Friday, July 18, 2008


The PVLAN concept allows you to design a VLAN where each peer can communicate only with one (or more) specific peers, instead of having full "n to n" connectivity.

Now, why am I not seeing people using that to deploy more secure DMZs (or simply zones)? I mean, if you place a web server, an SMTP server and a DNS server on your DMZ, why should they be able to talk to each other (assuming they don't have a specific need to do that)? If you do that, even with your web server compromised you still have the access restrictions from your firewall in place to protect the others, avoiding the old problem of stepping stones.

Is there anybody out there that is doing that?
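As an added illustration (not part of the original post), this is what the DMZ described above looks like as a private VLAN on a Cisco IOS switch: the firewall's DMZ interface sits on a promiscuous port, and the web, SMTP and DNS servers sit on isolated host ports, so they can each reach the firewall but not one another. The VLAN IDs and interface names are made up for the example.

```cisco
! Private VLANs require VTP transparent mode on many IOS platforms
vtp mode transparent

! Primary VLAN 100 carries the DMZ; isolated VLAN 101 holds the servers.
! Isolated ports talk only to promiscuous ports, never to each other.
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101

! Firewall DMZ leg: promiscuous, so it can reach every server
interface GigabitEthernet0/1
 description Firewall DMZ interface (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101

! Each server is an isolated host; repeat for Gi0/3 (SMTP) and Gi0/4 (DNS)
interface GigabitEthernet0/2
 description Web server (isolated host)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101

! Verify: "Isolated" should appear for 101 and each host port should be listed
! show vlan private-vlan
```

Because every frame from an isolated port still reaches the firewall, the firewall's own DMZ policy must deny traffic that it would otherwise route straight back into the same segment; otherwise the web server could reach the SMTP server via the firewall, and the PVLAN alone would not stop it.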