Educause Security Discussion mailing list archives

Re: Private Vlans


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 28 Jul 2011 14:01:17 -0400

On 7/28/2011 1:01 PM, Dennis Bohn wrote:
> We are in a position to make a few changes on our network, and are kicking around the
> idea of private vlans on our server segments.

Depending on how many things you "do" need to talk to, you may have a sizeable number of
"trusted" doors anyway.

We haven't done this at a server level.  We do however have separate vlans for various
applications, and several server VRFs to isolate related application groups.  That
allows relatively granular access controls without isolating each and every individual
server, and reduces the "broadcast domain" (snooping ability) of a given compromised server.

There was the old Tootsie-Pop security model (hard and crunchy perimeter, but soft and
chewy inside).

Then there was the Onion security model (layers).

Now it's the Garlic model (multiple cloves of isolated functionality sharing a common
stem of infrastructure).

Jeff  :)
