Firewall Wizards mailing list archives

Re: need opinion of security experts on network design


From: Andrew Girling <agirling () denetron com>
Date: Tue, 17 Jun 2008 17:28:24 -0400


On Jun 15, 2008, at 5:57 AM, shadow floating wrote:

Hi All,
I've been asked to give an opinion on a network design in which the
designer did the following to a network on multiple buildings of
multiple floors:
1-each floor is a separate VLAN
2-all switches in the floors are layer 3 switches (no layer 2 switches at all)
3-no VLAN spans multiple switches,
4-each of the floors' switches are connected via point-to-point
interconnecting VLAN to a core switch
5-No spanning tree at all in the network as each switch is a different
unique VLAN
6-All VLAN routing is done via the OSPF protocol
So I have about 50 VLANs with about 50 interconnecting VLANs.

Can anyone give me his opinion from a security point of view on that design?

thank you very much

regards,
Nad


Nad,

While this design provides vast segregation and simplifies Edge adds/moves/changes from a security perspective, it provides unnecessary complexity at the Core, making it harder to enforce security policies and leaves the door open for vulnerabilities from misconfiguration.

Each network is unique to meet the requirements of one or many organizations. However, as a network and security professional, I have a number of general concerns with this design:

1) "Each floor is a separate VLAN" & "no VLAN spans multiple switches"

How large are the floors in question? Where are the communication closets laid out? Having a 90m distance limitation in the horizontal run from the closet may cause cabling issues, and introduce additional closets/switches/VLANs on a given floor, unless the "no VLAN spans multiple switches" rule is broken, and this would also affect the "no spanning tree" rule. I can picture half a dozen situations where adds/moves/changes clash against the design.


2) "Each of the floors' switches are connected via point-to-point interconnecting VLAN to a core switch"

This is one of the areas I see potential for misconfiguration.

What is being done to address redundancy? Sectioning off each switch as its own VLAN straight to the core creates unnecessary traffic, and can be an excellent point of attack for network snooping or denial of service. The omission of a distribution layer can increase overhead and latency, and reduce network survivability.

Not to mention, since this is over multiple floors and buildings, traffic has to span greater distances to get to the Core, which increases latency, and requires a vast amount of backbone interconnects, since the distances in question would not be suitable for copper. It would require over 50 connections to the Core over fiber (assuming single links, no redundancy), since copper is well out of the question. Labor for installation, termination, and testing of the fiber optic cabling, GBICs and fiber jumpers for connecting the hardware, and maintenance/repair of the optical circuits is many times more expensive than a traditional Core-Distribution-Edge approach. What advantage does this design provide? Little to none, in my opinion.


3) How are occupants of the building laid out? Is each floor a unique organization? Is it a department? Are all the individuals that need access to the Accounting/Financial servers in the same work area, and thus on the same switch/VLAN? If not, how will your access controls to your financial database, for example, take place? This would require a long list of firewall rules to regulate access from diverse points on the network, and would be hard to maintain, susceptible to misconfiguration, and generally a security risk that could be avoided.


I would take the time to generate a list of requirements, before approaching a design. Some factors to consider include:

* Who is accessing the network, and from where? (layout of the organization(s))
* What do clients need access to? Can these functions be grouped?
* What boundaries should exist between clients and servers, clients and the Internet, clients and other clients, etc.?
* What level of service does the network need to provide? (things will break! what is acceptable, what isn't)

Your requirements should be derived from business and regulatory factors. Then, draft a physical design to meet your requirements.

Cheers,

Andrew

Attachment: PGP.sig
Description: This is a digitally signed message part
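As an added example (not code from the original thread or either poster), the following Python script models the design Nad describes, one layer-3 switch per floor with its own VLAN and its own point-to-point link to the core, and quantifies three of the concerns Andrew raises: the number of fiber interconnects the core must terminate, which edge switches have no redundant uplink, and how long a server's firewall rule list becomes when its users are scattered across VLANs rather than grouped on adjacent floors. The addressing plan (10.0.0.0/16 for floor VLANs, /31 links out of 10.255.0.0/24), the switch names, the server address and port, and the placement of the "accounting" users are all constructed for the example.

```python
"""Design-review helper for the per-floor-VLAN design in this thread.

Added example, not code from the original thread or its authors. It models
the design Nad describes (one L3 switch per floor, each floor its own VLAN,
each switch on its own point-to-point link to the core) and answers three of
Andrew's questions mechanically: how many core interconnects are needed,
which edge switches have a single uplink, and how many firewall rules a
server needs when its users are scattered across VLANs versus grouped.
Every subnet, switch name, server address and user placement is constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EdgeSwitch:
    name: str
    user_vlan: ipaddress.IPv4Network             # the floor's own VLAN
    uplinks: list = field(default_factory=list)  # point-to-point /31s to core


def build_design(buildings, floors_per_building, redundant=False):
    """One L3 switch per floor with its own /24 VLAN and its own /31 uplink
    (two uplinks when redundant=True). Address ranges are constructed."""
    floor_nets = ipaddress.ip_network("10.0.0.0/16").subnets(new_prefix=24)
    link_nets = ipaddress.ip_network("10.255.0.0/24").subnets(new_prefix=31)
    switches = []
    for b in range(1, buildings + 1):
        for f in range(1, floors_per_building + 1):
            sw = EdgeSwitch(f"b{b}-f{f}", next(floor_nets))
            sw.uplinks.append(next(link_nets))
            if redundant:
                sw.uplinks.append(next(link_nets))
            switches.append(sw)
    return switches


def core_interconnects(switches):
    """Physical links terminating on the core: one per uplink, because there
    is no distribution layer to aggregate them."""
    return sum(len(sw.uplinks) for sw in switches)


def single_uplink_switches(switches):
    """Edge switches whose whole floor goes dark if one link or port fails."""
    return [sw.name for sw in switches if len(sw.uplinks) < 2]


def no_overlap(switches):
    """Misconfiguration check: no two subnets in the design may overlap."""
    nets = [sw.user_vlan for sw in switches]
    nets += [link for sw in switches for link in sw.uplinks]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def acl_for_server(server_ip, port, user_switches):
    """Extended-ACL-style rules permitting only the VLANs that hold the
    server's users. Adjacent VLANs collapse into one supernet, so grouping
    users on neighbouring floors shortens the list; scattering them does not."""
    sources = ipaddress.collapse_addresses([sw.user_vlan for sw in user_switches])
    rules = [
        f"permit tcp {net.network_address} {net.hostmask} host {server_ip} eq {port}"
        for net in sources
    ]
    rules.append(f"deny ip any host {server_ip}")
    return rules


if __name__ == "__main__":
    design = build_design(buildings=5, floors_per_building=10)  # 50 VLANs
    print("core interconnects:", core_interconnects(design))
    print("switches with a single uplink:", len(single_uplink_switches(design)))
    print("subnets overlap-free:", no_overlap(design))
    grouped = design[0:4]                          # four adjacent floors
    scattered = [design[i] for i in (0, 7, 19, 33)]  # four floors far apart
    for label, users in (("grouped", grouped), ("scattered", scattered)):
        rules = acl_for_server("10.9.9.10", 1521, users)
        print(f"\n{label} accounting users -> {len(rules)} rules")
        for rule in rules:
            print("  ", rule)
```

Running the script for five buildings of ten floors reports 50 core interconnects, all 50 edge switches with a single uplink, and a two-line ACL for the grouped case (10.0.0.0/22 plus the trailing deny) against five lines for the scattered case. The same functions accept `redundant=True`, which doubles the interconnect count, illustrating how the cabling and labor cost of this design scales when redundancy is added.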

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
