What is your network infratructure security ?

Hello,
(first sorry if I make mistakes as I am not fluent ;-)).

I am working for a big company and we would like to secure our network
infrastructure (Lan ip addresses etc...).

Here is the situation.
Actually, we can say that we have no network security as our
workstations and our servers are in the same LAN (10.10.x.x/16).

We would like to secure this by restructuring our LAN.

I was thinking about doing that :

1. Segment the network by zone (critical, Important, Normal).
2. Each zone will have a specific network address.
3. Each zone will have two sub-zone with two VLANs. The first sub-zone
will be for the "presentation servers" (like IIS etc...) and the second
sub-zone will protect the datas (SQL Server, specific applications
etc...)

Then a user will :
- only be able to connect to the needed zone (he will not have any
access to the "critical" zone if not needed).
- only be able to connect to the first sub-zone (IIS) and never to the
SQL Server for every zone.

What do you think about this infrastructure ?

Should it be too "heavy" for our network administrators to configure
them ?

Do you have others ideas ?

Thanks

--
Eric

Hello Eric,

Domain internal you can of course separate workstations and servers with
VLANs. But for your users you also have the need to access all applications
like SQL, IIS etc. i assume, so with all subnets you have to make sure they
can work.

Your current ip range consist of 65534 hosts, do you need that amount of,
you have really big broadcasting domain that way?
Network: 10.10.0.0
Network mask: 255.255.0.0
First host address: 10.10.0.1
Last host address: 10.10.255.254

To secure your network you have to use firewalls, not subnets. But therefore
you have also to make sure, that domain controllers for example, must replicate
and therefore needs different ports to be open.

So i think, deviding the big ip range in multiple subnets is fine. But "blocking"
domain internal traffic doesn't really help.

Use access control to servers and configure the user workstations to allow
or disallow applications and tasks they are able to do. Also configure shared
folders for your needs and most important, don't make your users local admin.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello,
> (first sorry if I make mistakes as I am not fluent ;-)).
> I am working for a big company and we would like to secure our network
> infrastructure (Lan ip addresses etc...).
>
> Here is the situation.
> Actually, we can say that we have no network security as our
> workstations and our servers are in the same LAN (10.10.x.x/16).
> We would like to secure this by restructuring our LAN.
>
> I was thinking about doing that :
>
> 1. Segment the network by zone (critical, Important, Normal).
> 2. Each zone will have a specific network address.
> 3. Each zone will have two sub-zone with two VLANs. The first sub-zone
> will be for the "presentation servers" (like IIS etc...) and the
> second
> sub-zone will protect the datas (SQL Server, specific applications
> etc...)
> Then a user will :
> - only be able to connect to the needed zone (he will not have any
> access to the "critical" zone if not needed).
> - only be able to connect to the first sub-zone (IIS) and never to the
> SQL Server for every zone.
> What do you think about this infrastructure ?
>
> Should it be too "heavy" for our network administrators to configure
> them ?
>
> Do you have others ideas ?
>
> Thanks
>