A variation of #2: put the servers on separate subnets and then, instead of
trying to maintain separate subnets for the clients, have them use a VPN to get
access to their systems. You need to have some sort of audit trail in many cases
anyway; the VPN up/down audit trail will cover a lot of it.
David Lang
On Fri, 15 Jan 2016, Ski Kacoroski wrote:
Date: Fri, 15 Jan 2016 14:53:29 -0800
From: Ski Kacoroski <[email protected]>
To: Lopsa Discussion <[email protected]>
Subject: [lopsa-discuss] Network Layout Question
Hi,
I am part of a smallish (16 people) IT group and we are planning to redo our
network layout. Currently we have a very simple layout with a different
class B for each of our 34 sites (e.g. site1 10.191.0.0, site2 10.172.0.0)
with a few subranges defined. This part I have pretty well figured out based
on the network topology and services.
The part I cannot figure out is what is the best practice for our datacenter.
We currently break up subnets by type of machine (linux, windows, blackbox,
etc.). The problem is that anyone on our network has access to any server
which is suboptimal. What I want to do is limit access to servers and server
ports to the groups who need that access.
I can see two ways to do this with my current set up:
#1: I have an F5 BigIP and could set up VIPs for each server and then have
everything go through the F5. Pluses are that it would log all accesses and
block all other ports to the server. I would put the server team's client
machines onto a separate management network so they have direct access to the
servers. Downside is setting this all up and maintaining it.
#2: Set up separate networks for each group's client machines (server team,
network team, database team, technology team), set up their servers on
separate VLANs, and only allow them access to their servers. Pluses are, once
this is set up, I only have to make sure the server is in the correct VLAN for
the group to have access to it. I would use the F5 to allow public access to
applications running on the servers. Downside is I have to make sure their
client machines are on the correct VLANs.
I am wondering what you have done and what you would do differently if you
had another chance?
Thanks for your time.
cheers,
ski
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
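The layout in Ski's option #2 (a client subnet per team, a server VLAN per team, a default-deny policy between them, the F5 fronting public applications) and David's variation (roaming clients land in a per-team VPN pool instead of a maintained client VLAN) both reduce to one table: which source networks may reach which server VLAN on which ports. The block below is an added example, not code from either poster, that holds that table as data, answers "is this flow allowed?" for a given source, destination and port, and renders the same policy as an nftables forward chain. Every team name, subnet, VPN pool, VLAN range, F5 SNAT address and port list in it is constructed for illustration; the thread gives none of them.

```python
"""Policy-as-data for a per-team server VLAN layout with per-team VPN pools.

Added example; the networks below are assumptions, not values from the thread.
"""
import ipaddress
from typing import Optional

# Assumption: each team has a client subnet (option #2), a VPN address pool
# (David's variation), one server VLAN, and the management ports it needs.
TEAMS = {
    "server":   {"clients": ["10.200.10.0/24", "10.99.10.0/24"],
                 "vlan": "10.250.10.0/24", "ports": [22, 3389]},
    "network":  {"clients": ["10.200.20.0/24", "10.99.20.0/24"],
                 "vlan": "10.250.20.0/24", "ports": [22, 443]},
    "database": {"clients": ["10.200.30.0/24", "10.99.30.0/24"],
                 "vlan": "10.250.30.0/24", "ports": [22, 5432]},
}

# Assumption: the F5 SNATs client traffic to this address when it talks to
# pool members, so only that address may reach application ports from outside.
F5_SNAT = ipaddress.ip_network("10.250.1.5/32")
APP_PORTS = [80, 443]

# Pre-parse the strings once so lookups are plain "address in network" tests.
_CLIENT_NETS = {t: [ipaddress.ip_network(n) for n in cfg["clients"]]
                for t, cfg in TEAMS.items()}
_SERVER_VLANS = {t: ipaddress.ip_network(cfg["vlan"]) for t, cfg in TEAMS.items()}


def team_of_client(src: str) -> Optional[str]:
    """Team whose client subnet or VPN pool contains src, else None."""
    ip = ipaddress.ip_address(src)
    for team, nets in _CLIENT_NETS.items():
        if any(ip in n for n in nets):
            return team
    return None


def team_of_server(dst: str) -> Optional[str]:
    """Team whose server VLAN contains dst, else None."""
    ip = ipaddress.ip_address(dst)
    for team, vlan in _SERVER_VLANS.items():
        if ip in vlan:
            return team
    return None


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is permitted only if the destination is a managed
    server VLAN and the source is either the F5 hitting an application port or
    a client of the same team hitting one of that team's management ports."""
    dst_team = team_of_server(dst)
    if dst_team is None:
        return False
    if ipaddress.ip_address(src) in F5_SNAT:
        return port in APP_PORTS
    return team_of_client(src) == dst_team and port in TEAMS[dst_team]["ports"]


def render_nftables() -> str:
    """Render the same policy as an nftables forward chain that drops and logs
    everything not explicitly listed."""
    out = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    app = ", ".join(str(p) for p in APP_PORTS)
    for team, cfg in TEAMS.items():
        mgmt = ", ".join(str(p) for p in cfg["ports"])
        for cnet in cfg["clients"]:
            out.append(f"    ip saddr {cnet} ip daddr {cfg['vlan']} "
                       f"tcp dport {{ {mgmt} }} accept comment \"{team}\"")
        out.append(f"    ip saddr {F5_SNAT} ip daddr {cfg['vlan']} "
                   f"tcp dport {{ {app} }} accept comment \"f5-to-{team}\"")
    out += ["    log prefix \"seg-drop \" drop", "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nftables())
    for flow in [("10.200.30.7", "10.250.30.10", 5432),   # db client -> db vlan
                 ("10.99.20.4", "10.250.20.9", 443),      # network team via VPN
                 ("10.200.10.7", "10.250.30.10", 5432),   # server team -> db vlan
                 ("10.250.1.5", "10.250.30.10", 5432)]:   # F5 -> non-app port
        print(flow, "allow" if is_allowed(*flow) else "drop")
```

Moving a server between teams is then a matter of which VLAN it sits in, which is the property Ski wanted; adding a team's VPN pool to its `clients` list is what makes David's variation work without maintaining client VLANs, and the `log ... drop` at the end of the chain gives the denied-flow side of the audit trail that the VPN up/down log does not.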