Networking, subnet and security

Posted on 2012-09-20
Last Modified: 2012-09-21
On another thread, I proposed the following thread:

Subnet 1

   Hosts: -  

   I assigned the following nodes to this subnet

Subnet 2

   Hosts: -        

   I assigned the following nodes to this subnet

One of the responses I received from this proposal was:

It's not a solution that will provide any security in the sense that it will prevent a node in one subnet from reaching a node in another.  
You could ask about that..... 

How can I provide security to prevent a node in one subnet from reaching a node in another subnet?
Question by:Los Angeles1
    LVL 68

    Accepted Solution

    If the subnets share the same broadcast domain (= the entire inter-connected layer-2 network, e.g. by hubs or layer-2 switches) then it's possible to "sniff" the network traffic between nodes for an appropriately equipped (software) and configured (promiscuous mode NIC) machine.

    Monitoring network traffic in promiscuous mode is only possible inside the same broadcast domain, so that layer-3 switches can effectively inhibit sniffing across subnets by isolating broadcast domains (if so configured).

    Another means of network isolation is VLAN technology. A VLAN is by design a separate broadcast domain.

    All the above does not imply that your nodes are able to communicate across subnets using "normal" TCP/IP methods!

    Here is more about broadcast domains:

    LVL 7

    Expert Comment

    Good day,

    You either can use VLANs or create rules on your firewall to deny bidirectional traffic between those two subnets.
    LVL 5

    Expert Comment

    by:Gareth Tomlinson CISSP
    Create VLANs for each subnet group, then apply an access control list to each VLAN interface to control the traffic. The VLAN interface MUST be the default gateway for the subnet group for this to work properly.
    Remember that if you want internet access the ACL must be configured to DENY the specific traffic to another subnet, then a final statement of ALLOW ALL will ensure internet connectivity still functions.
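The following is an added example, not code from the original thread or from any of the commenters. It models the design the two comments describe (one VLAN per subnet, an ACL on each VLAN interface that denies the other subnet and then permits everything else) so the two points that matter can be checked: rule order decides whether the deny ever matches, and traffic between two hosts in the same VLAN is switched at layer 2 and never reaches the VLAN interface, so no ACL there can see it. The subnet addresses are constructed placeholders, since the question does not give them; the ACL uses the usual first-match semantics with an implicit deny at the end.

```python
"""Model of per-VLAN ACLs as described in the comments above.

Added example, not code from the original page. Subnets are constructed:
VLAN 10 carries 192.168.10.0/24 and VLAN 20 carries 192.168.20.0/24, and
the VLAN interface (SVI) of each is that subnet's default gateway.
"""
import ipaddress
from dataclasses import dataclass

# Constructed subnet plan: one VLAN per subnet.
VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(acl, src_ip, dst_ip):
    """First matching rule wins; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in acl:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def vlan_of(ip):
    """Which VLAN (and therefore which SVI) an address belongs to."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def forward(acls, src_ip, dst_ip):
    """Decide what happens to a packet from src_ip to dst_ip.

    Two hosts in the same VLAN talk at layer 2: the packet never reaches
    the SVI, so its ACL is not consulted. A packet leaving the VLAN goes
    to the SVI (the default gateway), where the inbound ACL is applied.
    """
    src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    if src_vlan is None:
        return "not-local"
    if src_vlan == dst_vlan:
        return "switched"       # same broadcast domain, ACL bypassed
    return evaluate(acls[src_vlan], src_ip, dst_ip)


def build_acls(deny_first=True):
    """Inbound ACL per SVI: deny the other subnet(s), then permit all.

    deny_first=False reproduces the ordering mistake the comment warns
    about: a leading permit-all matches first and the deny is dead code.
    """
    acls = {}
    for vid, net in VLANS.items():
        denies = [Rule("deny", net, other)
                  for ovid, other in VLANS.items() if ovid != vid]
        permit_all = [Rule("permit", ANY, ANY)]
        acls[vid] = denies + permit_all if deny_first else permit_all + denies
    return acls


if __name__ == "__main__":
    good = build_acls()
    bad = build_acls(deny_first=False)
    flows = [  # constructed sample flows
        ("192.168.10.5", "192.168.20.7"),   # cross-subnet, should be denied
        ("192.168.20.7", "192.168.10.5"),   # reverse direction, also denied
        ("192.168.10.5", "198.51.100.10"),  # towards the internet, permitted
        ("192.168.10.5", "192.168.10.9"),   # same VLAN, never sees the ACL
    ]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} deny-first: {forward(good, src, dst):<9}"
              f" permit-first: {forward(bad, src, dst)}")
```

Running it shows the cross-subnet flows denied in both directions and the internet-bound flow permitted with the deny-first ACL, while the permit-first ACL lets the cross-subnet flow through; the same-VLAN flow reports "switched" under both, which is why hosts that must be kept apart from each other need separate VLANs rather than only separate ACLs.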
