David,
We actually ended up with 4 vlans:
Public: servers accessible to the public via the firewall (e.g. parent, student access to grades, forms for the public, etc.)
NSD-all: servers accessible to anyone who is on our private network (print servers, file servers)
NSD-Staff: servers accessible only to staff on our private network (mail, teacher access to student data)
Technology: servers accessible only by the technology folks and only from a special management subnet that their workstations have to be on. This is our private subnet that is locked down in our building or via the VPN. (database, monitoring, etc.)
We will then limit access between the vlans.
cheers,
ski
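The four-tier design above, written out as an access policy that can be unit-tested before it is pushed to the firewall. This is an added example, not code from the thread or from ski's network: the VLAN CIDRs, the management subnet and VPN pool, the published ports, the source "groups" (which assume staff/technology identity comes from VPN or NAC authentication rather than from the source address) and the single inter-VLAN exception are all assumptions chosen for illustration. Only the tier names and who is meant to reach each tier come from the message.

```python
"""Added example, not from the thread: the four server tiers from ski's reply
expressed as a testable access policy. VLAN CIDRs, the management subnet, the
port numbers and the inter-VLAN exception are assumptions for illustration;
only the tier names and their intended audiences come from the message."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

IPNet = ipaddress.IPv4Network

# Assumed datacenter addressing (the thread gives only the per-site class Bs).
VLAN = {
    "Public":     IPNet("10.200.10.0/24"),
    "NSD-all":    IPNet("10.200.20.0/24"),
    "NSD-Staff":  IPNet("10.200.30.0/24"),
    "Technology": IPNet("10.200.40.0/24"),
}
PRIVATE = IPNet("10.0.0.0/8")              # assumption: all 34 site ranges sit under 10/8
MGMT = [IPNet("10.250.0.0/24"),             # assumption: the locked-down management subnet
        IPNet("10.250.1.0/24")]             # assumption: the VPN pool that lands technology staff on it
PUBLIC_PORTS = {80, 443}                    # assumption: what the firewall publishes on Public
# Server-to-server exceptions as (src tier, dst tier, port). The one assumed entry is a
# public-facing app reaching a database that lives in the Technology tier. Every entry
# here is a hole through the tiering, so keep the list short and reviewed.
INTER_VLAN = {("Public", "Technology", 5432)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    groups: FrozenSet[str] = frozenset()  # who the source is, e.g. {"staff"}; assumption:
                                          # learned from VPN/NAC authentication, never from the IP


def tier_of(ip: str) -> Optional[str]:
    """Map an address to the server VLAN it belongs to, or None for client/Internet space."""
    a = ipaddress.ip_address(ip)
    return next((name for name, net in VLAN.items() if a in net), None)


def decide(f: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason) for one flow under the four-tier policy. Default deny."""
    src = ipaddress.ip_address(f.src)
    src_tier, dst_tier = tier_of(f.src), tier_of(f.dst)
    if dst_tier is None:
        return False, "destination is not in a server VLAN"
    if src_tier is not None:                       # a server talking to another server
        if src_tier == dst_tier:
            return True, "same VLAN (the inter-VLAN firewall never sees it)"
        if (src_tier, dst_tier, f.dport) in INTER_VLAN:
            return True, f"explicit inter-VLAN exception {src_tier}->{dst_tier}:{f.dport}"
        return False, f"no inter-VLAN exception for {src_tier}->{dst_tier}:{f.dport}"
    if dst_tier == "Public":
        # Management access to Public servers (ssh etc.) is not covered by the message;
        # it would need its own explicit entry rather than a wider rule here.
        if f.dport in PUBLIC_PORTS:
            return True, "Public: published port"
        return False, "Public: only published ports pass the firewall"
    if src not in PRIVATE:
        return False, f"{dst_tier}: reachable from the private network only"
    if dst_tier == "NSD-all":
        return True, "NSD-all: any private-network source"
    if dst_tier == "NSD-Staff":
        if "staff" in f.groups:
            return True, "NSD-Staff: staff identity"
        return False, "NSD-Staff: staff only"
    if dst_tier == "Technology":
        if any(src in n for n in MGMT) and "technology" in f.groups:
            return True, "Technology: management subnet and technology identity"
        return False, "Technology: management subnet (building or VPN) only"
    return False, "default deny"


if __name__ == "__main__":
    tech = frozenset({"staff", "technology"})
    for f in [Flow("198.51.100.7", "10.200.10.5", 443),
              Flow("198.51.100.7", "10.200.20.5", 445),
              Flow("10.191.3.20", "10.200.20.5", 445),
              Flow("10.191.3.20", "10.200.30.5", 993),
              Flow("10.191.3.20", "10.200.30.5", 993, frozenset({"staff"})),
              Flow("10.191.3.20", "10.200.40.5", 22, tech),
              Flow("10.250.1.9", "10.200.40.5", 22, tech),
              Flow("10.200.10.5", "10.200.40.5", 5432),
              Flow("10.200.10.5", "10.200.20.5", 445)]:
        ok, why = decide(f)
        print(f"{'ALLOW' if ok else 'DENY ':5} {f.src:>14} -> {f.dst}:{f.dport:<5} {why}")
```

The two decisions worth looking at are the last ones: a server in the Public VLAN is the least trusted thing in the building, so it is not treated as "anyone on our private network" and cannot reach NSD-all unless a specific (src tier, dst tier, port) exception says so. That exception list is where the tiering leaks, which is why it is a small reviewed set rather than a rule of the form "servers may talk to servers".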
On 01/28/2016 08:50 PM, David Lang wrote:
a variation of #2, put the servers on separate subnets and then instead
of trying to maintain separate subnets for the clients, have them use a
VPN to get access to their systems. You need to have some sort of audit
trail in many cases anyway, the VPN up/down audit trail will cover a lot
of it.
David Lang
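How the VPN up/down trail David mentions turns a source address in a server log back into a person, as an added example that is not part of David's message or of any product. Both log formats, the users, the addresses and the timestamps are constructed for the example (a product-neutral `key=value` layout, not any real VPN's format); the attribution rule is the simple one that the trail supports: an access at time t from address a belongs to the user whose session on a was up at t.

```python
"""Added example, not from the thread: join server-side access events to the VPN
session up/down trail by (client address, time window). The log lines, users and
addresses below are constructed for the example and are not a real product's format."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed VPN trail. Note the pool address 10.250.1.9 is handed to jdoe, released,
# and later handed to asmith: the thing that makes time windows, not just IPs, matter.
VPN_LOG = """\
2016-01-28T08:02:11Z vpn session=up user=jdoe client_ip=10.250.1.9
2016-01-28T08:40:00Z vpn session=down user=jdoe client_ip=10.250.1.9
2016-01-28T09:00:30Z vpn session=up user=asmith client_ip=10.250.1.9
2016-01-28T09:30:00Z vpn session=up user=bwu client_ip=10.250.1.17
"""
# Constructed server-side events (what a Technology-tier host would log).
SERVER_LOG = """\
2016-01-28T08:15:30Z sshd accept src=10.250.1.9 dst=10.200.40.5 dport=22
2016-01-28T08:50:00Z sshd accept src=10.250.1.9 dst=10.200.40.5 dport=22
2016-01-28T09:05:00Z sshd accept src=10.250.1.9 dst=10.200.40.5 dport=22
2016-01-28T09:45:00Z sshd accept src=10.250.1.17 dst=10.200.40.6 dport=22
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime] = None      # None: still up when the log ends


def load_sessions(text: str) -> List[Session]:
    """Pair up/down events per client address into closed (or still-open) sessions."""
    open_by_ip: Dict[str, Session] = {}
    closed: List[Session] = []
    for line in text.splitlines():
        ts_str, _, rest = line.partition(" ")
        kv = dict(KV.findall(rest))
        ts = parse_ts(ts_str)
        ip = kv["client_ip"]
        if kv.get("session") == "up":
            # A second 'up' on an address that still looks open means a 'down' was lost;
            # close the old session at this point rather than letting it own the IP forever.
            if ip in open_by_ip:
                old = open_by_ip.pop(ip)
                old.end = ts
                closed.append(old)
            open_by_ip[ip] = Session(kv["user"], ip, ts)
        elif kv.get("session") == "down":
            s = open_by_ip.pop(ip, None)
            if s is not None:
                s.end = ts
                closed.append(s)
    return closed + list(open_by_ip.values())


def attribute(sessions: List[Session], server_log: str) -> List[dict]:
    """For each access event, name the user whose session owned the source address at that time."""
    rows = []
    for line in server_log.splitlines():
        ts_str, _, rest = line.partition(" ")
        kv = dict(KV.findall(rest))
        ts = parse_ts(ts_str)
        owner = next((s.user for s in sessions
                      if s.ip == kv["src"] and s.start <= ts and (s.end is None or ts < s.end)),
                     None)
        rows.append({"time": ts_str, "src": kv["src"], "dst": f'{kv["dst"]}:{kv["dport"]}',
                     "user": owner or "UNATTRIBUTED"})
    return rows


if __name__ == "__main__":
    for r in attribute(load_sessions(VPN_LOG), SERVER_LOG):
        print(f'{r["time"]} {r["src"]:>12} -> {r["dst"]:<16} {r["user"]}')
```

The 08:50 event is the one to care about: nobody held a session on 10.250.1.9 then, so an accepted login from a pool address with no matching session is either a gap in the VPN log or something that reached the management VLAN without going through the VPN. Either way the join surfaces it as UNATTRIBUTED instead of silently crediting it to the last or next user of that address.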
On Fri, 15 Jan 2016, Ski Kacoroski wrote:
Date: Fri, 15 Jan 2016 14:53:29 -0800
From: Ski Kacoroski <[email protected]>
To: Lopsa Discussion <[email protected]>
Subject: [lopsa-discuss] Network Layout Question
Hi,
I am part of a smallish (16 people) IT group and we are planning to
redo our network layout. Currently we have a very simple layout with
a different class B for each of our 34 sites (e.g. site1 10.191.0.0,
site2 10.172.0.0) with a few subranges defined. This part I have
pretty well figured out based on the network topology and services.
The part I cannot figure out is what is the best practice for our
datacenter. We currently break up subnets by type of machine (linux,
windows, blackbox, etc.). The problem is that anyone on our network
has access to any server which is suboptimal. What I want to do is
limit access to servers and server ports to the groups who need that
access.
I can see two ways to do this with my current set up:
#1: I have an F5 BigIP and could set up vips for each server and then
have everything go through the F5. Pluses are that it would log all
accesses and block all other ports to the server. I would put
the server team client machines onto a separate management network so
they have direct access to the servers. Downside is setting this all
up and maintaining it.
#2: Set up separate networks for each group's client machines (server
team, network team, database team, technology team), set up their
servers on separate vlans, and only allow them access to their
servers. Pluses are once this is set up I only have to make sure the
server is in the correct vlan for the group to have access to it. I
would use the F5 to allow public access to applications running on the
servers. Downside is I have to make sure their client machines are on
the correct vlans.
I am wondering what you have done and what you would do differently if
you had another chance?
Thanks for your time.
cheers,
ski
--
"When we try to pick out anything by itself, we find it
connected to the entire universe" John Muir
Chris "Ski" Kacoroski, [email protected], 206-501-9803
or ski98033 on most IM services
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/