1319 Views, 5 Helpful, 28 Replies

One host per subnet concept

alanchia2000
Level 1

Hi,

I would like to limit the damage a virus can do in a network. I was told that having one host per subnet with ACLs can do the trick. Is that the best way to limit the exposure of an attack? Because, if I were to have hundreds of users and machines in the network, wouldn't that be not feasible to deploy? I heard that some major corporations are already doing that. Is it really true?

28 Replies

Alanchia,

The idea is retarded. Whoever gets tapped to set this up is going to spend an awful lot of time setting up a lot of filters for something that should be dealt with in SOE policy such as regular software updates and locking down of machines so that users can't turn off the automatic virus updates.

If it's you then I feel sorry for you. I don't reckon it will be too long before your boss reconsiders, however. The length of time to set up users and the inflexibility of the network would force me to have a rethink about it pretty quickly if I were him.

I presume you've expressed your opinion. If our bosses still want to do silly things after paying our salary so they don't listen to our opinions, then it's their problem.

good luck

Tony Henry

So if every host is on its own subnet this will stop a zero-day attack? Well it might, then again it might not. Each host presumably still needs to communicate with a server/servers. And if that server is infected and the ports that are used to transmit the virus are the same ports that are needed for the client to be able to communicate with the server.

You want to stop zero-day attacks? Unplug everything from the network, never connect to the Internet and only share data by printing it out. Sounds ridiculous? Not much more ridiculous than what he is proposing.

The key points that need to be addressed -

1) What is it he is trying to protect? In no company I have ever worked is every single device on the network equal. What he is proposing is a shotgun approach, i.e. let's try to solve the problem with a one-size-fits-all solution.

2) Has he considered the traffic patterns of the network if every single device needs to route to communicate with any other device?

3) Has he proposed how these ACLs will be managed? By the way, if he is serious about security, ACLs are not the way to go. Stateful firewalling is needed, and now things are really starting to get complicated.

He may have a lot of certifications, more than you, but that doesn't mean he is better than you. Doesn't mean he is worse either. A certification allows you to understand technologies and how they work together. But what it doesn't give you is experience. And although on paper this may seem like a great idea, it simply isn't. Here is what I would propose:

1) Use /25 or even /26 subnets for your clients.

2) On these client subnets make sure there is nothing that a client needs to communicate with, i.e. printers etc. need to go on their own subnets.

3) You can then use ACLs/firewalls to lock down what ports the clients can use to connect to machines off their VLAN.

4) Keep AV up to date on clients. Consider a heuristic agent as well that not only checks for signatures but also "abnormal" behaviour.

The above assumes that if a virus gets onto one of the clients then the worst it can do is propagate within the VLAN but not outside. Even this is debatable depending on the ports.

If your security guy says that isn't good enough, ask him for his analysis of how important each client is to the business and how much cost there is to the business compared with how much cost there is in managing the solution. He has costed up managing the solution, right?

For the servers you can take a different approach. Yes, by all means segregate servers by functionality into separate VLANs. IDS/IPS + firewalling are perfectly logical things to do.

Also on the Cisco site there are many useful papers on L2 and L3 security that could be used.

I appreciate it is difficult for you, but everybody on this thread has advised you it really isn't a manageable/sensible solution, and there are some pretty experienced people on this thread.

The more complicated you make something the harder it is to manage. The harder it is to manage the more likely mistakes will be made. And the more mistakes you make the less secure your network will end up being.

Jon

I say you handle this security fool the Brooklyn way: Wait til he goes to the bathroom and yoke 'em.

All kidding aside, if this guy is really up the ladder from you, then this is the perfect opportunity for you to make him look like the moron that he is and take his position.

Present your case in bulleted fashion, offer solutions on the network level and the client level, and make sure you put the onus of proof on that jerk.

"I say you handle this security fool the Brooklyn way: Wait til he goes to the bathroom and yoke 'em."

Now I understand how you got to be where you are today :-)

Jon:

Come now, it's a dog-eat-dog world out there, my friend. Sometimes people need a little, how shall we say, convincing. LOLOL

By the way, have you seen Rick Burts? Haven't "heard" from him lately on this board -- miss his stuff.

I thought I would add this to the mix.

What about creating an MPLS network to obtain the segmentation required?

For example, create VRFs as follows:

vrf for app Servers

vrf for file Servers

vrf for print servers

vrf for client A (multiple clients)

vrf for client B (multiple clients)

vrf for client C (multiple clients)

And then configure appropriate route leakage.

This is just a topic for conversation, not a real-world solution.

Mark
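Jon's client-VLAN layout above (clients on /26 subnets, printers and servers on their own segments, ACLs deciding which ports clients may use off their VLAN) and Mark's VRF sketch are the same idea with different boundaries: a segment inside which everything talks freely, and a per-role allow-list for crossing it. The script below is an added example written for this thread (not code from the thread, from Cisco, or from any of the posters) that models such a layout and re-runs the identical policy with one host per subnet, so the two can be compared on how far a worm using a given port can spread. Every address, role, host count and port rule in it is constructed for illustration; the segment names, `POLICY` table and helper functions are assumptions of the example, not anything the posters described.

```python
"""Blast-radius check for a segmented client/server network.

Added example for this thread (not code from the thread or from Cisco).
It models a client-VLAN layout with servers and printers on their own
segments and a per-role off-segment ACL policy, then re-runs the same
policy with one host per subnet so the two layouts can be compared.
All addresses, roles, host counts and port rules are constructed.
"""
from collections import deque
import ipaddress

# Constructed segments: a segment is an L2/L3 boundary (a VLAN here; a VRF
# would play the same part). Everything inside a segment can talk freely.
SEGMENTS = {
    # name: (prefix, role of its hosts, number of sample hosts)
    "clients_a": ("10.10.0.0/26", "client", 4),
    "clients_b": ("10.10.0.64/26", "client", 4),
    "printers":  ("10.10.1.0/28", "printer", 1),
    "file_srv":  ("10.10.2.0/28", "file_server", 1),
    "app_srv":   ("10.10.3.0/28", "app_server", 1),
}

# Off-segment policy by role: which (destination role, TCP port) a host may
# initiate a connection to. Intra-segment traffic never hits this list.
POLICY = {
    "client":      {("printer", 9100), ("file_server", 445), ("app_server", 443)},
    "app_server":  {("file_server", 445)},
    "file_server": set(),
    "printer":     set(),
}


def build_hosts(per_host_subnets=False):
    """Return {ip: (segment, role)} for the constructed topology.

    With per_host_subnets=True every host becomes its own segment (the
    "one host per subnet" proposal) while keeping its role, and so the
    same off-segment ACL policy."""
    hosts = {}
    for seg, (prefix, role, count) in SEGMENTS.items():
        for ip in list(ipaddress.ip_network(prefix).hosts())[:count]:
            ip = str(ip)
            hosts[ip] = (ip if per_host_subnets else seg, role)
    return hosts


def can_initiate(src, dst, port):
    """src and dst are (segment, role) tuples."""
    if src[0] == dst[0]:
        return True                      # same VLAN/VRF: no ACL in the path
    return (dst[1], port) in POLICY.get(src[1], set())


def blast_radius(hosts, patient_zero, port):
    """Breadth-first spread: each newly infected host can initiate in turn.
    Returns {ip: hops from patient_zero} for every reachable host."""
    hops = {patient_zero: 0}
    queue = deque([patient_zero])
    while queue:
        cur = queue.popleft()
        for ip, info in hosts.items():
            if ip not in hops and can_initiate(hosts[cur], info, port):
                hops[ip] = hops[cur] + 1
                queue.append(ip)
    return hops


def compare_layouts(patient_zero, port):
    """Hosts reached (patient zero included) under both layouts for a worm
    spreading on `port`, plus whether any server was among them."""
    result = {}
    for name, per_host in (("vlan_layout", False), ("per_host_layout", True)):
        hosts = build_hosts(per_host)
        reached = blast_radius(hosts, patient_zero, port)
        result[name] = len(reached)
        result[name + "_hit_server"] = any(
            hosts[ip][1].endswith("_server") for ip in reached)
    return result


if __name__ == "__main__":
    # 445 and 443 are ports the clients legitimately need; 3389 is not allowed.
    for port in (445, 443, 3389):
        print(port, compare_layouts("10.10.0.1", port))
```

Running it shows the point made earlier in the thread: on a port the policy does not permit, both layouts confine the infection, and per-host subnets only shrink the intra-VLAN spread that the /26 already bounds; on a port the clients need (445 to the file server, 443 to the app server) the server is reached in one hop under either layout, so the per-host scheme buys nothing there. With VRFs the leaked routes decide which roles are reachable at all and the port column of `POLICY` still has to come from an ACL or firewall; the model treats both the same way.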

Oh dear, now the security guy will probably decide he wants one VRF per device just to be on the safe side :-)

"By the way, have you seen Rick Burts?"

Not recently no. Maybe he's just taking a well earned rest...

Victor,

"I say you handle this security fool the Brooklyn way: Wait til he goes to the bathroom and yoke 'em." < --- How CRUDE! Do this the Filipino way ... switch his coffee/tea cream with Ex-Lax. He he he ...

Jon,

Everyone in this forum topic is saying that the security "expert" (who probably got his certification from the back of a cereal box), is a dim-wit who probably doesn't know how to implement the solution in the first place.

My 2c ...

Leo/Jon:

By the way, "yoke 'em" means to get him in a headlock and punch him in the face real quick and walk away as if nothing happened. Just needed to clear that point, given that I mentioned that the "yoking" should take place in the bathroom. LOLOL

Victor,

Anything (gruesome) can happen in a bathroom. But switching coffee/tea cream with Ex-Lax can eventuate with a "yoking" too. :)

I do see how all the solutions proposed gel together. VRF and 1 host per subnet have to come together in order for this solution to work. BUT, I will try to convince my superior that the maintenance requires a huge overhead and dissuade him from using this solution.

You're right. In the current financial situation, I'd mention that it would incur a significant amount of "financial" overhead: developing, testing, implementation and support. With the majority to be done after hours, it would mean some overtime pay for you.

WTF ??? You have PAID OVERTIME ??

hmm I need to go talk to my boss now..

But I agree with it being a very very expensive solution, and there are better ways to get the same bang or more bang for the buck, so to say.
