me, as it avoids a single point of failure (the inside layer 2 switch).

    Unfortunately, I'm short on time and do not currently have access to a lab.

    Please:

    1. Share your experience and suggest which option is preferable
    2. Advantages and disadvantages during HSRP failover, other features, etc.
    3. Indicate if there is an alternate option
    4. Precautions

    BR,

    ABDUL MAJID KHAN

    Your "redundant ASA interface" is not really redundant. A single ASA has no real redundancy. I guess you could make an "inside 1" and "inside 2", but they would have separate IP addresses and inside hosts would not automatically fail over from one to the other. I would say the complexity that introduces more than offsets the downside of the second idea, having a small L2 switch VLAN between your single ASA's inside interface and your L3 core switches.

    That's why I prefer the second option. An L2 switch with a stable configuration, once set up, is quite reliable; I regularly come across them with years of uptime. You can also add quasi-redundancy in option 2 by tying your ASA E1 and E3 interfaces together in an EtherChannel (requires ASA software 8.4 or later). That option is not possible with option 1 (at least not across the two core switches), as an EtherChannel cannot terminate on two separate IOS switches at one end.

  • Return from a loaded swf to main?

    Hello! I have some SWF files I want to combine: I have main.swf, which contains buttons, and I want each button to lead to an external swf. I already did that.

    What I don't know is how to return to main.swf. I want all the external SWFs to have a button called "Return to menu" that goes back to main.swf... Is this possible?

    Thanks in advance for any help!

    In the main timeline of your loaded swf file:

    // the "Return to menu" button tells the parent swf to unload this one
    unload_btn.addEventListener(MouseEvent.CLICK, closeF);

    function closeF(e:Event):void {
        this.dispatchEvent(new Event("unloadE"));
    }

    ///////////////////////////////////

    In your main swf file:

    var loadKOK:Loader = new Loader();
    var urlKOK:URLRequest = new URLRequest("KOK-with-grafics - FINAL .swf");
    loadKOK.contentLoaderInfo.addEventListener(Event.COMPLETE, loadCompleteF);

    var loadEurw:Loader = new Loader();
    var urlEurw:URLRequest = new URLRequest("corners-with-grafics - FINAL .swf");
    loadEurw.contentLoaderInfo.addEventListener(Event.COMPLETE, loadCompleteF);

    function loadCompleteF(e:Event):void {
        // e.target is the LoaderInfo; listen for the custom event on the loaded content
        MovieClip(e.target.loader.content).addEventListener("unloadE", unloadF);
    }

    function unloadF(e:Event):void {
        // e.currentTarget is the loaded content; its parent is the Loader
        Loader(e.currentTarget.parent).unloadAndStop();  // if publishing for FP10+; otherwise use: Loader(e.currentTarget.parent).unload();
    }

    kok.addEventListener(MouseEvent.CLICK, simataK);

    function simataK(event:MouseEvent):void {
        loadKOK.load(urlKOK);
        addChild(loadKOK);
    }

    eurw.addEventListener(MouseEvent.CLICK, kermataE);

    function kermataE(event:MouseEvent):void {
        loadEurw.load(urlEurw);
        addChild(loadEurw);
    }

  • vSphere network design - thoughts?

    Hi all

    Looking for some advice/confirmation on a build that I am putting together.

    Hardware: C3000 blade enclosure, 4 pass-through switches

    2 x BL460c G6 servers with 6 NICs each.

    The design is similar to the following:

    2-NIC team for production and the service console on the same vSwitch0 - thoughts on this?

    1 NIC on each host for VMotion

    2 x NICs for iSCSI SAN and SC (iSCSI is not used yet, just FC)

    1 DMZ NIC on each host

    Will it work OK? Using pass-through to keep things simple, patched to the main switch and the DMZ switch. Any security concerns?

    Looking forward to the comments.

    Cheers

    Use only 2 NICs for iSCSI... no SC.

    If you have 4 NICs free, you might consider (if possible) using VLAN tagging for vMotion, DMZ, management and LAN on the same vSwitch.

    Then for each port group use the right VLAN tag and bind it to different NICs.

    André

  • DMZ and PIX failover

    Hello

    I'm pretty happy with the failover of the inside and outside interfaces - i.e. the backup PIX inherits the IP address and MAC address of the primary unit. However, what about the DMZ interface? Does it also inherit the IP address and MAC of the primary unit?

    In a failover design with only a couple of servers on the DMZ, do you connect the two PIX DMZ interfaces into a common switch (same VLAN, of course!) and then plug the servers in?

    Pretty basic questions, I know, but I cannot find an answer to this on CCO.

    Best regards, Steve

    Hi Steve,

    Yes... the DMZ interfaces also inherit the IP and MAC address of the primary PIX.

    In this scenario, even if you have only one server, you need to plug the 2 PIXes into a switch and then the server into the same VLAN... This ensures the server is physically reachable from both PIXes at the same time. If you have only a single connection, you must move the cable manually when a PIX fails, which is a big headache...

    I hope this helps...

    Please rate answers if you found them useful!
