Educause Security Discussion mailing list archives
Re: Private Vlans
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 28 Jul 2011 14:01:17 -0400
On 7/28/2011 1:01 PM, Dennis Bohn wrote:
> We are in a position to make a few changes on our network, and are kicking around the idea of private vlans on our server segments.
Depending on how many things you "do" need to talk to, you may have a sizeable number of "trusted" doors anyway.

We haven't done this at a server level. We do however have separate vlans for various applications, and several server VRFs to isolate related application groups. That allows relatively granular access controls without isolating each and every individual server, and reduces the "broadcast domain" (snooping ability) of a given compromised server.

There was the old Tootsie-Pop security model (hard and crunchy perimeter, but soft and chewy inside). Then there was the Onion security model (layers). Now it's the Garlic model (multiple cloves of isolated functionality sharing a common stem of infrastructure).

Jeff :)