Solved

securing servers from internal network

Posted on 2006-11-23
4
249 Views
Last Modified: 2013-12-04
1. i am having cisco 6509, 4506  and some other switches
in the network. i want to prevent my servers from the internal
network there are nearly 20 servers.
let me be clear.  i have 2 DC  and rest are web servers
with 600 clients and all are in same ip range. what i want
is if my clients want to access the servers they shouldnot
be able to access the servers. which is the better way
to protect. i am thinking of enabling VLAN between the servers and clients by enabling only required ports for dns,http, and others does this work or which is the better way .

2. i also have some l2 switches some are managable and some are not how do i block the ports on unmanagable switches.

3. i am having vulnerabilit check from outsided persons which would be the better way
0
Comment
Question by:kvkvamsi
4 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 75 total points
ID: 18014502
1)  Use the inbuilt firewalling features of the switches.  A firewall is what you need here - that way you can lock down ports that you don't want users to access
2)  You can't lock down ports on unmanaged switches
3)  Vulnerability checks, as well as firewalls, are only small layers of overall security - you need to address this holistically and look at other things like physical access and also security policies and procedures.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 75 total points
ID: 18014558
I'm not sure why you want to prevent internal users from accessing servers. After all, the primary function of a server is to serve up data to the clients. DC's need to be accessible from clients to controll network and resource access, manage user accounts, etc. Just be careful what you ask for and carefully plan out which ports are needed.

Given that you have a 6509 as the core switch, it is probably (depending on the supervisor model) fully capable of using Vlan ACLS (VACLS) to control traffic between vlans using access-lists. This is probably the simplest approach to segregating servers from clients. You could also install a Firewall services blade in the 6509 and have true firewall inspection capabilities between the vlans.

You have to carefully plan out your vlans in order to use the unmanaged L2 switches. Since they are most likely end user connections, just the uplink to that switch needs to be in access mode not trunk mode, in the correct user vlan.

Like Tim said above, unmanaged switches mean that you have no facilities on the switch itself to block traffic on specific ports, assign vlans, or anything else. They are just dumb connectivity bricks.

A vulnerability check is a good first step. A complete "defense in depth" strategy to include written polices and procedures is absolutely required. See Cisco's SAFE blueprints for good overall strategy http://www.cisco.com/go/safe
See SANS Institute for help on policies http://www.sans.org/resources/policies/

My humble $0.02
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
A short film showing how OnPage and Connectwise integration works.
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now