
Using VLANs as security barriers

18 years 3 months ago #15890 by DaLight
I have come across a number of discussions of the above topic on various online forums and wondered if I could get some "Firewall.cx" input on this.

Obviously, VLANs are most commonly used to partition internal networks, but what I'm getting at is the practice of using VLANs to separate internal networks from internet facing ones, thus moving the point of weakness from the firewall to the switch.

This article contains some interesting thoughts on the subject.

So what do you guys think? Good idea or bad idea?
18 years 3 months ago #15903 by Chris
The 'VLAN' partitioning concept is usually applied within the local network area, but also seems to be found lately on the public side of companies' networks.

While VLAN hopping and other techniques used to gain unauthorised access are stopped at the switch level (Cisco), it still remains a big risk, especially if you decide to place the switch on both private and public networks!

My personal opinion is that you can (and should) use VLANs in your private and public networks, but ensure you keep them separate from each other. In other words, if a switch will contain one public VLAN, then no private VLANs or networks should be placed on it.

This will help minimise the risk, as potential attacks that might at some point find their way into your network can cause problems that will have you running to keep your job :)

Cheers,

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
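As an added example (not code from the thread or from Firewall.cx), here is a small audit script that checks a Cisco IOS-style running-config for the two things Chris describes: trunk ports that still allow VLAN hopping (DTP negotiation left on, native VLAN 1) and a switch carrying both public and private access VLANs. The sample config and the PUBLIC_VLANS set are constructed, and the rule that a port with no explicit `switchport mode` may negotiate a trunk is an assumption about platform defaults.

```python
# Constructed example: audit a Cisco IOS-style running-config for the risks in this thread.
PUBLIC_VLANS = {100}  # assumption: VLAN IDs this site treats as internet-facing

# Constructed sample config with deliberate weaknesses (not a real device's config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet0/3
 switchport access vlan 20
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
"""


def parse_interfaces(config):
    # Map each "interface X" stanza to its indented config lines.
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global line ends the stanza
    return stanzas


def audit(config, public_vlans=PUBLIC_VLANS):
    # Returns (interface, finding) pairs; "switch" marks a device-wide finding.
    findings, access_vlans = [], set()
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append((name, "trunk still negotiates DTP; add 'switchport nonegotiate'"))
            native = next((int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append((name, "native VLAN 1 on trunk; move it to an unused VLAN"))
        elif mode != "access":
            # Assumption: with no explicit mode the port may still negotiate a trunk via DTP.
            findings.append((name, "no 'switchport mode access'; port may negotiate trunking"))
        access_vlans |= {int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")}
    # The thread's key point: public and private VLANs should not share one switch.
    if access_vlans & public_vlans and access_vlans - public_vlans:
        findings.append(("switch", "public and private VLANs share this switch"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports two findings on Gi0/1, one on Gi0/3, none on Gi0/4, and the device-wide public/private mix.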
18 years 3 months ago #15907 by DaLight

In other words, if a switch will contain one public VLAN, then no private VLANs or networks should be placed on it.

I think that's the key point, Chris.