Educause Security Discussion mailing list archives
(Fwd) Network architecture/security question
From: "H. David Todd" <HDTodd () SANDIEGO EDU>
Date: Wed, 28 May 2003 07:08:20 -0700
Dear Colleagues,

Mark Bruhn saw this note from me on the CIO list and suggested that I cross-post it to the Security list -- sorry for the duplication for those of you who are on both lists.

We are considering ways to increase the network security of most of our desktop systems on campus. In addition to some work on anti-virus and anti-spam systems, we're considering ways to reduce hacking of our campus system. Few of our clients on campus need for their workstations to be accessible from off campus, and we're looking to exploit that fact to increase security.

[One strong motivation for focused attention on this is the running battle we've been having with international hackers who want to use our PCs and bandwidth for video & music distribution. Few of our PCs need to be accessible to connections initiated from outside campus in order to serve their functions, but our clients on campus are oblivious to vulnerabilities they might introduce when tinkering with their systems. We need a systematic way of protecting them by default, unless they specifically need to serve external connections.]

Our idea at this point is to build three campus LANs using VLAN technology. The secure host VLAN would be NATed with a private domain: no external connections could come in that weren't initiated by an internal host. The secure server VLAN would use IPs in the publicly routable range, but the firewall would limit access from outside the campus to just specific ports on campus servers ... port 80 if it's a Web server, etc. The unsecured host VLAN would use public, routable IPs with only a few rules applied through the firewall as to what can come in from outside. All would go through a firewall. Hosts on the unsecured VLAN would be subjected to the same firewall restrictions as any other external host with regard to access to hosts on the secured VLAN -- even though the two hosts might be in the same room.

Now, this *might* work for us because we're a teaching institution rather than a research institution. We have few hosts that need or want to be accessed from outside campus. Those that do would be moved to the secured server or unsecured host VLAN. By default, faculty, staff, and public-lab PCs would go on the secured host VLAN. Faculty and staff would simply request to have their VLAN changed should they want to enable external access.

But this architecture seems like a really obvious solution to a problem lots of schools have, and it doesn't seem to be in common use. So I think we've missed something in our analysis.

So here's the question: What's wrong with this approach? What have we missed? Why isn't this a common solution? Are there performance issues we'll have to monitor? Are there better ways to accomplish the same goals?

Thanks in advance for thinking about this and for any advice you can offer.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
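
The three-VLAN policy described in the message, modelled as a small decision function so the intended allow/deny outcomes can be checked before they are turned into firewall rules. This is an added example, not part of the original post; the address ranges, the per-server port table, the blocked-port set, the name allow_new_connection and the handling of traffic between the two secured VLANs are assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption: the post gives no ranges).
ZONES = {
    "secure_host": ipaddress.ip_network("10.10.0.0/16"),        # NATed, private
    "secure_server": ipaddress.ip_network("192.0.2.0/25"),      # public, per-port
    "unsecured_host": ipaddress.ip_network("192.0.2.128/25"),   # public, few rules
}
# Constructed allowlist; the post's own example is port 80 on a Web server.
SERVER_PORTS = {ipaddress.ip_address("192.0.2.10"): {80}}
# Constructed stand-in for the "few rules" applied to the unsecured VLAN.
UNSECURED_BLOCKED_PORTS = {135, 139, 445}


def zone(ip):
    """Map an address to its campus VLAN, or 'external' if off campus."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def allow_new_connection(src, dst, port):
    """Would the firewall let src open a NEW connection to dst:port?

    Replies to connections a host initiated itself are not modelled:
    a stateful firewall or NAT passes those back automatically.
    """
    s, d = zone(src), zone(dst)
    if s == d:
        return True   # same VLAN: traffic does not cross the firewall
    if d == "external":
        return True   # assumption: outbound is unrestricted
    if d == "secure_host":
        return False  # NATed: nothing outside the VLAN can initiate inward
    if d == "unsecured_host":
        return port not in UNSECURED_BLOCKED_PORTS
    # d == "secure_server": unsecured-VLAN hosts are held to the same rules
    # as off-campus hosts, even if they sit in the same room.
    if s in ("external", "unsecured_host"):
        return port in SERVER_PORTS.get(ipaddress.ip_address(dst), set())
    return True       # assumption: secure hosts reach campus servers freely


if __name__ == "__main__":
    for flow in [("198.51.100.7", "10.10.1.5", 445),   # off campus -> desktop
                 ("192.0.2.200", "10.10.1.5", 80),     # unsecured -> desktop
                 ("198.51.100.7", "192.0.2.10", 80),   # off campus -> Web server
                 ("192.0.2.200", "192.0.2.10", 22)]:   # unsecured -> server SSH
        print(flow, "ALLOW" if allow_new_connection(*flow) else "DENY")
```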