Educause Security Discussion mailing list archives

Re: Private Vlans


From: "Everett, Alex D" <alex.everett () UNC EDU>
Date: Thu, 28 Jul 2011 17:30:38 +0000

Dennis:

Can you clarify what you mean when you say that it cannot communicate with other machines on the segment?
What would you use the vlan for? Administration or as their only interface for some service?

We use RFC1918 space in different situations.
However, often we route those subnets throughout our infrastructure.
And, any machine on that VLAN can communicate directly to any other in that VLAN in general.
For systems behind our firewalls, we strongly suggest they don't choose RFC1918 space.
We basically state that we will not support NAT, and that if they choose private address space they have to live with it.
There is also a much smaller segment of devices for which there is no gateway for the private subnet, and they can only communicate with each other.
Generally this is created due to specific needs and security controls.

Sincerely,

Alex Everett, CISSP, CCNA
University of North Carolina
919.445.9393

On Jul 28, 2011, at 1:01 PM, Dennis Bohn wrote:

We are in a position to make a few changes on our network, and are kicking around the idea of private VLANs on our server segments.  Our thoughts so far are:

Advantages:
Prevent a compromised machine from nmapping the segment.
Make it harder (but not impossible) for the compromised machine to communicate with other machines on the segment.
The idea of servers being isolated, and only able to communicate with the gateway is attractive.

Disadvantages:
Time/energy to configure
Time/energy to maintain: no matter how much the server admin swears that server A will never ever ever need to communicate with server B, .... that day will come!  It seems like the permutations of necessary server-to-server communication could be prohibitive.

Has anyone tried this and are there any lessons learned that you would like to share?

TIA,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

Sincerely,

Alex Everett, CISSP, CCNA
Information Security Office
University of North Carolina at Chapel Hill
919.445.9393
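As an added illustration (not part of either message above), here is a Cisco IOS private-VLAN configuration of the kind Dennis describes: server ports sit in an isolated secondary VLAN and can reach only the promiscuous port toward the gateway, while a community secondary VLAN covers the "server A must talk to server B" pairs that turn up later, without opening up the whole segment. VLAN numbers, interface names and the 10.0.100.0/24 subnet are assumptions. The ACL at the end covers a caveat a practitioner should know: private-VLAN isolation is Layer 2 only, so a host can still reach an isolated neighbor by addressing the frame to the gateway's MAC address and letting the router forward it back into the same subnet; the ACL on the SVI drops that routed intra-subnet traffic.

```cisco
! --- Primary VLAN carries the subnet; the secondaries hang off it ---
vlan 100
 name SERVERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
vlan 101
 name SERVERS-ISOLATED
 private-vlan isolated
vlan 102
 name SERVERS-COMMUNITY-APP
 private-vlan community
!
! --- Isolated host ports: may talk to promiscuous port(s) only ---
! (assumed interface numbering)
interface range GigabitEthernet1/0/1 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! --- Community ports: the server A / server B pair that really does need
!     to talk; they reach each other and the gateway, nothing else ---
interface range GigabitEthernet1/0/21 - 22
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! --- Promiscuous port toward an external gateway/firewall: sees all secondaries ---
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! --- If the switch itself is the gateway, map the secondaries to the SVI ---
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 private-vlan mapping 101,102
 ip access-group PVLAN-NO-HAIRPIN in
!
! --- Layer-3 caveat: isolation is Layer 2 only. A host that sends a packet for
!     10.0.100.x to the gateway's MAC would have it routed straight back into
!     the subnet, bypassing the PVLAN. Drop intra-subnet traffic that arrives
!     at the router interface. ---
ip access-list extended PVLAN-NO-HAIRPIN
 deny   ip 10.0.100.0 0.0.0.255 10.0.100.0 0.0.0.255
 permit ip any any
```

`show vlan private-vlan` and `show interfaces GigabitEthernet1/0/1 switchport` confirm the associations took effect. If the gateway is a separate router or firewall rather than the SVI, apply the equivalent "deny same-subnet to same-subnet" rule on that device's inside interface instead; without it the isolation only stops direct Layer 2 scanning and traffic, not traffic that hairpins through the gateway.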

