Re: What is your network infrastructure security ?




Hello Eric,

Within the domain you can of course separate workstations and servers with VLANs. But your users also need to access all applications like SQL, IIS etc., I assume, so with all subnets you have to make sure they can work.

Your current IP range consists of 65534 hosts. Do you need that many? You have a really big broadcast domain that way.
Network: 10.10.0.0
Network mask: 255.255.0.0
First host address: 10.10.0.1
Last host address: 10.10.255.254

To secure your network you have to use firewalls, not subnets. But for that you also have to keep in mind that domain controllers, for example, must replicate and therefore need different ports to be open.

So I think dividing the big IP range into multiple subnets is fine. But "blocking" domain-internal traffic doesn't really help.

Use access control to servers and configure the user workstations to allow or disallow applications and tasks they are able to do. Also configure shared folders for your needs and, most important, don't make your users local admins.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello,
(first sorry if I make mistakes as I am not fluent ;-)).
I am working for a big company and we would like to secure our network
infrastructure (LAN IP addresses etc...).

Here is the situation.
Actually, we can say that we have no network security as our
workstations and our servers are in the same LAN (10.10.x.x/16).
We would like to secure this by restructuring our LAN.

I was thinking about doing this:

1. Segment the network by zone (critical, Important, Normal).
2. Each zone will have a specific network address.
3. Each zone will have two sub-zones with two VLANs. The first sub-zone
   will be for the "presentation servers" (like IIS etc...) and the
   second sub-zone will protect the data (SQL Server, specific
   applications etc...)

Then a user will:
- only be able to connect to the needed zone (he will not have any
  access to the "critical" zone if not needed).
- only be able to connect to the first sub-zone (IIS) and never to the
  SQL Server for every zone.

What do you think about this infrastructure?

Should it be too "heavy" for our network administrators to configure
them?

Do you have other ideas? :D

Thanks
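
The zone plan from the question combined with the reply's advice to split the /16 and enforce access at a firewall, as an added example that is not part of either post. The /20 prefix, the zone names, the port numbers and the sample flows are assumptions chosen for illustration.

```python
import ipaddress

# Assumptions: /20 zones carved from the thread's 10.10.0.0/16; zone names,
# ports and the sample flows below are constructed for illustration.
LAN = ipaddress.ip_network("10.10.0.0/16")
NAMES = ["workstations", "normal-web", "normal-data", "important-web",
         "important-data", "critical-web", "critical-data"]
ZONES = dict(zip(NAMES, LAN.subnets(new_prefix=20)))

# Default deny between zones: (source zone, destination zone) -> TCP ports.
# Workstations reach presentation tiers only; each presentation tier reaches
# only its own data tier. Domain controller traffic needs its own entries.
ALLOW = {
    ("workstations", "normal-web"): {80, 443},
    ("workstations", "important-web"): {443},
    ("normal-web", "normal-data"): {1433},
    ("important-web", "important-data"): {1433},
    ("critical-web", "critical-data"): {1433},
}

def zone_of(addr):
    """Return the zone name containing addr, or None if unassigned."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), None)

def is_allowed(src, dst, port):
    """Evaluate one flow against the inter-zone policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False              # unassigned address space: deny
    if sz == dz:
        return True               # same VLAN, never crosses the firewall
    return port in ALLOW.get((sz, dz), set())

def denied(flows):
    """Return the flows the policy would block."""
    return [f for f in flows if not is_allowed(*f)]

SAMPLE_FLOWS = [                           # constructed test traffic
    ("10.10.0.25", "10.10.16.10", 443),    # workstation -> normal IIS
    ("10.10.0.25", "10.10.32.10", 1433),   # workstation -> normal SQL
    ("10.10.16.10", "10.10.32.10", 1433),  # normal IIS -> normal SQL
    ("10.10.0.25", "10.10.80.10", 443),    # workstation -> critical IIS
    ("10.10.16.10", "10.10.64.10", 1433),  # normal IIS -> important SQL
]

if __name__ == "__main__":
    print({n: str(net) for n, net in ZONES.items()})
    print("denied:", denied(SAMPLE_FLOWS))
```

Traffic inside one zone is always allowed here because it never reaches the firewall, which is why the subnet split alone does not restrict anything.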


