Apple 10.6 manual VLANs, MAC Filtering

This allows an organization to provide services to the external network while protecting the internal network from being compromised by a host in the DMZ. If someone compromises a DMZ host, he or she cannot connect to the internal network.

The DMZ is often used to connect servers that need to be accessible from the external network or Internet, such as mail, web, and DNS servers.

Connections from the external network to the DMZ are often controlled using firewalls and address translation.

You can create a DMZ by configuring your firewall. Each network is connected to a different port on the firewall, called a three-legged firewall setup. This is simple to implement but creates a single point of failure.

Another approach is to use two firewalls with the DMZ in the middle, connected to both firewalls, and with one firewall connected to the internal network and the other to the external network. This is called a screened-subnet firewall.

This setup provides protection in case of firewall misconfiguration, allowing access from the external network to the internal network.

VLANs

Mac OS X Server provides 802.1q Virtual Local Area Network (VLAN) support on the Ethernet ports and secondary PCI gigabit Ethernet cards available or included with Xserves.

VLAN allows multiple computers on different physical LANs to communicate with each other as if they were on the same LAN. Benefits include more efficient network bandwidth utilization and greater security, because broadcast or multicast traffic is only sent to computers on the common network segment. Xserve VLAN support conforms to the IEEE 802.1q standard.

MAC Filtering

MAC filtering (or layer 2 address filtering) refers to a security access control where a network interface’s MAC address, or Ethernet address (the 42-bit address assigned to each network interface), is used to determine access to the network.

MAC addresses are unique to each card, so using MAC filtering on a network permits and denies network access to specific devices, rather than to specific users or network traffic types. Individual users are not identified by a MAC address, only a device, so an authorized person must have an allowed list of devices that he or she would use to access the network.