[179712] in North American Network Operators' Group


Re: Network Segmentation Approaches

daemon@ATHENA.MIT.EDU (Stephen Satchell)
Tue May 5 08:56:29 2015

X-Original-To: nanog@nanog.org
Date: Tue, 05 May 2015 05:53:24 -0700
From: Stephen Satchell <list@satchell.net>
To: nanog@nanog.org
In-Reply-To: <20150505025540.GA19516@bludgeon.org>
Errors-To: nanog-bounces@nanog.org

On 05/04/2015 07:55 PM, nanog1@roadrunner.com wrote:
> Possibly a bit off-topic, but curious how all of you out there segment
> your networks.  Corporate/business users, dependent services, etc. from
> critical data and/or processes with remote locations thrown in the mix
> which could be mini-versions of your primary network.

Add "management zone" or "infrastructure zone":

Consider setting up a separate zone or zones (via VLAN) for devices with 
embedded TCP/IP stacks.  I have worked in several shops using switched 
power units from APC, SynAccess, and TrippLite, and find that the TCP/IP 
stacks in those units are a bit fragile when confronted with a lot of 
traffic, even when the traffic is not addressed to the embedded devices.

Separately, an ISP discovered that a consumer-grade NAS has the same 
problem.

These should be on a separate subnet anyway, with unfettered access from 
the outside disallowed at the edge.  To access the infrastructure 
equipment, you would use VPN to bypass your edge router access lists. 
If you have a lot of inside equipment not under your direct control, 
consider locking them out of the infrastructure subnet, too.

Needless to say, watch the load you direct at these embedded devices.
My current day job installed SolarWinds to monitor everything.  The
probes from the software knocked out the SNMP access to all too many of 
the PDU devices on the network.
