[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Network Segmentation Approaches

Subject: Network Segmentation Approaches
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 6 May 2015 17:25:23 -0400
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]> <[email protected]>

this is really a form of: "A subnet should contain all things of a
like purpose/use."

that way you don't have to compromise and say: "Well... tcp/443 is OK
for ABC units but deadly for XYZ ones! block to the 6 of 12 XYZ and
permit to all ABC... wait, can you bounce off an ABC and still kill an
XYZ? crap... pwned."

segregation by function/purpose... best bet you can get.


On Wed, May 6, 2015 at 3:59 PM,  <charles at thefnf.org> wrote:
>
>> Consider setting up a separate zone or zones (via VLAN) for devices
>> with embedded TCP/IP stacks.  I have worked in several shops using
>> switched power units from APC, SynAccess, and TrippLite, and find that
>> the TCP/IP stacks in those units are a bit fragile when confronted
>> with a lot of traffic, even when the traffic is not addressed to the
>> embedded devices.
>
>
> Yes! This.
>
> I used to have my PDUs/term serves/switches all on one VLAN. As growth
> occurred, they get broken out to dedicated VLANs. With that, the amount of
> false positives from Zenoss went way down (frequently port 80 would report
> down, then clear). I still get some alerts, but far less frequently.

References:
- Network Segmentation Approaches
  - From: nanog1 at roadrunner.com (nanog1 at roadrunner.com)
- Network Segmentation Approaches
  - From: list at satchell.net (Stephen Satchell)
- Network Segmentation Approaches
  - From: charles at thefnf.org (charles at thefnf.org)

Prev by Date: Network Segmentation Approaches
Next by Date: Alcatel-Lucent 7750 Service Router (SR)
Previous by thread: Network Segmentation Approaches
Next by thread: Network Segmentation Approaches
Index(es):
- Date
- Thread