Educause Security Discussion mailing list archives
Re: Private Vlans
From: "Everett, Alex D" <alex.everett () UNC EDU>
Date: Thu, 28 Jul 2011 17:30:38 +0000
Dennis:

Can you clarify what you mean when you say that it cannot communicate with other machines on the segment? What would you use the VLAN for? Administration, or as their only interface for some service?

We use RFC1918 space in different situations. However, often we route those subnets throughout our infrastructure. And, any machine on that VLAN can communicate directly to any other in that VLAN in general.

For systems behind our firewalls, we strongly suggest they don't choose RFC1918 space. We basically state that we will not support NAT, and that if they choose private address space they have to live with it.

There is also a much smaller segment of devices for which there is no gateway for the private subnet, and they can only communicate with each other. Generally this is created due to specific needs and security controls.

Sincerely,
Alex Everett, CISSP, CCNA
University of North Carolina
919.445.9393

On Jul 28, 2011, at 1:01 PM, Dennis Bohn wrote:

> We are in a position to make a few changes on our network, and are kicking around the idea of private VLANs on our server segments. Our thoughts so far are:
>
> Advantages:
> - Prevent a compromised machine from nmapping the segment.
> - Make it harder (but not impossible) for the compromised machine to communicate with other machines on the segment.
> - The idea of servers being isolated, and only able to communicate with the gateway, is attractive.
>
> Disadvantages:
> - Time/energy to configure.
> - Time/energy to maintain: no matter how much the server admin swears that server A will never ever ever need to communicate with server B ... that day will come! It seems like the permutations of necessary server-to-server communication could be prohibitive.
>
> Has anyone tried this and are there any lessons learned that you would like to share?
>
> TIA,
> Dennis Bohn
> Manager of Network and Systems
> Adelphi University
> bohn () adelphi edu
> 5168773327

Sincerely,
Alex Everett, CISSP, CCNA
Information Security Office
University of North Carolina at Chapel Hill
919.445.9393
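The layout the thread is weighing, written out as a Cisco IOS private-VLAN configuration. This is an added example, not configuration posted by either participant or by their institutions; the VLAN numbers, interface names, server descriptions and the choice of port for the gateway uplink are assumptions made for illustration. It goes one step beyond the thread by adding a community VLAN, which is the PVLAN answer to the "server A will one day need to talk to server B" objection: those two servers share a community and reach each other and the gateway, while the isolated servers still reach only the gateway.

```cisco
! Added example (not from the thread): Cisco IOS private-VLAN layout for a server segment.
! VLAN numbers, interface names and the gateway port are assumptions chosen for illustration.
! Private VLANs require the switch to be in VTP transparent mode (or VTP version 3).
vtp mode transparent
!
! Primary VLAN: the routed subnet the gateway sits on.
vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated VLAN: hosts here reach only promiscuous ports (the gateway), never each other.
vlan 101
 name SERVERS-ISOLATED
 private-vlan isolated
!
! Community VLAN: hosts here reach each other and the gateway, but not the isolated hosts.
! Use this for the "server A must talk to server B" cases instead of un-isolating the segment.
vlan 102
 name SERVERS-APPTIER
 private-vlan community
!
! Two servers that should only ever talk to the gateway.
interface GigabitEthernet1/0/1
 description srv-web-1 (assumed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/2
 description srv-web-2 (assumed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Two servers that must talk to each other (same community) and to the gateway.
interface GigabitEthernet1/0/3
 description srv-app-1 (assumed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
interface GigabitEthernet1/0/4
 description srv-app-2 (assumed name)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Uplink to the router or firewall: promiscuous, so every secondary VLAN can reach it.
interface GigabitEthernet1/0/24
 description uplink to gateway (assumed)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
```

Two checks worth doing after applying this. `show vlan private-vlan` and `show interfaces GigabitEthernet1/0/1 switchport` confirm the primary/secondary associations actually took effect on each port. The second is the caveat behind Dennis's "harder (but not impossible)": a private VLAN only blocks Layer 2 forwarding between isolated ports. If the gateway answers proxy ARP or otherwise routes traffic back into the same subnet, an isolated host can still reach its neighbour by way of the router, so intra-subnet traffic should also be denied by an ACL on the gateway's interface for the primary VLAN (or the gateway's own equivalent of a local-proxy-ARP setting should be left off).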