Secure network within insecure setup

Discussion in 'Networking, Telephony & Internet' started by seamer, Dec 11, 2012.

  1. seamer

    seamer Member

    Joined:
    Aug 19, 2001
    Messages:
    1,825
    Location:
    san jose, california
    Hi,

    I'm not an idiot, but I am a little confused. It could also be translation errors, as they're not native English speakers, but let me try to write down what I've been told.

    We have a dedicated firewall/network server (CentOS-based) running the network. Lax rules, no restrictions on devices that people add to it (like personal routers/hubs), as long as it doesn't impact the service for anyone else in the office.

    HQ has sent down a ruling that we have to create a new secure network within the office so we can transfer some high-level services to our branch. The IT guys have assured me that we are not adding new cabling, and are just adding a new switch. That, and some "basic edits" will somehow create a new secure network. The new network will only have internal access, with no access to the real world and vice versa. Allocated machines will be able to access it, but then they will function normally as they're just workstations. All of this will be done without having to swap and plug any other cables in as the situation requires.

    I don't get it. It sounds like they are adding a new subnet with some highly-tuned iptables rules, but it's all sharing insecure hardware anyway. It'd all be IPv4, too, and no IPv6.

    What could I be missing?
     
  2. Rass

    Rass Member

    Joined:
    Jun 27, 2001
    Messages:
    3,128
    Location:
    Brizbekistan
    Probably using VLANs to segregate traffic on the switches.

    Also need something to stop unauthorised devices from being added to that VLAN as well.
     
  3. itsmydamnation

    itsmydamnation Member

    Joined:
    Apr 30, 2003
    Messages:
    10,696
    Location:
    Canberra
    If they add a new switch I'm guessing they are going to run another interface off the CentOS box. Connect the new switch to the CentOS box and use iptables to enforce policy.

    They will use the existing cable runs and patching and connect it into the new switch. I recommend changing the colour of the patch cables used for the secure "LAN" so they can easily be identified.

    In a fed government kind of space this wouldn't pass muster, but in the real world this style of setup is pretty common. The issue that normally arises is that the secure LAN at some stage will need some kind of internet connection (patching, firewall updates, connecting to banks/etc.). If the end services are using any GTM-like services (Akamai etc.) then your iptables-based firewalling is boned and you will need a firewall device that can do URL/URI inspection.
     
    Last edited: Dec 11, 2012
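The setup the last two replies describe (a second interface on the CentOS firewall, or a VLAN, with iptables enforcing who may reach the secure LAN, and the secure LAN never reaching the internet) as an added example; this is not code from anyone in the thread, and the interface names, subnets, workstation addresses and ports are constructed for illustration. It emits an iptables-restore ruleset for the FORWARD chain and includes a check that no ACCEPT rule joins the secure LAN to the WAN, which is the property HQ is actually asking for:

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses are assumed.
WAN_IF="eth0"            # internet side of the CentOS firewall
OFFICE_IF="eth1"         # existing lax office LAN, 192.168.1.0/24
SECURE_IF="eth2"         # new interface to the new switch (or a VLAN sub-interface such as eth1.20)
SECURE_NET="10.10.0.0/24"
# Only these office workstations may open connections into the secure LAN, only on these TCP ports.
ALLOWED_HOSTS="192.168.1.20 192.168.1.21"
ALLOWED_PORTS="443,3389"

# Print the filter table in iptables-restore format.
# INPUT/OUTPUT (traffic to and from the firewall box itself) are left ACCEPT here;
# the thread is about forwarding policy between the three networks.
gen_ruleset() {
    echo "*filter"
    echo ":INPUT ACCEPT [0:0]"
    echo ":FORWARD DROP [0:0]"          # default deny: anything not listed below is dropped
    echo ":OUTPUT ACCEPT [0:0]"
    # Return traffic for connections that were allowed to start; broken state is dropped.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
    # The secure LAN and the internet never see each other, in either direction.
    echo "-A FORWARD -i $SECURE_IF -o $WAN_IF -j DROP"
    echo "-A FORWARD -i $WAN_IF -o $SECURE_IF -j DROP"
    # The secure LAN never initiates connections into the office LAN.
    echo "-A FORWARD -i $SECURE_IF -o $OFFICE_IF -j DROP"
    # Named workstations may reach the secure LAN on the listed ports; nothing else may.
    for h in $ALLOWED_HOSTS; do
        echo "-A FORWARD -i $OFFICE_IF -o $SECURE_IF -s $h -d $SECURE_NET -p tcp -m multiport --dports $ALLOWED_PORTS -j ACCEPT"
    done
    # Log (rate limited) and drop every other attempt to enter the secure LAN.
    echo "-A FORWARD -o $SECURE_IF -m limit --limit 5/min -j LOG --log-prefix \"SECURE-LAN DROP: \""
    echo "-A FORWARD -o $SECURE_IF -j DROP"
    # The office LAN keeps its existing internet access.
    echo "-A FORWARD -i $OFFICE_IF -o $WAN_IF -j ACCEPT"
    echo "COMMIT"
}

# Policy check: returns 0 when no ACCEPT rule carries traffic between the secure
# LAN and the WAN in either direction, 1 otherwise. Run it before applying.
check_no_wan_path() {
    if gen_ruleset | grep -qE -- "-i $SECURE_IF -o $WAN_IF .*-j ACCEPT|-i $WAN_IF -o $SECURE_IF .*-j ACCEPT"; then
        return 1
    fi
    return 0
}

# Number of rules that admit new connections into the secure LAN; should equal the
# number of allowed workstations, so an extra ACCEPT stands out.
count_secure_accepts() {
    gen_ruleset | grep -c -- "-o $SECURE_IF .*-j ACCEPT"
}

# Usage (as root, after checking): sh secure-lan.sh | iptables-restore
gen_ruleset
```

A VLAN instead of a physical interface changes nothing in the rules except `SECURE_IF`. The ruleset only controls what the firewall forwards; an unauthorised device plugged straight into the secure switch talks to the other secure hosts without ever crossing it, which is the gap Rass points at and which has to be closed on the switch (port security or 802.1X). When the secure LAN later needs patching or a bank connection, that path becomes an explicit ACCEPT to a specific destination here, and `check_no_wan_path` would then flag it; that is the moment the last reply's point about CDN-hosted services and URL inspection applies.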
