Solved

securing servers from internal network

Posted on 2006-11-23
4
253 Views
Last Modified: 2013-12-04
1. i am having cisco 6509, 4506  and some other switches
in the network. i want to prevent my servers from the internal
network there are nearly 20 servers.
let me be clear.  i have 2 DC  and rest are web servers
with 600 clients and all are in same ip range. what i want
is if my clients want to access the servers they shouldnot
be able to access the servers. which is the better way
to protect. i am thinking of enabling VLAN between the servers and clients by enabling only required ports for dns,http, and others does this work or which is the better way .

2. i also have some l2 switches some are managable and some are not how do i block the ports on unmanagable switches.

3. i am having vulnerabilit check from outsided persons which would be the better way
0
Comment
Question by:kvkvamsi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 75 total points
ID: 18014502
1)  Use the inbuilt firewalling features of the switches.  A firewall is what you need here - that way you can lock down ports that you don't want users to access
2)  You can't lock down ports on unmanaged switches
3)  Vulnerability checks, as well as firewalls, are only small layers of overall security - you need to address this holistically and look at other things like physical access and also security policies and procedures.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 75 total points
ID: 18014558
I'm not sure why you want to prevent internal users from accessing servers. After all, the primary function of a server is to serve up data to the clients. DC's need to be accessible from clients to controll network and resource access, manage user accounts, etc. Just be careful what you ask for and carefully plan out which ports are needed.

Given that you have a 6509 as the core switch, it is probably (depending on the supervisor model) fully capable of using Vlan ACLS (VACLS) to control traffic between vlans using access-lists. This is probably the simplest approach to segregating servers from clients. You could also install a Firewall services blade in the 6509 and have true firewall inspection capabilities between the vlans.

You have to carefully plan out your vlans in order to use the unmanaged L2 switches. Since they are most likely end user connections, just the uplink to that switch needs to be in access mode not trunk mode, in the correct user vlan.

Like Tim said above, unmanaged switches mean that you have no facilities on the switch itself to block traffic on specific ports, assign vlans, or anything else. They are just dumb connectivity bricks.

A vulnerability check is a good first step. A complete "defense in depth" strategy to include written polices and procedures is absolutely required. See Cisco's SAFE blueprints for good overall strategy http://www.cisco.com/go/safe
See SANS Institute for help on policies http://www.sans.org/resources/policies/

My humble $0.02
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question