Educause Security Discussion mailing list archives

(Fwd) Network architecture/security question


From: "H. David Todd" <HDTodd () SANDIEGO EDU>
Date: Wed, 28 May 2003 07:08:20 -0700

Dear Colleagues,

        Mark Bruhn saw this note from me on the CIO list and
suggested that I cross-post it to the Security list --
sorry for the duplication for those of you who are on both
lists.

        We are considering ways to increase the network security
of most of our desktop systems on campus.  In addition to
some work on anti-virus and anti-spam systems, we're
considering ways to reduce hacking of our campus system.
Few of our clients on campus need for their workstations to
be accessible from off campus, and we're looking to exploit
that fact to increase security.

        [One strong motivation for focused attention on this is
the running battle we've been having with international
hackers who want to use our PCs and bandwidth for video &
music distribution.  Few of our PCs need to be accessible
to connections initiated from outside campus in order to
serve their functions, but our clients on campus are
oblivious to vulnerabilities they might introduce when
tinkering with their systems.  We need a systematic way of
protecting them by default, unless they specifically need
to serve external connections.]

        Our idea at this point is to build three campus LANs using
VLAN technology.  The secure host VLAN would be NATed with
a private domain: no external connections could come in
that weren't initiated by an internal host.  The secure
server VLAN would use IPs in the publicly routable range,
but the firewall would limit access from outside the campus
to just specific ports on campus servers ... port 80 if
it's a Web server, etc.  The unsecured host VLAN would
use public, routable IPs with only a few rules applied
through the firewall as to what can come in from outside.
All would go through a firewall.  Hosts on the unsecured
VLAN would be subjected to the same firewall restrictions
as any other external host with regard to access to hosts
on the secured VLAN -- even though the two hosts might be
in the same room.

        Now, this *might* work for us because we're a teaching
institution rather than a research institution.  We have few
hosts that need or want to be accessed from outside campus.
Those that do would be moved to the secured server or
unsecured host VLAN.  By default, faculty, staff, and
public-lab PCs would go on the secured host VLAN.  Faculty
and staff would simply request to have their VLAN changed
should they want to enable external access.

        But this architecture seems like a really obvious solution
to a problem lots of schools have, and it doesn't seem to
be in common use.  So I think we've missed something in our
analysis.

        So here's the question: What's wrong with this approach?
What have we missed?  Why isn't this a common solution?
Are there performance issues we'll have to monitor?  Are
there better ways to accomplish the same goals?

        Thanks in advance for thinking about this and for any
advice you can offer.
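The three-VLAN policy described in the post, modelled as a small stateful filter (an added example for this archive page, not anything the poster or his campus ran). Zone names, the sample addresses, the per-server port list and the "few rules" for the unsecured VLAN are constructed assumptions; NAT state is tracked per address pair for brevity.

```python
from dataclasses import dataclass, field

OUTSIDE, SECURE_HOST, SECURE_SERVER, UNSECURED_HOST = (
    "outside", "secure-host", "secure-server", "unsecured-host")
# Constructed allow list for the secure server VLAN: from outside campus only these ports reach each server.
SERVER_PORTS = {"192.0.2.10": {80, 443}, "192.0.2.25": {25}}
# Constructed "few rules" for the unsecured host VLAN: block file-sharing ports from outside, allow the rest.
UNSECURED_BLOCKED = {135, 137, 138, 139, 445}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass
class Firewall:
    # NAT state for the secure host VLAN: (outside peer, inside host) pairs created only by outbound traffic.
    established: set = field(default_factory=set)

    def decide(self, f: Flow) -> bool:
        if f.src_zone == f.dst_zone:
            return True  # intra-VLAN traffic never reaches the firewall
        # Unsecured hosts are treated exactly like outside hosts toward the secured VLANs, same room or not.
        external = f.src_zone in (OUTSIDE, UNSECURED_HOST)
        if f.dst_zone == SECURE_HOST:  # private range behind NAT: replies only
            return not external or (f.src_ip, f.dst_ip) in self.established
        if f.dst_zone == SECURE_SERVER:  # public IPs, listed ports only from outside
            return not external or f.dst_port in SERVER_PORTS.get(f.dst_ip, set())
        if f.dst_zone == UNSECURED_HOST:
            return f.src_zone != OUTSIDE or f.dst_port not in UNSECURED_BLOCKED
        if f.src_zone == SECURE_HOST:  # outbound: remember it so the reply gets back in
            self.established.add((f.dst_ip, f.src_ip))
        return True

def demo() -> dict:
    fw, pc, peer, web, lab = Firewall(), "10.10.0.5", "198.51.100.7", "192.0.2.10", "203.0.113.9"
    return {
        "unsolicited_to_pc": fw.decide(Flow(OUTSIDE, SECURE_HOST, peer, pc, 3389)),
        "pc_browses_out": fw.decide(Flow(SECURE_HOST, OUTSIDE, pc, peer, 80)),
        "reply_to_pc": fw.decide(Flow(OUTSIDE, SECURE_HOST, peer, pc, 80)),
        "web_port_80": fw.decide(Flow(OUTSIDE, SECURE_SERVER, peer, web, 80)),
        "web_port_22": fw.decide(Flow(OUTSIDE, SECURE_SERVER, peer, web, 22)),
        "lab_pc_to_secure_pc": fw.decide(Flow(UNSECURED_HOST, SECURE_HOST, lab, pc, 445)),
        "outside_to_lab_pc_445": fw.decide(Flow(OUTSIDE, UNSECURED_HOST, peer, lab, 445)),
    }
```

Running `demo()` shows the property the post relies on: the faculty PC is unreachable from outside and from the unsecured lab PC until it initiates a connection itself, while the Web server exposes only its listed ports.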
