Are VLANs safe in DMZ environment?
The Thinking problem management! blog had an interesting article on The Leaky VLANs myth, quoting a test report from the SANS Institute that documents how you can inject frames into other VLANs even if you're not connected to a trunk port. The report is eight years old (so one would hope this issue has been fixed in the meantime), but there's another question you should ask yourself: what happens when you lose the configuration of the switch (and I've seen devices lose their configuration after a power glitch)? If you're using a router to perform L3 switching, no harm is done; a router with an empty configuration forwards no packets. But if you're using a low-end switch, you're in deep trouble: by default, a switch forwards packets between all ports ... and if you use static IP addresses on all subnets, you won't even notice they're connected. If you want to be very safe, you're better off having a different set of switches for the inside and the outside zones of your firewall.
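As an added example (not from the post): a small Python audit of a saved IOS-style switch config for the state the post warns about (ports left up in the default VLAN 1, which is what a wiped switch reverts to) plus a few VLAN-isolation points (native VLAN on trunks, port security on DMZ access ports, no routed SVI on a DMZ VLAN). The sample config, the DMZ VLAN numbers and the finding strings are constructed.

```python
import re

# Constructed sample running-config: firewall trunk, DMZ access port, forgotten port, DMZ SVI.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
 switchport port-security
interface GigabitEthernet0/3
 switchport mode access
interface Vlan20
 ip address 192.0.2.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented (stripped) config lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None
    return sections

def _vlan(lines, prefix, default=1):  # IOS default for access/native VLAN is 1
    return next((int(l.split()[-1]) for l in lines if l.startswith(prefix)), default)

def audit(config, dmz_vlans):
    """Return (interface, finding) pairs for settings that weaken VLAN isolation."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:  # a routed SVI makes the switch itself a hop into the DMZ VLAN
            if int(svi.group(1)) in dmz_vlans and any(l.startswith("ip address") for l in lines):
                findings.append((name, "L3 SVI on a DMZ VLAN"))
        elif "switchport mode trunk" in lines:
            if _vlan(lines, "switchport trunk native vlan") == 1:
                findings.append((name, "trunk native VLAN is 1"))  # untagged frames land in VLAN 1
        elif "switchport mode access" in lines:
            vlan = _vlan(lines, "switchport access vlan")
            if vlan in dmz_vlans and "switchport port-security" not in lines:
                findings.append((name, "DMZ access port without port-security"))
            if vlan == 1 and "shutdown" not in lines:
                findings.append((name, "port up in default VLAN 1 (wiped-switch state)"))
    return findings
```

Running `audit(SAMPLE_CONFIG, {10, 20})` on the sample flags the trunk's native VLAN, the forgotten VLAN 1 port and the DMZ SVI, while the secured access port passes.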
As you mentioned though, this is 8 years ago. Most switches have evolved to the point where backplanes far exceed the traffic that could ever be injected into their switchports.
Even beyond backplane enhancements there are many ways to further firm up your security stance - Virtual Device Contexts, not using Layer 3 SVIs on a DMZ VLAN, utilizing PVLANs, using port security, and many more.
I think the real question is not "are VLANs safe in a DMZ" I think the question is have you mitigated the risk of compromise to levels that are acceptable to your business. This question remains whether you have a standalone switch or not.
--Colin
Though a lot of effort was often put into separating zones and DMZs, through the use of dedicated and separated switches, I often thought it was a bit of a waste of effort, as often the WAN and Internet service were separated by the Telco/Service Provider by nothing more than a Virtual CCT or VLAN etc., i.e. both types of traffic were delivered over the same physical connection.
The times I have pointed this out to the security "architects" they could not see or understand my point. It was their belief that the Telco would never make mistakes or incorrectly configure the service securely. It still cracks me up.
It is my opinion that as long as you use the full suite of tools available to you (as mentioned by the previous comment) and you pro-actively monitor and manage the infrastructure, then VLANs are OK.
Ivan, I don't agree with your analysis of a switch wipe being a justifiable reason:
* A DMZ would not be a single switch install as it would be aggregated over at least two switches for resilience. It is not possible to have one switch fail and not know about it.
* The assumption with a switch failure as you described would mean no management or monitoring. Such a crime, in my opinion, would be a mandatory removal of the responsible engineer's Cisco cert.
* Good practice would be to have multiple DMZs. As a minimum at least two to separate processing and data. Since the DMZ connections are via a firewall, the only method to enable this configuration is via dot1q. If the firewall was using dot1q the scenario as described would not be possible.