Educause Security Discussion mailing list archives

Re: Private Vlans


From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Thu, 28 Jul 2011 18:55:27 +0000

Thus far we've stayed away from them for the administrative complexity and
operational difficulties they introduce. It is hard enough for admins to
roll out, troubleshoot, upgrade, and maintain complex applications involving
a dozen different components without requiring another group to be involved
with each and every access need. Instead, we group systems with similar
functionality, trust, and sensitivity classifications together and encourage
the use of host firewalls for isolation from adjacent systems. That said,
we're looking at redesigning the architecture, and Jeff's description of
PVLANs for application silos looks attractive. We're also looking at the
possibilities of using more IPsec-based access controls.


From:  Dennis Bohn <bohn () ADELPHI EDU>
Reply-To:  The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
Date:  Thu, 28 Jul 2011 13:01:38 -0400
To:  <SECURITY () LISTSERV EDUCAUSE EDU>
Subject:  [SECURITY] Private Vlans

We are in a position to make a few changes on our network, and are kicking
around the idea of private VLANs on our server segments. Our thoughts so far
are:

Advantages:
Prevent a compromised machine from nmapping the segment.
Make it harder (but not impossible) for the compromised machine to communicate
with other machines on the segment.
The idea of servers being isolated, and only able to communicate with the
gateway, is attractive.

Disadvantages:
Time/energy to configure
Time/energy to maintain: no matter how much the server admin swears that
server A will never ever ever need to communicate with server B... that day
will come! It seems like the permutations of necessary server-to-server
communication could be prohibitive.

Has anyone tried this and are there any lessons learned that you would like to
share?

TIA,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327


-- 
Gary Flynn
Security Engineer
James Madison University
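For readers unfamiliar with how the two models discussed above map onto switch configuration, here is an added illustration (not from either poster): a Cisco IOS private-VLAN layout with an isolated secondary VLAN for the "servers only talk to the gateway" case and a community secondary VLAN for an application silo of the kind Jeff described. VLAN numbers and interface names are made up for the example.

```cisco
! Private VLANs require VTP transparent (or VTPv3) mode on the switch.
vtp mode transparent
!
! Secondary VLAN 201: isolated. Hosts here can reach only promiscuous ports
! (the gateway), never each other; an nmap of the segment sees nothing but
! the gateway.
vlan 201
 private-vlan isolated
!
! Secondary VLAN 202: community. Members of one application silo can talk to
! each other and to the gateway, but not to isolated hosts or other communities.
vlan 202
 private-vlan community
!
! Primary VLAN 200 carries the subnet and binds the secondaries together.
vlan 200
 private-vlan primary
 private-vlan association 201,202
!
! Uplink to the router/firewall: promiscuous, so it can reach every host.
interface GigabitEthernet1/0/1
 description gateway / firewall uplink
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202
!
! A standalone server: isolated, reachable only via the gateway.
interface GigabitEthernet1/0/2
 description isolated server
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Two members of one application silo share community VLAN 202, so the
! "server A will one day need server B" case is handled without touching
! the switch again as long as both live in the same silo.
interface GigabitEthernet1/0/3
 description app silo member A
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
!
interface GigabitEthernet1/0/4
 description app silo member B
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202
```

This is why isolation is "harder but not impossible": two isolated hosts can still reach each other through the gateway if it proxy-ARPs or routes traffic back into the same subnet, so the gateway's ACL (or the host firewalls Gary mentions) has to enforce the final say.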


