Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
954
Views
12
Helpful
5
Replies

Design considerations for implementing a secure segregated VLAN

mitchen
Level 2
Level 2

‎11-19-2008 08:57 AM - edited ‎03-06-2019 02:34 AM

We currently have all our head office servers on one VLAN (on a 6500 series core switch) and accessable from all our remote sites (connected by IPSEC VPN) and from all our head office users.

I would like to segregate some of the servers into their own "secure" VLAN - which would only be accessable from the remote sites which needed to access the servers (and only from certain users within the head office).

I'm looking for suggestions on the best way to acheive this i.e. to segregate the servers from the rest of the network and provide appropriate security etc.

Can I simply create a new VLAN for these servers, and then use an access-list to only allow access from the specific remote sites which would need connectivity with the servers, blocking everything else?

What other suggestions, design considerations should be taken into account for this type of task? Any feedback would be welcomed!

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎11-19-2008 09:42 AM

Neil

"Can I simply create a new VLAN for these servers, and then use an access-list to only allow access from the specific remote sites which would need connectivity with the servers, blocking everything else?"

In a nutshell yes this is exactly what you would do. If all the access to the servers is from your own internal users then using acl's to control access to the servers is probably good enough. You could look to deploy a firewall if you wanted more security but that may be overkill for you.

In terms of additional considerations

1) I'm assuming a new vlan means new addressing ?. If so make sure none of the apps hosted on these servers rely on hardcoded IP addresses rather than DNS lookups.

2) Make sure that if you move some of the servers to the new vlan that any left in the existing vlan do not require L2 adjacency with servers that have moved - clustering springs to mind as an example although if you were clustering you would very probably move the entire cluster.

3) Your VPN access-lists would need updating at both ends with the new subnet details.

Jon

mitchen
Level 2
Level 2
In response to Jon Marshall

‎11-19-2008 10:27 AM

Jon,

thanks, thats very helpful - and also good to know that it seems relatively straightforward to achieve!

One additional thing that just sprung to mind - once I have this set-up, I will then have certain remote sites able to access these particular servers on the new VLAN.

But other devices (i.e. on the "normal" VLAN) in head office will still be able to access the remote offices - so what's to stop someone using a remote office as a "jump point" onto my new "secure" VLAN?

e.g. if someone is able to gain control of a PC at the remote site, they could possibly then use that as a means to connect to the servers on the new VLAN? (Obviously we will have the appropriate user access privileges etc on the servers themselves so I'm perhaps just being overly cautious here!)

Is there any way to mitigate against this sort of thing happening? (As I say, it's possibly a bit of a far-fetched scenario in the first place but I just wanted to make sure I'd thought everything through - my main objective with the creation of the new VLAN is to make these servers more secure)

Neil

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to mitchen

‎11-19-2008 10:39 AM

Neil

It's very difficult to mitigate against this sort of thing or at least it is without spending a bit of money :-)

Perhaps you could restrict what traffic is allowed between your HQ and remote sites as to take control of a PC requires certain protocols such as RDP/PC Anywhere etc..

But often this is just not practical.

Regardless of whether you had a firewall or just acl's to protect your new server vlan the only real way to mitigate against this is by the allowed remote users using an authentication token such as SecurID and you could then use the 6500 to intercept the request and pass of to an ACS server.

But this is a lot of extra work, and even then if a user in HQ can take over a users PC in the remote site while they are logged into one of the servers they would still have circumvented it.

Put simply the best you could do is to authenticate the users but as you say the servers themselves do this. If these servers were accessed externally i may want to look into that but yours aren't.

I suspect there are others that might disagree but i think if you just put your servers on a new vlan and control with ACL's that is a lot better than what you have now.

Jon

mitchen
Level 2
Level 2
In response to Jon Marshall

‎11-20-2008 02:21 AM

Thanks, Jon, that's some very useful feedback.

0 Helpful

Ryan Carretta
Cisco Employee
Cisco Employee

‎11-22-2008 02:57 PM

As Jon previously mentioned, the simplest and most obvious way to do this would be with ACLs.

A combination of security features could make your server site network quite secure (DHCP snooping, Dynamic ARP inspection, IP Source Guard, as well as previously mentioned ACLs).

Another thing you may consider given your design requirement is the use of private vlans. A community vlan may suit your requirement well. Check this link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/pvlans.html

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card