[c-nsp] Trunked connections from a provider

Oliver Dewdney oliver.dewdney at lbicon.co.uk
Wed Dec 13 04:15:18 EST 2006


VLANs are good enough for the NSA:

Quoting a bit out of context from
http://www.nsa.gov/snac/os/switch-guide-version1_01.pdf

"Separation of networks that do not interact makes good sense as well as
being good security practice. Physically separate networks for Voice and
Data are the most secure, but they can be impractical for all but the most
demanding security environments"

"Logical separation through the use of VLANs stands out as the best solution
in order to balance capability and security within shared network
resources."

Oli Dewdney


-----Original Message-----
From: Aaron Daniels - Lists [mailto:lists at daniels.id.au]
Sent: 13 December 2006 08:58
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Trunked connections from a provider


Hi All,
Our organisation is migrating several separate physical network connections
(Internet + multiple private WANs) into one single physical network
connection to our provider. This will be delivered over Ethernet, with each
separate connection in a dot1q trunk, and we will break it out on our
router.

My previous experience is in the telco world and this is how we deployed
multiple VRFs to any customer.

I know that the Security team will scream that it is insecure - carrying
corporate and Internet data on the same physical connection. Security will
insist that the provider deliver us 2 separate connections which we will
need to patch into separate hardware.

My questions are:
1. Am I off base here, does security have a point?
2. Does anyone know of any documentation that I can point management to that
demonstrates this as best practice?

Thanks,
Aaron
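
The hand-off described in the original post (one dot1q trunk from the provider, broken out on the router, one VRF per service), sketched as router configuration. This is an added example, not part of either message; it assumes Cisco IOS with VRF-lite, and the interface name, VLAN IDs, VRF names, route distinguishers and addresses are all placeholders.

```cisco
! Constructed example: every name, VLAN ID, RD and address is a placeholder.
! One VRF (separate routing table) per service carried on the trunk.
ip vrf INTERNET
 rd 65000:10
!
ip vrf WAN-A
 rd 65000:20
!
ip vrf WAN-B
 rd 65000:30
!
! Physical hand-off from the provider. No IP address here and no
! native-VLAN sub-interface, so untagged frames have no routed interface.
interface GigabitEthernet0/1
 description Provider trunk (Internet + private WANs)
 no ip address
 no cdp enable
!
! "ip vrf forwarding" must come before "ip address": applying it
! removes any address already configured on the interface.
interface GigabitEthernet0/1.10
 description Internet
 encapsulation dot1Q 10
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1.20
 description Private WAN A
 encapsulation dot1Q 20
 ip vrf forwarding WAN-A
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1.30
 description Private WAN B
 encapsulation dot1Q 30
 ip vrf forwarding WAN-B
 ip address 203.0.113.2 255.255.255.252
!
! Routes are installed per VRF. Nothing is shared between the tables
! unless route leaking is configured explicitly.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf WAN-A 10.20.0.0 255.255.0.0 198.51.100.1
ip route vrf WAN-B 10.30.0.0 255.255.0.0 203.0.113.1
```

With this layout the separation on the router is logical rather than physical: `show ip route vrf INTERNET` and `show ip route vrf WAN-A` list independent tables, and a review can confirm that no sub-interface sits in the global table.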
