Solved

subnetting and security/policy implementation

Posted on 2006-11-27
Last Modified: 2013-11-13
Greetings,

I manage a network with 25 servers and approximately 50 internal clients.  Many of my client machines are used by contractors.  I would like to secure many areas of my network from different groups of users, restrict things like ftp and certain URL access, as well as have these clients use a PAT address rather than using one of my NAT addresses.

I am considering creating a subnet.  Is this the best alternative to achieve the above goals?  Should or could I simply use group policies to achieve the same goals?  What are the pros and cons of my alternatives?

Regards,

Darren
Question by:darrennelson
14 Comments
 
LVL 5

Expert Comment

by:drawlin
ID: 18025703
If all of your servers and client workstations are on a LAN within the same network IP space, I would recommend using file permissions on the servers and putting the user accounts of the contractors into a security group with only the access they need to do their jobs.  If this is the case, you will still need to manage the workstations that they use, and placing them in a different network segment with "firewall" type rules will increase your administrative burden greatly.  

If I had more information on your configuration and your specific needs, I could better advise.
 
LVL 5

Expert Comment

by:WGhen
ID: 18027159
Hi,
We created a series of small VLANs in which we put our contractors that we call "Area 51".  It is actually several small VLANs (32 addresses) which allow us to put an access list in the router determining what they can get to.  Since in many cases they are building server apps, server permissions have to be admin.  The access list prevents access to unrelated servers.

WGhen
 
LVL 27

Expert Comment

by:pseudocyber
ID: 18027295
We're facing this same question - but with hundreds of servers, a thousand users, and about 30 vlans.  

It really depends on your network and your users and your servers.  If your special case is that you could isolate a couple of servers in a different vlan and give permissions to a subset of users and then use access control lists or firewalls to control access between those vlans, then it might make sense for you.  However, it would depend on knowing the IPs of everyone and that they don't move or change.

Basically, what you're looking at is called Network Access Control - and it can be pretty intimidating, expensive, and complex to setup.

If your network design would easily allow it - then is the risk worth the hassle/administrative overhead?  Perhaps not.
 
LVL 5

Expert Comment

by:WGhen
ID: 18027596
Just for the record, we have hundreds of servers also, and at least 100 vlans.  Area 51 VLANS do not use DHCP so IP addresses are known, port security on the switches prevents moving to any other jack etc.  Network access control is a better way to go, but is a huge undertaking and very expensive.

WGhen
 

Author Comment

by:darrennelson
ID: 18030844
My network is a mixed environment consisting of Server 2000 and 2003 boxes.  All of the clients are XP SP2, with the exception of a few 2000 or Linux clients (these aren't really a concern).  For the most part, I am using file permissions to control access to everything.  The problem with this is that the 'everyone' group is used all over my network (done before I got here).  Whenever I try to remove this group, access issues crop up all over the place.  We have a gazillion MS SQL Server instances and quite a few SourceSafe databases running on our network that in one way or another crack when I pull the 'everyone' group from a directory.  Basically, the domain is a mess from a security standpoint, and without restructuring from the ground up, it's a lost cause.  My main focus is "separating" what I can get my hands around (the contractors' workstations and their 2 servers) from the muck the permanent employees use.

Hardware wise, I have 3 Cisco 3500's and a Cisco 8 Port GIG feeding the main development servers.  All clients are on DHCP.  I have a development and a database server exclusively for the contractors.  I would like to limit their access to these two servers and internet access without physically separating them from the existing network.

Budget is another concern.  I can probably allocate one of the 3500's for this purpose, but probably won't get any additional funding.  The problem is I see the potential risk of proprietary information being accessible to contractors, but management won't value that until something negative happens.

I don't know much about VLANs, but have seen the option for this in my switches' interface.  I assume you have to use static IPs to pool specific machines into a VLAN.  What are the differences between VLANs and subnets?
 
LVL 5

Expert Comment

by:drawlin
ID: 18033084
VLAN and subnet are similar in theory.  VLAN is a layer 2 function of a switch that allows a switch to logically (physically) separate a group of ports from another group of ports.  Say you have a switch with 48 ports and want 8 of those ports to not be able to access the other 40 ports, you can create a VLAN.  Just keep in mind that you will need a layer 3 device to route traffic between the VLANs.  If the contractors' PCs and workstations don't need to access any servers on your LAN, you can create a VLAN and make their gateway to the Internet the firewall (providing you create a DMZ for your contractor network).  If your contractors need access to the mail server or DNS on your LAN, you can open those ports on your firewall.
 
LVL 5

Expert Comment

by:WGhen
ID: 18035858
Hi,
A VLAN is composed of one or more subnets.
Your interior routing protocol (we use OSPF) assigns layer 2 subnets to layer 3 VLANs.  A gateway for each subnet is added to the VLAN interface whether it is virtual or physical.
BTW, we hand out DHCP on some VLANs and not others.  The switch port is assigned to a VLAN.  We use the internal MSFC3 router in our Cat6513 switch for DHCP and it figures out which pool of addresses to hand out to a device based on what VLAN the port is in.

WGhen
 
LVL 27

Expert Comment

by:pseudocyber
ID: 18040056
>A VLAN is composed of one or more subnets.

This is not correct.  Strictly speaking, VLANs have nothing to do with (IP) subnets.  VLANs are a layer 2 switching construct.  Subnets are a layer 3 IP construct.  VLANs are not required to run IP - they can run other layer 3 protocols such as IPX or Appletalk (argh!)

Layer 2 subnets?  Layer 3 vlans?
 
LVL 27

Expert Comment

by:pseudocyber
ID: 18040072
>>VLANs are not required to run IP - they can run other layer 3 protocols such as IPX or Appletalk (argh!)

Meaning that VLANs are layer 2 ethernet and several different layer 3 protocols can be encapsulated in the layer 2 frame.
 
LVL 5

Expert Comment

by:WGhen
ID: 18040139
Ok, bad explanation.  But in Cisco World a VLAN can consist of several subnets as designated by the interior routing protocol.  And nobody's talking about IPX and Appletalk.

WGhen
 
LVL 27

Accepted Solution

by:
pseudocyber earned 100 total points
ID: 18040176
Ok.  To keep it simple, you could have a layer 3 switch with several vlans - each with its own IP subnet and an IP assigned to the VLAN itself.  Because they're all directly attached, no routing protocol needed.  

Therefore, simplistically, most people put a single subnet and accompanying IP address on a vlan interface.  Nothing else needed.

>>And nobody's talking about IPX and Appletalk.

Hence the, "argh!" ;)
 
LVL 5

Assisted Solution

by:WGhen
WGhen earned 75 total points
ID: 18040393
Pseudocyber is correct that no routing protocol would be required for the simple setup he describes.  And going back to the original post, you could then place access lists on the router interfaces to permit and deny as desired.  You do not need to dedicate a switch to your contractors.  Just place them on a separate vlan and put in the access list for that vlan/subnet.

WGhen
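Putting the accepted solution (one IP subnet and one SVI address per VLAN on a layer 3 switch, no routing protocol) together with WGhen's suggestion of an access list on the VLAN interface, here is an added example configuration that is not from any poster in this thread. It is generic Catalyst IOS syntax; the VLAN numbers, subnets, server addresses, DNS server and port name are all assumed.

```cisco
! Added example (not any poster's config). Assumed layout:
!   VLAN 10 employees   10.0.10.0/24
!   VLAN 20 contractors 10.0.20.0/24
!   VLAN 30 servers     10.0.30.0/24 (contractor dev/db at .10 and .11,
!                                      internal DNS at .5 - all assumed)
vlan 10
 name employees
vlan 20
 name contractors
vlan 30
 name servers
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ! "in" on the SVI filters what contractor hosts send before it is routed
 ip access-group CONTRACTORS-IN in
!
ip access-list extended CONTRACTORS-IN
 remark The two servers the contractors are allowed to reach
 permit ip 10.0.20.0 0.0.0.255 host 10.0.30.10
 permit ip 10.0.20.0 0.0.0.255 host 10.0.30.11
 remark DHCP (via ip helper on the SVI) and internal DNS
 permit udp any eq bootpc any eq bootps
 permit udp 10.0.20.0 0.0.0.255 host 10.0.30.5 eq domain
 remark Everything else inside the company is denied and logged
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark Web to the Internet only; FTP and other outbound protocols drop
 permit tcp 10.0.20.0 0.0.0.255 any eq www
 permit tcp 10.0.20.0 0.0.0.255 any eq 443
 deny   ip any any log
!
! Each contractor access port is pinned to VLAN 20 and one MAC address,
! so a laptop cannot move to an employee jack or hang a hub off the port
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
```

The switch ACL only decides what the contractor subnet may reach; PAT for that subnet and any URL filtering still happen at the firewall, which is the junction point drawlin describes.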
 
LVL 5

Assisted Solution

by:drawlin
drawlin earned 75 total points
ID: 18040971
Like I mentioned in my original post, a VLAN is a layer 2 function of a switch.  Let's say you have a $15,000 128 port Cisco 6550 in your wiring closet right next to a patch panel where all of your wall drops terminate.  Adding another switch to physically separate your contractors from the rest of your network would not seem reasonable.  So you can create two VLANs.  One for your trusted users and one for your contractors.  This will, in effect, be the same as having two separate switches.  For ease of administration, and to maintain the separation of the two (V)LANs, you would most likely want to assign different IP subnets to each of them.  The reason I say this is because at some point the two separate (V)LANs are going to share the same wire.  (Presumably your T1/DSL/Cable connection to the Internet, or your contractors accessing your mail server.)  Since I am not aware of a Layer 2 or 3 switch that will filter TCP/IP traffic by ports, the junction point should be your firewall.

A note on VLANs.  VLANs can be very versatile.  Let's say your contractors have laptops and sometimes they plug into walljack D23 and other times they plug into the walljack in the conference room, D58.  You could make a list of all your contractors' NIC MAC addresses.  Most good switches can be configured to assign a port to a VLAN based on the MAC address connected to it, or you could create a DHCP reservation by MAC address and the switch will assign a port to a VLAN based on the IP.  That would make sure that a contractor couldn't just plug into an unused jack to access your trusted LAN.
 
LVL 5

Expert Comment

by:WGhen
ID: 18042165
>>> Layer 2 subnets?  Layer 3 vlans?
Was just reading "Configuring Logical Layer 3 VLAN Interfaces" on the Cisco site.  Interesting.
WGhen