VLANs are not for security again

I have commented before about VLANs, but the topic came up again at work on Friday. We are working with an IBM HS20 BladeCenter environment, which places all servers behind two Gigabit switches. A server can be attached to either switch or to both; in our case one switch was in the DMZ and the other was attached to the normal network. A server cannot have multiple connections to the same switch, nor a direct connection to the core switches.

Having set up the context, here was the dilemma. As part of the project, the designers specified two connections for each server: one for public communications and one for private communications, used for Notes replication between the main Domino servers. Additionally, a few servers had connections only in the DMZ. The problem is somewhat evident – a need for three switches where only two could exist. The answer according to the Notes consultant was to place the private communication on the DMZ switch and “protect” it with a VLAN. The in-house operations people, to their credit, recognized the problem with that scenario. Consultants may know their piece of the technical pie, but implementing security might not be one of them.
