Solved

securing servers from internal network

Posted on 2006-11-23
4
260 Views
Last Modified: 2013-12-04
1. i am having cisco 6509, 4506  and some other switches
in the network. i want to prevent my servers from the internal
network there are nearly 20 servers.
let me be clear.  i have 2 DC  and rest are web servers
with 600 clients and all are in same ip range. what i want
is if my clients want to access the servers they shouldnot
be able to access the servers. which is the better way
to protect. i am thinking of enabling VLAN between the servers and clients by enabling only required ports for dns,http, and others does this work or which is the better way .

2. i also have some l2 switches some are managable and some are not how do i block the ports on unmanagable switches.

3. i am having vulnerabilit check from outsided persons which would be the better way
0
Comment
Question by:kvkvamsi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 75 total points
ID: 18014502
1)  Use the inbuilt firewalling features of the switches.  A firewall is what you need here - that way you can lock down ports that you don't want users to access
2)  You can't lock down ports on unmanaged switches
3)  Vulnerability checks, as well as firewalls, are only small layers of overall security - you need to address this holistically and look at other things like physical access and also security policies and procedures.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 75 total points
ID: 18014558
I'm not sure why you want to prevent internal users from accessing servers. After all, the primary function of a server is to serve up data to the clients. DC's need to be accessible from clients to controll network and resource access, manage user accounts, etc. Just be careful what you ask for and carefully plan out which ports are needed.

Given that you have a 6509 as the core switch, it is probably (depending on the supervisor model) fully capable of using Vlan ACLS (VACLS) to control traffic between vlans using access-lists. This is probably the simplest approach to segregating servers from clients. You could also install a Firewall services blade in the 6509 and have true firewall inspection capabilities between the vlans.

You have to carefully plan out your vlans in order to use the unmanaged L2 switches. Since they are most likely end user connections, just the uplink to that switch needs to be in access mode not trunk mode, in the correct user vlan.

Like Tim said above, unmanaged switches mean that you have no facilities on the switch itself to block traffic on specific ports, assign vlans, or anything else. They are just dumb connectivity bricks.

A vulnerability check is a good first step. A complete "defense in depth" strategy to include written polices and procedures is absolutely required. See Cisco's SAFE blueprints for good overall strategy http://www.cisco.com/go/safe
See SANS Institute for help on policies http://www.sans.org/resources/policies/

My humble $0.02
0

Featured Post

Get Actionable Data from Your Monitoring Solution

Your communication platform is only as good as the relevance of the information you send. Ensure your alerts get to the right people every time with actionable responses. Create escalation rules that ensure everyone follows the process and nothing is left to chance.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question