12-06-2016 01:20 PM - edited 03-05-2019 07:37 AM
I'm looking at re-segmenting our network and looking for some advice. Basically, our network consists of 25 locations (each with its own file server, DVR, PBX box, Cisco router and 48-port PoE switch).
Our main CORP location houses 95% of the servers and applications that each branch communicates with across MPLS. We are considering setting up a VLAN for user-facing servers, a VLAN for the security department, a VLAN for financial information, etc. Each location would have its own user VLAN that would allow it to communicate back to the user-facing server VLAN. Users and servers are segmented, although our security department has concerns that if someone were to run a scan from the user network, it would return all of the servers. Is there a better way of segmenting here?
We don't want to end up writing and managing hundreds of lines of ACLs either... has anybody redesigned along these lines or had any experience here?
12-06-2016 02:15 PM
Hi John,
To bring comfort to your security team and better aid security, it may be more appropriate to place a firewall at your corporate site. The VLANs that you intend to create would sit behind the firewall.
This can assist with some compliance needs, such as PCI.
Additionally, depending on the firewall technologies used, you could add more granularity by integrating with Active Directory for per-user-level control (remote site roaming, etc.).
12-06-2016 02:35 PM
Thank you for the recommendation... I should have added that we have the necessary firewall set up already.
As an example, we wanted to create 2 VLANs... one for the users and one for the majority of the servers at CORP. Security has concerns about putting everything together and is insisting that we use port-based ACLs, which will take a lot of time to configure (talk to all the vendors). The reason for putting all the servers together is that there are so many different applications running that we would end up with hundreds of VLANs if we segmented on that principle alone. Again, we would have to implement and manage the ACLs from scratch.
Are we stuck with having to implement multiple VLANs based on applications? Can AD isolate access to certain servers on a per-user basis if they are on the same VLAN?
12-06-2016 03:01 PM
OK,
That would be somewhat complex to administer, as you mention.
I wonder if you could use private VLANs.
If the traffic was within the same VLAN/subnet then no, the AD function would not help, as the traffic would most likely be switched.
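To make the two points in this thread concrete (a short, service-based ACL between the user and server VLANs instead of hundreds of per-server entries, and private VLANs to stop hosts inside the server VLAN from reaching or enumerating each other at layer 2), here is an added Cisco IOS configuration example. It is not from the original thread or from either poster; the VLAN IDs, addresses, interface names and the two services shown are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. VLAN IDs, subnets and ports are assumed:
!   user VLANs at all branches fall in 10.10.0.0/16 and arrive over MPLS,
!   the CORP server VLAN is VLAN 20 = 10.20.0.0/24, routed on the core switch.
!
! 1. Inter-VLAN control written per published service, not per server.
!    Applied outbound on the server SVI so it covers users from every branch,
!    whichever WAN interface they arrive on.
ip access-list extended USERS-TO-SERVERS
 remark SMB to the file server (assumed 10.20.0.10)
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.10 eq 445
 remark HTTPS front ends anywhere in the server VLAN
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 eq 443
 remark Anything else from the user range into the server VLAN is dropped and logged
 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.0.255 log
 permit ip any any
!
! 2. Private VLAN inside the server VLAN: VLAN 20 is the primary, VLAN 21 an
!    isolated secondary. Hosts in 21 can reach the gateway (the SVI, which acts
!    as the promiscuous side) but not each other, so a scan or a compromised
!    server in the VLAN does not see its neighbours at layer 2.
vtp mode transparent
vlan 20
 private-vlan primary
 private-vlan association 21
vlan 21
 private-vlan isolated
!
interface Vlan20
 description Server VLAN gateway (primary PVLAN)
 ip address 10.20.0.1 255.255.255.0
 ip access-group USERS-TO-SERVERS out
 private-vlan mapping 21
!
interface GigabitEthernet1/0/1
 description Server port, isolated secondary VLAN
 switchport mode private-vlan host
 switchport private-vlan host-association 20 21
```

Two practical notes. The ACL is deliberately short because it keys on the service (port) and, where a service lives on one host, a single `host` entry; it does not try to enumerate every server, which is what produces the hundreds of lines the original poster wants to avoid. Servers that genuinely need to talk to each other (an application tier and its database, for instance) belong in a community secondary VLAN rather than the isolated one, and every PVLAN member still needs the same gateway address, so the ACL on the SVI continues to apply to traffic routed in from the user VLANs. Verify with `show vlan private-vlan` and `show ip access-lists USERS-TO-SERVERS` (the hit counters on the `deny ... log` line show scan attempts from the user range).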