Fog Creek Software
Discussion Board
Any net admins? or InterVLAN routing for security

I have a radical idea about really securing a network with as many rogue desktops as a university.  How about putting every Ethernet switch port on a separate VLAN and implementing hyper-restrictive firewall rules between all the VLANs?  Hence worms couldn't easily spread between users' computers.  When I say hyper-restrictive I mean something like only allowing outbound HTTP connections.

The only two reasons that I can think of why this wouldn't work are:

1) Run out of network address space.  There aren't that many 192.168.0.0/24 and 10.1.0.0/24 networks.

2) This would require some pretty serious switches, starting at least at the Cisco Catalyst 2400 level.

christopher baus
Friday, August 22, 2003

"1) Run out of network address space.  There aren't that many 192.168.0.0/24 and 10.1.0.0/24 networks."

That's not really a problem...  10.0.0.0 is a reserved class A address (10/8); you can subnet a lot of networks out of that.

It seems to me that such a configuration is awfully complicated.  Those running personal firewall software on Windows were just as protected from the recent worm attacks as those with physical firewalls.  It seems you could create an ultra-secure network by installing firewall software on all the desktops and configuring them just as restrictively.  This, of course, would be in addition to having firewalls protecting the network from the outside.

Thoughts?

Almost Anonymous
Friday, August 22, 2003
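Added example for the per-port VLAN scheme in the opening post and the 10/8 subnetting point in the reply above; this is not code from either poster. It assumes (my choices, not theirs) a Linux box running iptables as the inter-VLAN firewall, one sub-interface named vlan<N> per VLAN, a /30 per switch port, and outbound TCP/80 as the only permitted client traffic. It carves the subnets out of 10.0.0.0/8, renders the rule set, and evaluates the same policy in Python so you can see that a connection from one desktop to its neighbour is refused while a web request out is allowed.

```python
"""Added example, not code from the thread: carve one small subnet per
switch port out of 10.0.0.0/8 and emit a restrictive inter-VLAN rule set.

Assumptions (mine, not any poster's): the box between the VLANs is Linux
running iptables, each VLAN shows up as a sub-interface named vlan<N>,
and the only client traffic allowed is outbound TCP/80. Interface names,
VLAN ids and the /30 size are illustrative choices."""

import ipaddress

CAMPUS = ipaddress.ip_network("10.0.0.0/8")   # the RFC 1918 "class A" block
PORT_PREFIX = 30   # /30 per port: network, gateway, one client, broadcast


def subnet_capacity(block=CAMPUS, prefix=PORT_PREFIX):
    """Number of /prefix subnets that fit in block (the address-space worry)."""
    return 2 ** (prefix - block.prefixlen)


def allocate_ports(n_ports, block=CAMPUS, prefix=PORT_PREFIX, first_vlan=100):
    """Give each switch port its own VLAN id and /prefix subnet, in order."""
    subnets = block.subnets(new_prefix=prefix)
    plan = []
    for i in range(n_ports):
        net = next(subnets)
        hosts = list(net.hosts())      # the two usable addresses of a /30
        plan.append({
            "port": i + 1,
            "vlan": first_vlan + i,
            "subnet": str(net),
            "gateway": str(hosts[0]),  # the firewall's address on this VLAN
            "client": str(hosts[1]),   # the single desktop behind this port
        })
    return plan


def iptables_rules(plan, uplink="eth0"):
    """Render a FORWARD chain: each client may open TCP/80 via the uplink, nothing else.

    Traffic between two VLANs never matches an ACCEPT line, so it falls
    through to the DROP policy; that is what keeps a worm on one port
    from reaching the desktop on the next one."""
    rules = [
        "-P FORWARD DROP",
        "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for entry in plan:
        rules.append(
            f"-A FORWARD -i vlan{entry['vlan']} -o {uplink} -s {entry['client']} "
            f"-p tcp --dport 80 -m state --state NEW -j ACCEPT"
        )
    return rules


def permitted(plan, src, dst, proto="tcp", dport=None):
    """Evaluate the same policy for a NEW connection without iptables.

    True only for a known client address opening TCP/80 to something
    outside the campus block; anything VLAN-to-VLAN is refused."""
    clients = {e["client"] for e in plan}
    return (src in clients
            and ipaddress.ip_address(dst) not in CAMPUS
            and proto == "tcp"
            and dport == 80)


if __name__ == "__main__":
    plan = allocate_ports(48)   # one 48-port access switch
    print(f"{subnet_capacity():,} /30 subnets available in {CAMPUS}")
    for line in iptables_rules(plan[:2]):
        print("iptables", line)
    print(permitted(plan, plan[0]["client"], "203.0.113.5", "tcp", 80))       # True
    print(permitted(plan, plan[0]["client"], plan[1]["client"], "tcp", 445))  # False
```

A /30 per port is the smallest classic subnet that still leaves a gateway and a client address, and 10/8 holds 4,194,304 of them, so address space is not the limiting factor even for a large campus; the ESTABLISHED,RELATED line is what lets the HTTP replies back in without opening anything inbound.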

My thought was to keep the security on the network, where it can be handled by the admins.

I think using host-based client security is asking for trouble eventually, and leads to patch, patch, patch hell.

Plus these are clients.  Make them behave like clients, not servers.

With a security setup like this, you could pretty much attach an NT 4 default installation to the network and not really worry about it.

Once the switch config is in place it shouldn't be too hard to implement.  Cisco really needs better tools for managing large numbers of VLANs.  Software startup idea? ; )

christopher baus
Friday, August 22, 2003

It would probably task the switch to the max as well, but I can see the headlines now:

"Economy saved by massive internet work breakout!"

Cisco could sure move a lot of Cats if a big company went for a config like this.

christopher baus
Friday, August 22, 2003

Err, make that worm breakout.

christopher baus
Friday, August 22, 2003

You can get close by configuring the switch to filter traffic based on MAC addresses.  Hard-wire the router's MAC to the right switch port, and only allow traffic from that MAC to go out to any other switch port.  Put IP access controls on the router, and you're done.

Matt
Friday, August 22, 2003

You shouldn't restrict to just outbound HTTP connections, especially at a university.  However, just allowing outbound traffic might be suitable.

SG
Friday, August 22, 2003

I was wondering if this could be done at Layer 2.  I've only done filtering at the IP level.  At Layer 2 you could put in filtering rules for machines on the same subnet.  I've never done this before, and I don't think it's very common.

By the way I am not a net admin for a university (I only admin our hosting centers part-time). But it seems like an interesting problem.

christopher baus
Friday, August 22, 2003
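Added example for the Layer-2 filter Matt describes and the follow-up question about filtering below the IP level; this is not code from either poster. It models a switch whose only "talkative" port is the one the router's MAC is hard-wired to: frames from a desktop port may reach the router port and nothing else, frames from the router port are switched normally, and a frame carrying the router's MAC that arrives on any other port is dropped. The port count, MAC addresses and CAM-table contents are constructed for the example (my assumptions).

```python
"""Added example, not code from the thread: a toy model of the Layer-2
filter Matt describes. Only the router's pinned port is allowed to talk
to every other port; a frame between two desktop ports is dropped, and a
frame that claims the router's MAC on any other port is dropped too.

Assumptions (mine): a 24-port switch, the MAC addresses and the CAM-table
contents below are all constructed for the example."""

from dataclasses import dataclass

PORTS = range(1, 25)                # a 24-port access switch (constructed)
ROUTER_PORT = 1                     # the port the router's MAC is hard-wired to
ROUTER_MAC = "00:00:0c:07:ac:01"    # constructed value
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    ingress_port: int
    src_mac: str
    dst_mac: str


def learn(cam, frame):
    """Normal source-MAC learning, except the router's MAC never moves."""
    if frame.src_mac == ROUTER_MAC:
        cam[ROUTER_MAC] = ROUTER_PORT
    else:
        cam[frame.src_mac] = frame.ingress_port
    return cam


def forward_decision(frame, cam):
    """Egress ports for frame under the filter, or [] when it is dropped."""
    # 1. The router's MAC is pinned: from any other port it is not honoured.
    if frame.src_mac == ROUTER_MAC and frame.ingress_port != ROUTER_PORT:
        return []
    # 2. Ordinary switching: known unicast goes to one port, else flood.
    if frame.dst_mac == BROADCAST or frame.dst_mac not in cam:
        egress = [p for p in PORTS if p != frame.ingress_port]
    else:
        egress = [cam[frame.dst_mac]]
    # 3. The filter: frames not from the router port may reach only the
    #    router port, so desktops still get ARP/DHCP/IP through the
    #    gateway but never see each other.
    if frame.ingress_port != ROUTER_PORT:
        egress = [p for p in egress if p == ROUTER_PORT]
    return egress


def sample_cam():
    """Constructed CAM table: the router plus two desktops on ports 5 and 6."""
    cam = {}
    for f in (Frame(ROUTER_PORT, ROUTER_MAC, BROADCAST),
              Frame(5, "00:11:22:33:44:05", BROADCAST),
              Frame(6, "00:11:22:33:44:06", BROADCAST)):
        learn(cam, f)
    return cam


if __name__ == "__main__":
    cam = sample_cam()
    cases = {
        "desktop 5 -> gateway": Frame(5, "00:11:22:33:44:05", ROUTER_MAC),
        "desktop 5 -> desktop 6 (worm)": Frame(5, "00:11:22:33:44:05", "00:11:22:33:44:06"),
        "desktop 5 ARP broadcast": Frame(5, "00:11:22:33:44:05", BROADCAST),
        "gateway -> desktop 6": Frame(ROUTER_PORT, ROUTER_MAC, "00:11:22:33:44:06"),
        "router MAC from port 7": Frame(7, ROUTER_MAC, "00:11:22:33:44:06"),
    }
    for name, frame in cases.items():
        print(f"{name}: {forward_decision(frame, cam)}")
```

The effect is the same isolation the VLAN-per-port scheme buys, but with all hosts left in one subnet: a desktop's broadcast still reaches the gateway (so ARP and DHCP work), a unicast frame to the desktop next door goes nowhere, and the router-side IP ACLs then decide what leaves the building.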
