Educause Security Discussion mailing list archives
Re: Private Vlans
From: "Flynn, Gary - flynngn" <flynngn () JMU EDU>
Date: Thu, 28 Jul 2011 18:55:27 +0000
Thus far we've stayed away from them for the administrative complexity and operational difficulties they introduce. It is hard enough for admins to rollout, troubleshoot, upgrade, and maintain complex applications involving a dozen different components without requiring another group to be involved with each and every access need. Instead, we group systems with similar functionality, trust, and sensitivity classifications together and encourage the use of host firewalls for isolation from adjacent systems.

That said, we're looking at redesigning the architecture and Jeff's description of PVLANS for application silos looks attractive. We're also looking at the possibilities of using more IPSEC based access controls.

From: Dennis Bohn <bohn () ADELPHI EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Thu, 28 Jul 2011 13:01:38 -0400
To: <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Private Vlans

We are in a position to make a few changes on our network, and are kicking around the idea of private vlans on our server segments. Our thoughts so far are:

Advantages:
- Prevent a compromised machine from nmapping the segment.
- Make it harder (but not impossible) for the compromised machine to communicate with other machines on the segment.
- The idea of servers being isolated, and only able to communicate with the gateway is attractive.

Disadvantages:
- Time/energy to configure.
- Time/energy to maintain: no matter how much the server admin swears that server A will never ever ever need to communicate with Server B, .... that day will come! It seems like the permutations of necessary server-to-server communication could be prohibitive.

Has anyone tried this and are there any lessons learned that you would like to share?

TIA,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

--
Gary Flynn
Security Engineer
James Madison University
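As an added illustration (not from either post), here is what the server-segment design Dennis describes looks like as a Cisco IOS private VLAN configuration, with a community secondary VLAN covering the "server A must talk to server B" case he raises. VLAN numbers, the address and the interface names are constructed placeholders.

```text
! Constructed layout: primary VLAN 100 is the server segment; secondary VLAN
! 101 is isolated (servers that should only reach the gateway); secondary
! VLAN 102 is a community VLAN for servers that genuinely need each other.
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Promiscuous port: the gateway/firewall, reachable from every secondary VLAN.
interface GigabitEthernet1/0/1
 description gateway-firewall
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Isolated servers: at layer 2 they see the promiscuous port only, not each
! other, which is what stops a compromised host from sweeping the segment.
interface range GigabitEthernet1/0/2 - 10
 description isolated-servers
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community servers: when "that day comes", the change is moving a port's
! host-association from 101 to 102, not re-addressing anything.
interface range GigabitEthernet1/0/11 - 12
 description app-cluster-community
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! If this switch routes for the segment, the SVI must map the secondaries;
! otherwise the equivalent mapping belongs on the layer-3 device.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 private-vlan mapping 101,102
!
! Verification
show vlan private-vlan
show interfaces GigabitEthernet1/0/2 switchport
```

The isolation is a layer-2 property only: anything the gateway is willing to route between two servers on the same subnet still gets through, so the gateway ACL (or the host firewalls Gary mentions) has to enforce the same policy at layer 3.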