?
Solved

securing servers from internal network

Posted on 2006-11-23
4
Medium Priority
?
265 Views
Last Modified: 2013-12-04
1. i am having cisco 6509, 4506  and some other switches
in the network. i want to prevent my servers from the internal
network there are nearly 20 servers.
let me be clear.  i have 2 DC  and rest are web servers
with 600 clients and all are in same ip range. what i want
is if my clients want to access the servers they shouldnot
be able to access the servers. which is the better way
to protect. i am thinking of enabling VLAN between the servers and clients by enabling only required ports for dns,http, and others does this work or which is the better way .

2. i also have some l2 switches some are managable and some are not how do i block the ports on unmanagable switches.

3. i am having vulnerabilit check from outsided persons which would be the better way
0
Comment
Question by:kvkvamsi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 300 total points
ID: 18014502
1)  Use the inbuilt firewalling features of the switches.  A firewall is what you need here - that way you can lock down ports that you don't want users to access
2)  You can't lock down ports on unmanaged switches
3)  Vulnerability checks, as well as firewalls, are only small layers of overall security - you need to address this holistically and look at other things like physical access and also security policies and procedures.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 300 total points
ID: 18014558
I'm not sure why you want to prevent internal users from accessing servers. After all, the primary function of a server is to serve up data to the clients. DC's need to be accessible from clients to controll network and resource access, manage user accounts, etc. Just be careful what you ask for and carefully plan out which ports are needed.

Given that you have a 6509 as the core switch, it is probably (depending on the supervisor model) fully capable of using Vlan ACLS (VACLS) to control traffic between vlans using access-lists. This is probably the simplest approach to segregating servers from clients. You could also install a Firewall services blade in the 6509 and have true firewall inspection capabilities between the vlans.

You have to carefully plan out your vlans in order to use the unmanaged L2 switches. Since they are most likely end user connections, just the uplink to that switch needs to be in access mode not trunk mode, in the correct user vlan.

Like Tim said above, unmanaged switches mean that you have no facilities on the switch itself to block traffic on specific ports, assign vlans, or anything else. They are just dumb connectivity bricks.

A vulnerability check is a good first step. A complete "defense in depth" strategy to include written polices and procedures is absolutely required. See Cisco's SAFE blueprints for good overall strategy http://www.cisco.com/go/safe
See SANS Institute for help on policies http://www.sans.org/resources/policies/

My humble $0.02
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses
Course of the Month9 days, 19 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question