I highly recommend that you place all black boxes into their own (small)
subnet (either one for all of the black boxes, or one for each type, i.e. if you
have anti-spam servers they all go into one subnet) that is considered
untrusted.

I was at a company a few years back and we had an audit which included a
penetration test. The audit rules were pretty strict, with a pass/fail
scenario on a number of areas, one of them being unpatched servers. There
was a lot of resistance due to the fact that some of the vendors didn't
directly play nice, saying that we would have to have some of the black
boxes with no firewall between them and the AD servers, things like that. I
eventually made the call to do it anyway, as I tend to err on the side of
caution. Long story short, a few different types of black boxes failed the
pen test due to things like OpenSSH not being fully updated (even though
ssh was firewalled off from the internet); however, I was able to show
the tester that even if those servers were completely hacked they had no
direct access to anything but each other, which moved it from a fail to a
pass with a note to contact the vendor (we were already up to date; they just
ran 3-6 months behind on updates).

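The following is an added example, not code from anyone in this thread. It models the layout the reply above recommends and that option #2 in the original question sketches: every machine class in its own subnet, an untrusted subnet for the black boxes, a default-deny firewall between subnets, and a short allow-list of ports per group. The subnet ranges, group names and port numbers (Kerberos, LDAP/LDAPS, DNS and NTP from the appliances to AD) are assumptions for illustration, not the poster's real addressing or any vendor's stated requirements. `blast_radius()` is the check the pen tester asked for: what a fully compromised host in a given subnet can still open elsewhere. `to_nftables()` renders the same policy as an nftables forward chain so the model and the firewall cannot drift apart.

```python
"""Added example: model of per-class subnets with a default-deny firewall.
All subnets, groups and ports below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed RFC 1918 subnets. "blackbox" is the untrusted appliance subnet.
SUBNETS = {
    "blackbox":    ipaddress.ip_network("10.200.10.0/27"),
    "ad":          ipaddress.ip_network("10.200.1.0/28"),
    "linux":       ipaddress.ip_network("10.200.20.0/24"),
    "windows":     ipaddress.ip_network("10.200.30.0/24"),
    "server_team": ipaddress.ip_network("10.200.100.0/24"),  # admins' client VLAN
    "users":       ipaddress.ip_network("10.190.0.0/16"),    # everyone else
}


@dataclass(frozen=True)
class Rule:
    src: str          # source subnet name
    dst: str          # destination subnet name
    proto: str        # "tcp" or "udp"
    ports: frozenset  # allowed destination ports


# The allow-list; anything between subnets that is not listed is dropped.
# Ports are assumptions about what an appliance needs from AD.
ALLOW = [
    Rule("blackbox", "ad", "tcp", frozenset({88, 389, 636})),      # Kerberos, LDAP(S)
    Rule("blackbox", "ad", "udp", frozenset({53, 88, 123})),       # DNS, Kerberos, NTP
    Rule("server_team", "linux", "tcp", frozenset({22})),
    Rule("server_team", "windows", "tcp", frozenset({3389, 5985})),
    Rule("server_team", "blackbox", "tcp", frozenset({22, 443})),
    Rule("server_team", "ad", "tcp", frozenset({3389})),
    Rule("users", "windows", "tcp", frozenset({445})),
]


def zone_of(ip: str):
    """Return the subnet name an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide whether a new connection passes the inter-subnet firewall.
    Hosts on the same subnet never traverse the firewall, so that traffic is
    always allowed; this is why the black boxes get a subnet of their own."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(r.src == src and r.dst == dst and r.proto == proto and port in r.ports
               for r in ALLOW)


def blast_radius(zone: str) -> dict:
    """What a fully compromised host in `zone` can open to OTHER subnets,
    as {destination_zone: {(proto, port), ...}}. Its own subnet is omitted
    because it is reachable wholesale anyway."""
    reach = {}
    for r in ALLOW:
        if r.src == zone:
            reach.setdefault(r.dst, set()).update((r.proto, p) for p in r.ports)
    return reach


def to_nftables(rules=ALLOW) -> str:
    """Render the allow-list as an nftables forward chain with policy drop.
    Returns text for review (e.g. `nft -c -f`); nothing is applied here."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        ports = ", ".join(str(p) for p in sorted(r.ports))
        lines.append(f"    ip saddr {SUBNETS[r.src]} ip daddr {SUBNETS[r.dst]} "
                     f"{r.proto} dport {{ {ports} }} accept  # {r.src} -> {r.dst}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # The pen-test situation from the reply: an appliance running a stale sshd.
    print("users -> blackbox ssh:", is_allowed("10.190.3.4", "10.200.10.5", "tcp", 22))
    print("compromised blackbox reaches:", blast_radius("blackbox"))
    print(to_nftables())
```

With this policy a general user cannot reach sshd on an appliance at all, and an attacker who owns an appliance can open only Kerberos, LDAP(S), DNS and NTP towards the AD subnet plus anything on the other appliances; that reachable set is what to show an auditor, and `to_nftables()` is what to load on the router between the VLANs.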
On Fri, Jan 15, 2016 at 3:10 PM, Ski Kacoroski <[email protected]> wrote:

> Ted,
>
> That is an idea we had and then discarded, because of trying to maintain
> all the rules on all the different hosts, and because some of our hosts are
> black boxes that we cannot set rules on.
>
> Thanks for the comment.
>
> cheers,
>
> ski
>
>
> On 01/15/2016 03:01 PM, Ted Cabeen wrote:
>
>> What about treating the network as insecure and putting the rules you
>> need on individual hosts?
>>
>> --Ted
>>
>> On 1/15/2016 2:53 PM, Ski Kacoroski wrote:
>>
>>> Hi,
>>>
>>> I am part of a smallish (16 people) IT group and we are planning to redo
>>> our network layout.  Currently we have a very simple layout with a
>>> different class B for each of our 34 sites (e.g. site1 10.191.0.0, site2
>>> 10.172.0.0) with a few subranges defined.  This part I have pretty well
>>> figured out based on the network topology and services.
>>>
>>> The part I cannot figure out is what is the best practice for our
>>> datacenter.  We currently break up subnets by type of machine (linux,
>>> windows, blackbox, etc.).  The problem is that anyone on our network has
>>> access to any server which is suboptimal.  What I want to do is limit
>>> access to servers and server ports to the groups who need that access.
>>>
>>> I can see two ways to do this with my current set up:
>>>
>>> #1: I have an F5 BigIP and could set up vips for each server and then
>>> have everything go through the F5.  Pluses are that it would log all
>>> accesses and block all other ports to the server.  I would put the
>>> server team client machines onto a separate management network so they
>>> have direct access to the servers.  Downside is setting this all up and
>>> maintaining it.
>>>
>>> #2: Set up separate networks for each group's client machines (server
>>> team, network team, database team, technology team), set up their servers
>>> on separate vlans, and only allow them access to their servers.  Pluses
>>> are once this is set up I only have to make sure the server is in the
>>> correct vlan for the group to have access to it.  I would use the F5 to
>>> allow public access to applications running on the servers.  Downside is
>>> I have to make sure their client machines are on the correct vlans.
>>>
>>> I am wondering what you have done and what you would do differently if
>>> you had another chance?
>>>
>>> Thanks for your time.
>>>
>>> cheers,
>>>
>>> ski
>>>
>>>
> --
> "When we try to pick out anything by itself, we find it
>   connected to the entire universe"            John Muir
>
> Chris "Ski" Kacoroski, [email protected], 206-501-9803
> or ski98033 on most IM services
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
>