LAN and DMZ on same switch

[heyjim]

As in the title - is it possible to have a LAN and DMZ on the same physical switch?

I'm hoping that something like this is possible?

We're running a SonicWALL TZ215 and Hyper-V on our server which I believe may also need tweaking with virtual switches etc?

Any help appreciated.

Thanks

 

[RadiclDreamer]

Should be possible, you will need to have trunks setup on each port along the way as well as your server will need to support dot1q trunking.

 

[heyjim]

Should be possible, you will need to have trunks setup on each port along the way as well as your server will need to support dot1q trunking.

Sounds complicated!

The public server in the DMZ will also need to be able to talk to a database server on the LAN - not sure if that complicates things or not?

 

[seepy83]

Like RadiclDreamer said, you can do this with VLANs (802.1Q / dot1q). Depending on your requirements, that may or may not provide adequate security. Along the same lines, it also looks like you'll be hosting VMs from multiple security zones (DMZ and LAN) on the same host/hypervisor, which also has the potential to expose you to additional risk.

 

[Mushkins]

As long as your switch supports VLANs, you can definitely do this with the equipment you have.

 

[RadiclDreamer]

Sounds complicated!

The public server in the DMZ will also need to be able to talk to a database server on the LAN - not sure if that complicates things or not?

Not really, but you will need switches that support vlans and dot1q trunks. Also, is your server a true server or a desktop pc running as a server? If its a real server it will almost certainly have a network card that supports trunking.

 

[smakme7757]

Why can't you make the DMZ with Sonic wall?
Currently i run the home version of the Sophos UTM in Hyper-V and it's that VM which controls my entire network.

Although my setup is virtual i will explain it as if it was a physical PC.
1 NIC = WAN
1 NIC = LAN
1 NIC = DMZ

three separate networks, granted you need an extra NIC, this is where VLAN can save you some cash, however mine is virtual so I'm not spending any more money on NICs. Firewall rules control traffic in and out of each zone.

I find that is a much easier way than setting up VLANs and it will allow for more control as you're running the DMZ directly off a UTM. I havn't tried SonicWall, but I would have used that to create the DMZ unless you have no choice but to use VLANs or if Sonicwall doesn't have that kind of functionality.

**You would of course need a separate dedicated NIC in the hyper-v server which is dedicated to the DMZ. So you create a new virtual switch on that Hyper-V server.

 

[heyjim]

Yep, our switch is 802.1Q (Netgear GS724TP).

Also, is your server a true server or a desktop pc running as a server?

Real server - Dell PE R710.

Why can't you make the DMZ with Sonic wall?

That was my original idea - X0 LAN & X2 DMZ. It just wasn't sure if the 2 cables coming from X0 & X2 could plug into the same switch and work?

Basically we want to have a web server (viewable to the public) and a SQL server on the LAN which holds the data.
Our end goal is to limit access to the rest of our network in the event the web server was comprimised.

 

[smakme7757]

Yep, our switch is 802.1Q (Netgear GS724TP).



Real server - Dell PE R710.



That was my original idea - X0 LAN & X2 DMZ. It just wasn't sure if the 2 cables coming from X0 & X2 could plug into the same switch and work?

Basically we want to have a web server (viewable to the public) and a SQL server on the LAN which holds the data.
Our end goal is to limit access to the rest of our network in the event the web server was comprimised.

Ideally you would have both networks connected to different switches, so they are physically separated.

What I would do if I was you. I would use a different subnet for the public facing services that you want in the DMZ. So you separate the networks logically, forcing packets through the SonicWall router. That in turn allows Sonicwall to filter the packets however you set it up.

For example:
172.16.0.0 = LAN
10.0.0.0 = DMZ

Define both of those networks in Sonicwall (Again, i havn't used SonicWall). Setup firewall profiles that only allow each subnet to access the WAN.

Once that is done and setup perfectly. I.e you cannot access the DMZ from the LAN nor the LAN from the DMZ. Then you can work from there if you need LAN to DMZ connectivity, say, from a maintenance machine.

You could define a specific LAN machine, for example, 172.16.0.99 and only allow that machine to access the DMZ zone using specific services. You have to keep in mind that that machine would then become the weakest link and could act as a router between the two networks.

That way should solve your problem without the need for any complex networking or extra hardware.

That would also give you lots of log data and IDS data from the SonicWall as everything will be passing through it. If an attacker gets into the webserver and launches a portscan or some sort of worm, then *hopefully* the IDS in Sonicwall will identify it and the IPS will stop it . At least that's the plan.

 

[imagoon]

That was my original idea - X0 LAN & X2 DMZ. It just wasn't sure if the 2 cables coming from X0 & X2 could plug into the same switch and work?

Yes, using vlans, 802.1Q etc. It isn't complicated. I consider it one of the less complicated network configurations to setup. You don't even need multiple cables from the firewall if it also supports vlans.

You would create 2 sub-interfaces on the firewall (sub interfaces live on an interface IE "port 1")
Numbers here are example only.
Assign LAN to tagged vlan 100
Assign DMZ to tagged vlan 600

On the switch, set the firewall port to trunk, allow 100,600
On the virtual server switch port, trunk, allow 100,600
Any clients: "Access, untagged 100"
On the server configure the network card to support vlans, create 100 and 600. Obviously how this is done varies based on the OS. VMWare is really simple. Hyper-V varies on a bit annoying to simple depending on the version.
Inside the VM Hypervisor, attach the VM to the correct "Network"

 

[imagoon]

Ideally you would have both networks connected to different switches, so they are physically separated.

Or use vlans to accomplish the exact same thing with less gear.

 

[smakme7757]

Or use vlans to accomplish the exact same thing with less gear.

Very true!

Yes, using vlans, 802.1Q etc. It isn't complicated. I consider it one of the less complicated network configurations to setup. You don't even need multiple cables from the firewall if it also supports vlans.

You would create 2 sub-interfaces on the firewall (sub interfaces live on an interface IE "port 1")
Numbers here are example only.
Assign LAN to tagged vlan 100
Assign DMZ to tagged vlan 600

On the switch, set the firewall port to trunk, allow 100,600
On the virtual server switch port, trunk, allow 100,600
Any clients: "Access, untagged 100"
On the server configure the network card to support vlans, create 100 and 600. Obviously how this is done varies based on the OS. VMWare is really simple. Hyper-V varies on a bit annoying to simple depending on the version.
Inside the VM Hypervisor, attach the VM to the correct "Network"

I like this solution Imagoon. It's actually very clean and straight forward. +1

 

[heyjim]

So I've found this setting which seems to allow me to create an interface and assign it to a parent interface.

Can any number be used for the VLAN tags? E.g, 1 and 2?

And I assume I could just leave the current LAN as it is and create the DMZ VLAN?

 

[imagoon]

So I've found this setting which seems to allow me to create an interface and assign it to a parent interface.

Can any number be used for the VLAN tags? E.g, 1 and 2?

And I assume I could just leave the current LAN as it is and create the DMZ VLAN?

1 and 2 works. 1 is typically special however and there is the chance that garbage from another vlan could be dumped in to it if you wire / misconfigure something because 1 is normally "untagged." It is generally better to tag everything. If you don't it may not be an issue.