Solved

Networking, subnet and security

Posted on 2012-09-20
3
Medium Priority
455 Views
Last Modified: 2012-09-21
On another thread, I proposed the following thread:

Subnet 1

   Network:   10.14.101.104/29    
   Hosts:     10.14.101.105 - 10.14.101.110  
   Broadcast: 10.14.101.111 

   I assigned the following nodes to this subnet

      10.14.101.105
      10.14.101.108
      10.14.101.110

Subnet 2

   Network:   10.14.101.112/29   
   Hosts:     10.14.101.113 - 10.14.101.118        
   Broadcast: 10.14.101.119  

   I assigned the following nodes to this subnet

      10.14.101.113
      10.14.101.114
      10.14.101.115


One of the responses I received from this proposal was:

It's not a solution that will provide any security in the sense that it will prevent a node in one subnet from reaching a node in another.  
You could ask about that..... 


How can I provide security to prevent a node in one subnet from reaching a node in another subnet?
0
Question by:Los Angeles1
3 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 2000 total points
ID: 38420893
If the subnets share the same broadcast domain (= the entire inter-connected layer-2 network, e.g. by HUBs or Layer-2 switches) then it's possible to "sniff" the network traffic between nodes for an appropriately equipped (software) and configured (promiscuous mode NIC) machine.

Monitoring network traffic in promiscuous mode is only possible inside the same broadcast domain, so that layer-3 switches can effectively inhibit sniffing across subnets by isolating broadcast domains (if so configured).

Another means of network isolation is VLAN technology. A VLAN is by design a separate broadcast domain.

All the above does not imply that your nodes are able to communicate across subnets using "normal" TCP/IP methods!

Here is more about broadcast domains:
http://en.wikipedia.org/wiki/Broadcast_domain
http://ciscoskills.net/2011/03/30/collision-domains-vs-broadcast-domains/


wmp
0
 
LVL 7

Expert Comment

by:djStraTTos
ID: 38420896
Good day,

You either can use VLAN's or create rules on your firewall to deny bidirectional traffic between those two subnets.
0
 
LVL 5

Expert Comment

by:Gareth Tomlinson CISSP
ID: 38421032
Create VLANs for each subnet group, then apply an access control list to each VLAN interface to control the traffic. The VLAN interface MUST be the default gateway for the subnet group for this to work properly.
Remember that if you want internet access the ACL must be configured to DENY the specific traffic to another subnet, then a final statement of ALLOW ALL will ensure internet connectivity still functions.
0
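The ACL ordering described in the last two comments (deny the other subnet first, then a final allow-all so Internet traffic still works), modelled as a first-match ACL over the two /29 subnets from the question. This is an added example, not code from the thread; the ACL entries, the gateway-side placement and the outside address 203.0.113.10 are assumptions.

```python
# Added example (not from the thread): a first-match ACL as applied on each
# VLAN's routed interface, i.e. the default gateway of that subnet group.
# Deny entries for the other subnet come first; a final permit-any keeps
# Internet-bound traffic working. Subnets are the ones from the question.
import ipaddress

SUBNET1 = ipaddress.ip_network("10.14.101.104/29")
SUBNET2 = ipaddress.ip_network("10.14.101.112/29")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each entry: (action, source network, destination network). Entries are
# evaluated in order and the first match decides, so the deny lines must
# precede the permit-any line (assumed ACL contents).
ACL_VLAN1 = [
    ("deny", SUBNET1, SUBNET2),
    ("permit", ANY, ANY),
]
ACL_VLAN2 = [
    ("deny", SUBNET2, SUBNET1),
    ("permit", ANY, ANY),
]


def evaluate(acl, src, dst):
    """Return 'deny' or 'permit' for a src->dst packet. Entries are checked
    in order; as on a real ACL, no match at all means an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def subnet_summary(net):
    """Network, first/last usable host and broadcast, as listed in the question."""
    hosts = list(net.hosts())
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address))


if __name__ == "__main__":
    print(subnet_summary(SUBNET1))
    # Node in subnet 1 talking to a node in subnet 2: dropped at the gateway.
    print(evaluate(ACL_VLAN1, "10.14.101.105", "10.14.101.113"))
    # Same node reaching an outside address (constructed): still permitted.
    print(evaluate(ACL_VLAN1, "10.14.101.105", "203.0.113.10"))
    # Wrong order (permit-any first) matches everything before the deny.
    print(evaluate(list(reversed(ACL_VLAN1)), "10.14.101.105", "10.14.101.113"))
```

The reversed-ACL call at the end is the failure mode the last comment warns about: with ALLOW ALL ahead of the DENY, the inter-subnet packet is never blocked.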
