[ednog] FW: CSG policy discussion on Network Security

John Kristoff jtk at northwestern.edu
Thu Jan 5 22:29:42 EST 2006 

On Mon, 2 Jan 2006 18:09:38 -0500
"Mark Poepping" <poepping at cmu.edu> wrote:

>  . presuming that you do employ subnetting for some or all of these
>  needs,
> can you say (just a little) more about how you chose to do it?
>     1) Do we choose geographic or organizational network topology?

I prefer to do it based on simple geography wherever possible, typically
limiting the subnet to a floor or building.  I like subnet sizes to be
/24's if possible since that is easiest for most support persons to deal
with generally.  There are some exceptions for particular classes of
services (e.g. network management) that don't span the single geographic
area, but this is an easily managed exception to the rule.

Note, I've often seen and have had to do it base on function/group (e.g.
physics dept.), which may span disparate locations, resulting in things
like VLAN trunking across.  I don't like doing this generally, because
I think the network complexity this gives you is far worse than some of
the advantages keeping like systems in the same subnet provides.  The
geographic solution also tends to help force you to do better security
rather than relying on group based subnet address filters, but that can
be a drawback too I suppose.

>     2) Is there a need for more than one class of service (within a
>     given
> 	 subnet)?  e.g. one for "open" access, one for
> 	 "closed"/firewalled access, one with NAC, one without, one for
> 	 quarantine traffic, etc.

Often yes and this is why no solution is a no brainer.  I've had this
harebrained idea of having just host routes (/32's) in the IGP.  For
some things, this would solve a problem of problems.  For others it
would make them worse.  Practically speaking, it just doesn't work.  :-)
One unique attempt I've seen and tried is to put certain classes of
hosts in different parts of the subnet and micro-filter at the first
hop gateway based on the micro-blocks.  For most it probably just
complicates things and doesn't provide a whole lot of real protection.

John

More information about the ednog mailing list