[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Network Segmentation Approaches
- Subject: Network Segmentation Approaches
- From: list at satchell.net (Stephen Satchell)
- Date: Tue, 05 May 2015 05:53:24 -0700
- In-reply-to: <[email protected]>
- References: <[email protected]>
On 05/04/2015 07:55 PM, nanog1 at roadrunner.com wrote:
> Possibly a bit off-topic, but curious how all of you out there segment
> your networks. Corporate/business users, dependent services, etc. from
> critical data and/or processes with remote locations thrown in the mix
> which could be mini-versions of your primary network.
Add "management zone" or "infrastructure zone":
Consider setting up a separate zone or zones (via VLAN) for devices with
embedded TCP/IP stacks. I have worked in several shops using switched
power units from APC, SynAccess, and TrippLite, and find that the TCP/IP
stacks in those units are a bit fragile when confronted with a lot of
traffic, even when the traffic is not addressed to the embedded devices.
Separately, an ISP discovered that a consumer-grade NAS has the same
problem.
These should be on a separate subnet anyway, with unfettered access from
the outside disallowed at the edge. To access the infrastructure
equipment, you would use VPN to bypass your edge router access lists.
If you have a lot of inside equipment not under your direct control,
consider locking them out of the infrastructure subnet, too.
Needless to day, watch the load you direct at these embedded devices.
My current day job installed Solar Winds to monitor everything. The
probes from the software knocked out the SNMP access to all too many of
the PDU devices on the network.