Re: HP BL30's and VLAN's

From: Ricardo Oliveira (rmo-mlists@eurotux.com)
Date: Thu Mar 03 2005 - 15:31:53 EST


Merrick, Carl wrote:

>I am not a pen tester and this is more of a theoretical question for the
>experts. We are in the process of installing HP BL30p blade servers which
>use the GBE2 integrated switch for network connectivity. One of the servers
>installed will be a web server which will run in the DMZ. Connectivity to
>the DMZ will be provided from the GBE2 to a port on the firewall via a VLAN.
>Other internal VLANs will be running on the same GBE2 switch. The question
>is, how secure will this setup be? Is it possible to hack across VLANs on
>the same switch? My preferred configuration is to physically isolate web
>servers.
>
>Thanks. Carl
>
>
Carl,

 AFAIK, the integrated switches aggregate the 16 (8+8?) ports from the
BL30p's in each enclosure into 4 (IIRC) ports. This is purely an
aggregation process, disregarding isolation or performance (8 servers
aggregated in 4 ports).

 This means you won't get the same traffic separation you'd get in a
regular switch - although you could isolate the servers with VLANs, I
think it'd be easy to get through this isolation between all the servers
connected in these GBE switches. All the "protection" you can get in a
regular switch comes from the fact that the switch knows which ports/MAC
addresses belong to each VLAN.

Regards,
 Ricardo Oliveira


