securing servers from internal network

1. I have Cisco 6509, 4506 and some other switches in the network. I want to protect my servers from the internal network; there are nearly 20 servers. Let me be clear: I have 2 DCs and the rest are web servers, with 600 clients, and all are in the same IP range. What I want is that if my clients try to access the servers, they should not be able to access the servers. Which is the better way to protect them? I am thinking of enabling a VLAN between the servers and clients and enabling only the required ports for DNS, HTTP and others. Does this work, or which is the better way?

2. I also have some L2 switches; some are manageable and some are not. How do I block the ports on unmanageable switches?

3. I am having a vulnerability check done by outside persons. Which would be the better way?

2 Solutions

Tim Holman commented:
1)  Use the inbuilt firewalling features of the switches.  A firewall is what you need here - that way you can lock down ports that you don't want users to access
2)  You can't lock down ports on unmanaged switches
3)  Vulnerability checks, as well as firewalls, are only small layers of overall security - you need to address this holistically and look at other things like physical access and also security policies and procedures.
I'm not sure why you want to prevent internal users from accessing servers. After all, the primary function of a server is to serve up data to the clients. DCs need to be accessible from clients to control network and resource access, manage user accounts, etc. Just be careful what you ask for and carefully plan out which ports are needed.

Given that you have a 6509 as the core switch, it is probably (depending on the supervisor model) fully capable of using VLAN ACLs (VACLs) to control traffic between VLANs using access-lists. This is probably the simplest approach to segregating servers from clients. You could also install a Firewall Services blade in the 6509 and have true firewall inspection capabilities between the VLANs.

You have to carefully plan out your VLANs in order to use the unmanaged L2 switches. Since they are most likely end-user connections, just the uplink to that switch needs to be in access mode, not trunk mode, in the correct user VLAN.

Like Tim said above, unmanaged switches mean that you have no facilities on the switch itself to block traffic on specific ports, assign VLANs, or anything else. They are just dumb connectivity bricks.

A vulnerability check is a good first step. A complete "defense in depth" strategy that includes written policies and procedures is absolutely required. See Cisco's SAFE blueprints for a good overall strategy: http://www.cisco.com/go/safe
See SANS Institute for help on policies http://www.sans.org/resources/policies/

My humble $0.02
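As an added example (not from the question or either answer above), this is what the VACL approach described in the second answer looks like on a Catalyst 6500 running IOS, allowing clients only DNS and HTTP/HTTPS to the server VLAN. The VLAN numbers, subnets and ACL/map names are assumptions.

```cisco
! Assumed addressing (example only): servers in VLAN 10, 10.10.10.0/24
!                                    clients in VLAN 20, 10.10.20.0/24
! Step 1: the client-to-server traffic that should be allowed.
ip access-list extended CLIENT-TO-SERVER-ALLOWED
 permit udp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq domain
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq domain
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq www
 permit tcp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 eq 443
! Step 2: everything else from the client subnet to the server subnet.
ip access-list extended CLIENT-TO-SERVER-OTHER
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
! Step 3: the access-map is evaluated in sequence order; the first
! matching entry decides. Allowed traffic is forwarded, the rest dropped.
vlan access-map SERVER-VLAN-FILTER 10
 match ip address CLIENT-TO-SERVER-ALLOWED
 action forward
vlan access-map SERVER-VLAN-FILTER 20
 match ip address CLIENT-TO-SERVER-OTHER
 action drop
! Packets matching no entry (server replies to clients, server-to-server
! traffic) are forwarded by default, so no final catch-all is needed.
! Step 4: apply the map to the server VLAN only.
vlan filter SERVER-VLAN-FILTER vlan-list 10
```

A VACL is stateless, so it filters per packet rather than per session, and the two DCs need more than DNS and HTTP from clients (Kerberos, LDAP, SMB and RPC at least), so the allowed list has to be extended for them before the drop entry is enforced.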