01-07-2025 11:09 AM
Hello.
In short: What is the correct, standard threat-prevention way to architect an isolated LAN for public use at the enterprise location?
I know to use a separate subnet and vlan.
Specifically, do the public subnet and VLAN connect to the same physical switch as the sensitive enterprise servers? Does the traffic that accesses the WWW route through the same physical firewall and Ethernet cables as the sensitive enterprise servers' traffic does?
Thank you!
01-08-2025 08:21 AM
Laugh, the really, really safe way is to not provide it at all.
One reason the foregoing isn't really a joke: although you may first be concerned about protecting your network, what about any liabilities from other networks being attacked from your public portion? (This issue is, somewhat, addressed by needing some form of authentication to get into the "public" network, and often a banner notice: we know who you are, you will be held accountable for misuse, your traffic might be analyzed and/or blocked, etc.)
As to an architecture for guarding your internal network, basically it's how paranoid you want to be, as such a public network might be considered as much of a potential threat as the rest of the world.
For example, if you host a DMZ, is it a completely different physical topology where its traffic doesn't transit any of your other devices? Ditto for any of your hosts with public IPs not in a DMZ.
Basically, in theory, using a totally separate physical topology is more secure, but at greater expense for the additional hardware.
So, you need to determine how secure you want to be and at what cost to answer your question. That would determine your architecture.
01-13-2025 06:50 AM
Thank you for your reply.
Is it standard practice to use the same physical firewall device to segment the DMZ , the WWW, and the sensitive enterprise servers?
01-13-2025 07:22 AM
I'm unsure I would say it's "standard practice" to share the same physical FW device. In my experience, it's a common practice, to minimize cost.
It's certainly standard, or even best, practice to implement some security, but it's very variable how it's done and/or how deeply it's done.
I recall from past queries that you work within the US military. That, alone, likely makes your network more of a priority target to be breached. I also have no idea how "sensitive" your local data is or where entering your system may lead to peer systems. (On the latter, a common issue I've seen: there's major focus on protecting the main Internet path, but remote sites with an Internet connection, even if just for VPN, often seem underappreciated as also being a path into the internal network.)
Don't take this as a personal attack, but I'm concerned that you have any need to publicly solicit what's standard practice for securing part of a possible military network. Laugh, it's sort of like asking what's standard practice for placing a spare key in a magnetic box on my auto, or whether the spare house key should be under the welcome mat or a flower pot.
However, perhaps you're in a situation where how to provide security has been proposed and you're just trying to sanity check that approach. If so, again, the security approach depends much on the value of what you're protecting.
01-14-2025 06:51 AM
Thank you for your speedy reply Joseph.
Actually, the USAF company is an acronym coincidence. I am not affiliated with anything military. I am flattered that you remember me!
You've answered my question. Thank you!
01-08-2025 03:19 PM
I believe there is no simple answer for that. Complete isolation means cost, and not all companies can afford to use dedicated hardware for everything. I believe at least you need to consider a DMZ and a firewall. If you have wireless, use an Anchor/foreign WLC.
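As an added illustration of the design the thread converges on (the public LAN on its own subnet and VLAN, sharing switch and firewall hardware with the servers to save cost, with the isolation done by policy rather than by separate cabling), here is an example configuration. It is not from the original posts or from Cisco documentation. The VLAN numbers, interface names, the 10.200.0.0/24 guest subnet and the 10.10.0.0/24 server subnet are all assumptions chosen for illustration, and the platform is assumed to be a Catalyst-style IOS switch trunked to a single IOS routing/firewall device that holds both gateways.

```cisco
! --- Shared access switch (assumed Catalyst-style IOS) ---
! Servers and guests share the same physical switch but never the same VLAN.
vlan 10
 name SERVERS
vlan 200
 name GUEST
!
interface GigabitEthernet1/0/10
 description Guest access port (public use) - assumed port
 switchport mode access
 switchport access vlan 200
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description Trunk to the shared firewall/router; carry only the VLANs it must see
 switchport mode trunk
 switchport trunk allowed vlan 10,200
!
! --- Shared routing/firewall device (assumed: one box, a policy per VLAN) ---
! Guest clients get DHCP and DNS from their own gateway, then only the Internet.
! All RFC 1918 space is denied before the final permit, so a guest cannot reach
! the server VLAN or any other internal subnet even though the same firewall
! routes for both.
ip access-list extended GUEST-IN
 remark DHCP (clients source from 0.0.0.0 to the broadcast address)
 permit udp any any eq bootps
 remark DNS to the guest gateway only (10.200.0.1 is an assumed address)
 permit udp any host 10.200.0.1 eq domain
 remark Block all internal address space, including the server VLAN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Anything else is Internet-bound
 permit ip any any
!
interface Vlan200
 description Guest gateway
 ip address 10.200.0.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface Vlan10
 description Server gateway (no guest traffic can be routed here)
 ip address 10.10.0.1 255.255.255.0
```

On platforms that require it, add `switchport trunk encapsulation dot1q` before `switchport mode trunk`. The practical check after applying this is from a guest client: Internet names must still resolve while a connection attempt to a 10.10.0.0/24 server address must fail, and `show ip access-lists GUEST-IN` should show the hit counts landing on the deny lines rather than the final permit. The caveat that comes with sharing one firewall is exactly this ordering: the guest policy and the server or DMZ policy live in the same rule base, so a rule inserted above the denies later (for example a broad permit added for troubleshooting) silently reopens the path the separate VLAN was meant to close, which is the argument the earlier replies make for separate hardware when the data justifies the cost.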