cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1507
Views
5
Helpful
28
Replies

One host per subnet concept

alanchia2000
Level 1
Level 1

Hi,

I would like to the limit the damage a virus can do in a network. I was told that having one host per subnet with ACLs can do the trick. Is that the best way to limit the exposure of an attack? Because, if I were to have hundreds of users and machines in the network, wouldn't that be not feasible to deploy? I heard that some major corporations are already doing that. Is it really true?

28 Replies 28

ohassairi
Level 5
Level 5

it is possible to do it. but i think this a very heavy solution and it will be difficult to manage it.

i think the best way to protect your PC is (in addition to using VLANs and ACL) installing this all in one softwares (antivirus/firewall/IPS) in your computers and you can manage them from a central console by defining different policies and rules for each group/vlan.

keeping your software updated and monitoing logs are very important

I do agree totally with what you have said. In fact, prior to this post, I have brought out this argument and my points doesn't seem strong enough under the scope of security. So let's just say I am forced to go with this solution until someone can propose a stronger argument to convince my bosses.

Having one subnet per host is to be honest a rather dumb idea and i know this is not your idea. Sometimes people in security come up with these great ideas with little understanding of how this impacts on the underlying network.

If you have a L2 access-layer to a layer 3 distro/core this is going to create such a management nightmare you will be spending most of your time trying to keep track of which user is in which vlan, why one user can access a certain app but another can't etc...

It is in my opinion total overkill. There may well be some machines that need extra protection and putting them in their own vlan can be a sensible things to do but i have never worked in an environment where all machines are equal. What is the cost of losing some machines to a virus compared to the management overhead that will be introduced.

By all means segregate machines into vlans based on their importance to the business and then secure accordingly ie. firewalls/IPS (both network and end host), ACL's, 802.1x, Network Admission Control (NAC) etc.. These are sensible precautions to take.

An additional argument could just be bandwidth use. If very device is in it's own subnet and you use L2 from the access-layer for a device to communicate with any other device the traffic would need to be routed to the distro/core layer and then routed back to the other client. This is horribly inefficient as you lose all the benefits of the switch fabric and are now limited to speed of the uplinks to the distro/core.

It's difficult to know how network oriented your security people are. Perhaps if you explained that what they are proposing is like having to maintain a different virus client on each and every host they may understand. That many subnets with that many acl's and there will be mistakes.

Jon

Hi Jon,

Nicely put. Unfortunately, whatever happens, it's always a "network fault": I can't turn on my computer. It's a network fault. The toilet lights are out. It's a network fault. The vending machine is broken. It's a network fault. There's a computer virus on the loose. Rightie-o daddy-o. It's a network fault.

A virus on the loose in a network can easily be mitigated if proper anti-virus software is mandatory in an OEM "image". But this software is useless if someone disables regular update of the anti-virus definition files.

I worked in an organization in 2007 when I discovered (using a packet sniffer) that the Slammer virus is all over the network. I was able to trace it down to a handful of hosts that were running non-OEM software and without any anti-virus software. Of course, the security guys blamed networks because of their thinking "without networks, the virus wouldn't have entered". Oh well ... after shutting down their ports, they got the message and installed anti-virus softwares and updated the definition files.

Well, I am not the manager of my network, so this is not within my jurisdiction. And I am task to execute this "one host per subnet" thingy.

Anyway, is PVLAN and VLAN ACL capable of doing it?

My worries are there are many levels of communications, for example:

1. Client to server

2. Server to server

3. Server to client

This is only going to make things worse with 1 host per subnet. If PVLAN and VLAN ACL can do the job. I will proceed with my studies on making this work in the context of security.

I hope you are paid good money because you are being asked to implement a solution that is only being used in a class (it's not even in a lab) environment.

PVLAN's and VACL's will not necessarily make your job any easier as you have to isolate every single device and control traffic with acl's between every single device.

I appreciate you are not the network manager but perhaps a different approach is to ask security exactly what they want to achieve - not HOW they want it achieved as that is for the network designer to say.

If they give you a list of requirements you could then look into tools/technologies that will achieve what you need.

Note that "each host on it's own subnet" is not a requirement. A requirement would be "If a host on a subnet gets infected it's impact on the rest of the network should be minimal".

Now that could mean only hosts on the same subnet and not any others or it could mean no other hosts at all but this needs to weighed up against the extra administrative cost of managing the solution.

Ask security which machines are critical in the business - if they say every single one then get a new security dept :-). Seriously though perhaps if they categorized servers/desktops by their importance.

Don't assume security people know about networks. They may but they may not. Last company i worked for had a network that covered the entire UK with over 1000 sites and an MPLS WAN. One of the security guys had used Microsoft ISA server from his previous company to lock down DHCP requests and stated we should do the same. Looking into what he had used it became clear that what they did only worked with L2 networks and not across L3 routed networks. When i explained this to him he could not see the problem with turning our entire network into one L2 flat network. Funnily enough we didn't go ahead with that implementation :-).

None of us on this thread are trying to make your job harder. We are just saying that it really isn't a scalable solution at least not without tools that can automate an awful lot of the administration but even then it makes little sense.

Jon

I agree with Jon 110%. The idea of placing each and every host in its own vlan is beyond overkill, its absurd.

We can all protect ourselves from infecting each other with germs and viruses by wearing astronaut suits all day, but how practical or reasonable is that?

Your network security team should be focusing on perimeter security ie, firewalling, IDS/IPS, etc. As an aside, I prefer separate appliances and not swich modules, if you use Cisco devices. Moreover, you can even implement a security paradigm in which you firewall between vlans within your enterpris, as companies who maintain sensitive client databases do to satisfy SOX and HIPAA requirements.

These are the things you can do from a network perspective.

Then the security/desktop support team needs to focus on personal security, like PC-based firewalls, virus scanners, etc.

HTH

Victor

Hi Jon,

I appreciate your honesty and sincere advice in this matter. However, the point has been made in the first post. It must limit the damage done by a virus or even a zero day attack which I have trouble defending my argument.

And yes, I do strongly agree that PVLAN and VACL does not made my job any easier.

For me, I prefer to have my solutions simple and easy to maintain and thus strong. However, implementing "one host per subnet" is very prone to configuration issues and very very unscalable. I will put those cons in my proposal. If he accepts that, then it's I will have to deploy it.

csthorne
Level 1
Level 1

Seems like it would be easier to set it up like the old telephone operator did. When someone wants to talk to another, just plug both into the switch, then after a prearranged time limit unplug both then wait for the next request.

Edison Ortiz
Hall of Fame
Hall of Fame

Is it really true?

False.

Just think how big the routing table would be on a 1k user site.

Your recommendation should concentrate at the WAN edge not the LAN edge. Most viruses attack come from the outside, not the inside and when it comes from the inside, it was caused by workstations that weren't properly patched.

The network can't solve the problem of having a flawed patching system for workstations.

At the WAN edge and even for internal edge monitoring, I recommend taking a read to the IOS documentation (Security section) for options:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4/sec_12_4_book.html

You can implement IPS/IDS - Network Admission Control among other features available in IOS.

The client is looking at you as the expert - do your thing.

__

Edison.

They are right. The Security people are already in the wrong to dictate the "solution" even though it's questionable. If you run with this, not only will your implementation will be difficult, but you might as well be under their control.

If you can't talk the Security team out of their half-baked solution, set up a proof-of-concept network to verify.

Hi,

Everyone, thanks for the suggestions. Unfortunately, the person proposing this solution is a network AND security person. By network, I mean he has many Cisco qualifications. And I am just only 1 paper away from my CCNP. I do know about the consequences about implementing his proposed solution, and yes, I am planning to set up a proof of concept to prove something.

If you do meet someone who has that many qualifications and is your superior. How much of convincing can you do?

The whole point is that he is trying to limit the damage that can potentially be done to the network. I do know a whole lot of tools which may solve that issue, but all those solutions require a signature which might not work on zero day attacks. So this is the one point I am unable to counter propose.

Review Cisco Networking for a $25 gift card