[fw-wiz] need opinion of security experts on network design - Firewalls
[fw-wiz] need opinion of security experts on network design
Hi All,
I've been asked to give an opinion on a network design in which the
designer did the following to a network on multiple buildings of
multiple floors:
1-each floor is a separate VLAN
2-all switches in the floors are layer 3 switches (no layer 2 switches at all)
3-no VLAN spans multiple switches,
4-each of the floors' switches are connected via point-to-point
interconnecting VLAN to a core switch
5-No spanning tree at all in the network as each switch is a different
unique VLAN
6-All VLANs routing are done via OSPF protocol
so I have about 50 VLANs with about 50 interconnecting VLANs
Can anyone give me his opinion, from a security point of view, on that design?
thank you very much
regards,
Nad
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
-
Re: [fw-wiz] need opinion of security experts on network design
> Behalf Of shadow floating
>
> Hi All,
> I've been asked to give an opinion on a network design in which the
> designer did the following to a network on multiple buildings of
> multiple floors:
> 1-each floor is a separate VLAN
> 2-all switches in the floors are layer 3 switches (no layer 2
> switches at all)
> 3-no VLAN spans multiple switches,
> 4-each of the floors' switches are connected via point-to-point
> interconnecting VLAN to a core switch
> 5-No spanning tree at all in the network as each switch is a different
> unique VLAN
> 6-All VLANs routing are done via OSPF protocol
> so I have about 50 VLANs with about 50 interconnecting VLANs
>
> Can anyone give me his opinion, from a security point of view,
> on that design?
You need to start by defining your requirements. If you just want to
keep users from sniffing passwords, that's overkill (any switch will do
that). If you want to prevent any intercommunication between users on
different floors, then you need to define a firewall somewhere.
Define your requirements, then build to it. I'll say that what you have
defined is very flexible so it can probably work as a base for any
security requirements, and your biggest concern will probably be
avoiding management complexity.
Thanks,
Josh
-
Re: [fw-wiz] need opinion of security experts on network design
On Jun 15, 2008, at 5:57 AM, shadow floating wrote:
> Hi All,
> I've been asked to give an opinion on a network design in which the
> designer did the following to a network on multiple buildings of
> multiple floors:
> 1-each floor is a separate VLAN
> 2-all switches in the floors are layer 3 switches (no layer 2
> switches at all)
> 3-no VLAN spans multiple switches,
> 4-each of the floors' switches are connected via point-to-point
> interconnecting VLAN to a core switch
> 5-No spanning tree at all in the network as each switch is a different
> unique VLAN
> 6-All VLANs routing are done via OSPF protocol
> so I have about 50 VLANs with about 50 interconnecting VLANs
>
> Can anyone give me his opinion, from a security point of view, on that
> design?
>
> thank you very much
>
> regards,
> Nad
Nad,
While this design provides vast segregation and simplifies Edge adds/
moves/changes from a security perspective, it provides unnecessary
complexity at the Core, making it harder to enforce security policies
and leaves the door open for vulnerabilities from misconfiguration.
Each network is unique to meet the requirements of one or many
organizations. However, as a network and security professional, I
have a number of general concerns with this design:
1) "Each floor is a separate VLAN" & "no VLAN spans multiple switches"
How large are the floors in question? Where are the communication
closets laid out? Having a 90m distance limitation in the horizontal
run from the closet may cause cabling issues, and introduce additional
closets/switches/VLANs on a given floor, unless the "no VLAN spans
multiple switches" rule is broken, and this would also affect the "no
spanning tree" rule. I can picture half a dozen situations where adds/
moves/changes clash against the design.
2) "Each of the floors' switches are connected via point-to-point
interconnecting VLAN to a core switch"
This is one of the areas I see potential for misconfiguration.
What is being done to address redundancy? Sectioning off each switch
as its own VLAN straight to the core creates unnecessary traffic, and
can be an excellent point of attack for network snooping or denial of
service. The omission of a distribution layer can increase overhead
and latency, and reduce network survivability.
Not to mention, since this is over multiple floors and buildings,
traffic has to span greater distances to get to the Core, which
increases latency, and requires a vast amount of backbone
interconnects, since the distances in question would not be suitable
for copper. It would require over 50 connections to the Core over
fiber (assuming single links, no redundancy), since copper is well out
of the question. Labor for installation, termination, and testing of
the fiber optic cabling, GBICs and fiber jumpers for connecting the
hardware, and maintenance/repair of the optical circuits is many times
more expensive than a traditional Core-Distribution-Edge approach.
What advantage does this design provide? Little to none, in my opinion.
3) How are occupants of the building laid out? Is each floor a unique
organization? Is it a department? Are all the individuals that need
access to the Accounting/Financial servers in the same work area, and
thus on the same switch/VLAN? If not, how will your access controls
to your financial database, for example, take place? This would
require a long list of firewall rules to regulate access from diverse
points on the network, and would be hard to maintain, susceptible to
misconfiguration, and generally a security risk that could be avoided.
I would take the time to generate a list of requirements, before
approaching a design. Some factors to consider include:
* Who is accessing the network, and from where? (layout of the
organization(s))
* What do clients need access to? Can these functions be grouped?
* What boundaries should exist between clients and servers, clients
and the Internet, clients and other clients, etc?
* What level of service does the network need to provide? (things will
break! what is acceptable, what isn't)
Your requirements should be derived from business and regulatory
factors. Then, draft a physical design to meet your requirements.
Cheers,
Andrew
-
Re: [fw-wiz] need opinion of security experts on network design
Hello,
> 1-each floor is a separate VLAN
If you can guarantee that each floor will stay a separate collision
domain, then I would use separate LANs, i.e. Layer 2 switches for
the floors.
> 2-all switches in the floors are layer 3 switches (no layer 2 switches at all)
Why? Nothing in your architecture requires this.
> 3-no VLAN spans multiple switches,
Especially because of 1 and 3.
> 4-each of the floors' switches are connected via point-to-point
> interconnecting VLAN to a core switch
Now, for the core switch I would use a pair of layer 3 switches, statically
assign a VLAN for each floor to an _access_ port on each of them,
and connect each floor switch via two uplink ports to each of the core
switches.
The core switches can do the routing statically, since you only
ever configure layer 3 information on two devices. They can
provide redundancy to the access/distribution layer (floor switches
and hosts) via HSRP (in a Cisco world) or some similar means for
layer 3 and spanning tree for the layer 2 connections.
> 5-No spanning tree at all in the network as each switch is a different
> unique VLAN
No spanning tree => no redundancy on layer 2 unless I missed something.
> 6-All VLANs routing are done via OSPF protocol
> so I have about 50 VLANs with about 50 interconnecting VLANs
>
> Can anyone give me his opinion, from a security point of view, on that design?
Security = C * 1 / Complexity
Your design looks overly complex for the architecture requirements
sketched in 1 - 4.
Kind regards,
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de http://www.punkt.de
Managing Director: Jürgen Egeling, AG Mannheim 108285
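The redundancy and complexity arguments made by Andrew (point 2) and Patrick (points 4 and 5) can be checked mechanically: model each topology as a graph and count the links whose loss partitions the network. This is an added Python example, not code from the thread; the device names, the floor count, and the choice of bridge-counting as the survivability metric are my assumptions.

```python
"""Added example (not from the thread): model the proposed topology and
Patrick's core-pair alternative, then count single points of failure.
Device names and the floor count are constructed."""
from collections import defaultdict

def link(g, a, b):
    g[a].add(b)
    g[b].add(a)

def proposed_design(floors):
    """Original post: one core, each floor L3 switch on its own routed link."""
    g = defaultdict(set)
    for f in range(floors):
        link(g, "core", f"floor{f}")
    # every floor switch routes: layer 3 config lives on floors + 1 devices
    return g, {"core"} | {f"floor{f}" for f in range(floors)}

def core_pair_design(floors):
    """Patrick's suggestion: two L3 cores, L2 floor switches uplinked to both."""
    g = defaultdict(set)
    link(g, "core1", "core2")
    for f in range(floors):
        link(g, "core1", f"floor{f}")
        link(g, "core2", f"floor{f}")
    return g, {"core1", "core2"}

def bridges(g):
    """Tarjan bridge search: a bridge is a link whose loss partitions the net."""
    disc, low, found, clock = {}, {}, [], [0]
    def dfs(u, parent):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        for v in g[u]:
            if v == parent:
                continue
            if v in disc:                   # back edge: a cycle protects this link
                low[u] = min(low[u], disc[v])
            else:
                dfs(v, u)
                low[u] = min(low[u], low[v])
                if low[v] > disc[u]:        # nothing below v reaches above u
                    found.append(tuple(sorted((u, v))))
    for node in list(g):
        if node not in disc:
            dfs(node, None)
    return sorted(found)

def summarise(name, g, l3_devices):
    return {"design": name,
            "links": sum(len(n) for n in g.values()) // 2,
            "layer3_devices": len(l3_devices),
            "single_points_of_failure": len(bridges(g))}
```

For 50 floors the proposed design reports 51 devices carrying layer 3 configuration and 50 single points of failure (every uplink), while the core pair reports 2 and 0, which is the "complexity" and "no redundancy" argument in numbers.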
-
Re: [fw-wiz] need opinion of security experts on network design
Hello,
Sorry for answering myself, but this needs to be corrected:
On Wed, Jun 25, 2008 at 06:49:17PM +0200, Patrick M. Hausen wrote:
> If you can guarantee that each floor will stay a separate collision
> domain, then I would use separate LANs, i.e. Layer 2 switches for
> the floors.
^collision^broadcast
Kind regards,
Patrick M. Hausen