Educause Security Discussion mailing list archives
Re: How do you implement VLAN segmentation in your buildings?
From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 9 May 2007 09:26:49 -0700
If you're using NAC anyway, why not also implement 802.1X? So do 1 or 2, but the maintenance issue is part of your back-end identity management rather than your network device configuration. (Arguably, that's where it should have been all along. When a user changes status, modifying their network access should be integrated with revoking system access no longer appropriate and/or granting access appropriate to their new status.)

FWIW: Until we get more of our equipment upgraded to support 802.1X (bond measure passed but awaiting adjudication of legal challenges) and get our IDM built (supposed to go live by August), we're doing 1. And the maintenance issue isn't nearly so bad as you fear, since jacks in labs stay in labs and jacks in offices stay in offices even if the occupant changes -- unless your security levels are incredibly granular, it's pretty static, more than 2 would be.

Option 3 means that you punt all security to the end hosts. That will probably work for most staff machines, but I'm leery of making it my only line of defence when it comes to personal and student machines, and legacy devices may need special handling.

Option 4 is part and parcel, I think, with distributing routing and DHCP as well, so (IMHO) troubleshooting just got an order of magnitude more complicated. Oh, and like 3, you've removed the option for VLANs and ACLs to contribute to security, and must rely entirely on other mechanisms....

David Gillett
-----Original Message-----
From: Tristan RHODES [mailto:tristanrhodes () WEBER EDU]
Sent: Wednesday, May 09, 2007 8:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How do you implement VLAN segmentation in your buildings?

Greetings,

We are discussing various ways to segment traffic using VLANs. How are other universities doing this? We have a pair of layer-3 switches in most buildings that serve as the distribution layer. The question is, how many networks do you create for a building? Do you:

1) Segment based on security level? (guest/kiosks, students/labs, faculty/staff, facility management, network management)
2) Segment based on department/college? (accounting, finance, human resources)
3) Segment based on location? (first floor, second floor, third floor)
4) Or do you follow Cisco best practices which promote the idea of one unique VLAN/network for every switch?

I do not like the high level of maintenance in models 1 and 2. For example, when people move or if their roles change, how will we be notified so that we can change their VLAN? I prefer the location-based segmentation due to its simplicity. To provide security segmentation, something like NAC + McAfee ePO can be used to enforce firewall policies on end-hosts.

Thanks for your input.

Tristan Rhodes
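As an added example (not part of David Gillett's reply or of the Educause thread), the Python below sketches what it means for the maintenance issue to live in the back-end identity management rather than in switch configuration: a small RADIUS-style authorization step that maps a user's IdM status to a VLAN using the RFC 3580 dynamic VLAN assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), so that a role change or offboarding recorded in the IdM changes which VLAN the user's 802.1X-authenticated port lands on, with no per-jack edits. The directory class, status names, VLAN numbers, the choice of a quarantine VLAN for unknown or disabled accounts, and the usernames are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# RADIUS attribute values from RFC 2868 / RFC 3580 used for dynamic VLAN
# assignment: the switch reads these from the Access-Accept and places the
# authenticated port into the named VLAN.
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type (64): VLAN
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6  # Tunnel-Medium-Type (65): IEEE-802
# Tunnel-Private-Group-ID (81) carries the VLAN id as a string.

# Security-level VLANs as in option 1 of the thread. The status names and
# VLAN numbers are assumed sample values, not anything from the discussion.
VLAN_BY_STATUS: Dict[str, int] = {
    "faculty": 100,
    "staff": 100,
    "student": 200,
    "guest": 300,
    "facilities": 400,
}
QUARANTINE_VLAN = 999  # assumed: unknown, disabled or unmapped users land here


@dataclass
class IdmRecord:
    """One identity-management record; its status drives network access."""
    username: str
    status: str
    enabled: bool = True


class IdmDirectory:
    """Toy stand-in for the back-end IdM (assumed; a real one is an LDAP/HR feed)."""

    def __init__(self) -> None:
        self._records: Dict[str, IdmRecord] = {}

    def upsert(self, record: IdmRecord) -> None:
        self._records[record.username] = record

    def change_status(self, username: str, new_status: str) -> None:
        # A role change in the IdM is the only step needed; no switch config edit.
        self._records[username].status = new_status

    def disable(self, username: str) -> None:
        # Offboarding: disabling the account also revokes network access.
        self._records[username].enabled = False

    def lookup(self, username: str) -> Optional[IdmRecord]:
        return self._records.get(username)


def vlan_for(record: Optional[IdmRecord]) -> int:
    """Map an IdM record (or None for an unknown user) to a VLAN id."""
    if record is None or not record.enabled:
        return QUARANTINE_VLAN
    return VLAN_BY_STATUS.get(record.status, QUARANTINE_VLAN)


def authorize(directory: IdmDirectory, username: str) -> Dict[str, object]:
    """Build the VLAN attributes a RADIUS server would return in Access-Accept
    after a successful 802.1X authentication for this user."""
    vlan_id = vlan_for(directory.lookup(username))
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def lifecycle_demo() -> Dict[str, str]:
    """Constructed walk-through: a student becomes staff, then leaves."""
    idm = IdmDirectory()
    idm.upsert(IdmRecord("alice", "student"))
    result = {"as_student": authorize(idm, "alice")["Tunnel-Private-Group-ID"]}
    idm.change_status("alice", "staff")
    result["as_staff"] = authorize(idm, "alice")["Tunnel-Private-Group-ID"]
    idm.disable("alice")
    result["after_offboarding"] = authorize(idm, "alice")["Tunnel-Private-Group-ID"]
    # A username the IdM has never seen gets the quarantine VLAN, not staff access.
    result["unknown_user"] = authorize(idm, "mallory")["Tunnel-Private-Group-ID"]
    return result


if __name__ == "__main__":
    for step, vlan in lifecycle_demo().items():
        print(f"{step}: VLAN {vlan}")
```

The point of the walk-through is that every VLAN change in it is caused by an IdM operation (change_status, disable), never by editing a port; in a real deployment the same lookup would be made by the RADIUS server against the directory, and the quarantine default is what keeps an unknown or disabled account from inheriting whatever VLAN the jack last carried.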
Current thread:
- How do you implement VLAN segmentation in your buildings? Tristan RHODES (May 09)
- <Possible follow-ups>
- Re: How do you implement VLAN segmentation in your buildings? Julian Y. Koh (May 09)
- Re: How do you implement VLAN segmentation in your buildings? David Gillett (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Cal Frye (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Lee Weers (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Br. Kenneth Arnold (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Bruce Curtis (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Rob Whalen (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Bruce Curtis (May 10)
- Re: How do you implement VLAN segmentation in your buildings? John Hoffoss (May 16)
- Re: How do you implement VLAN segmentation in your buildings? Cal Frye (May 16)