[ednog] FW: CSG policy discussion on Network Security

Mark Poepping poepping at cmu.edu
Mon Jan 2 18:09:38 EST 2006

Folks, I'm participating on a panel discussion later this week and I was
hoping to get a few opinions from this collective expertise regarding your
approaches to subnetting - whether for security reasons or just because you
think it's a good idea.

A few facts:
 . It's just a one-hour session, and the group is pretty small (about 50)
with a mix of CIO's and senior technical folk who are all pretty familiar
with each other.  All are technically capable and interested in architecture
aspects and trade-offs, but gory details will be out of scope.
 . There were a few notes on this in the netguru report that wsa posted a
few weeks ago, but I was hoping to get some sample info on how people are
handling the 'need' for a variety of security policies for individual or
groups of machines.

A few questions (please be encouraged to augment/improve/recast the issue)..
 . presuming you have more than one subnet on your campus, what are the
reasons you want to (or are called upon to) subnet?
    1) limiting the size of broadcast domains
    2) out of addresses, and had to get creative with rfc1918 addresses
    3) stuff' appearing on the net, that somebody wants to separate
	- e.g. VoIP, firewall requests, physical plant devices (locks,
		cameras, various monitors and controllers)
    4) others?

 . presuming that you do employ subnetting for some or all of these needs,
can you say (just a little) more about how you chose to do it?
    1) Do we choose geographic or organizational network topology?
 	 i.e. are subnets allocated to make it easy support from a
	 physical access/location sense (geographic) or to make it easier
	 to implement differential policies or co-locate dispersed
	 workgroups regardless of physical location (organizational)?
    2) Is there a need for more than one class of service (within a given
	 subnet)?  e.g. one for "open" access, one for "closed"/firewalled
	 access, one with NAC, one without, one for quarantine traffic, etc.
    3) If there is a need for multiple service classes, which implies
	 segregation of traffic, is that segregation best achieved at:
	   L1 - sep fiber/copper
	   L2 - VLANs
	   L2.5 - MPLS
	   L3 - IPSEC etc
	   some hybrid?

What can you say about these issues?  I'm happy if you want to follow up to
the list, but I also plan to summarize and post responses.

Thanks for your thoughtful opinions...


Mark Poepping
Head IT Architect; Computing Services; Carnegie Mellon; http://www.cmu.edu
SALSA Chair; Internet2; http://security.internet2.edu

More information about the ednog mailing list