Server Separation

tyanni

Senior member
Sep 11, 2001
608
0
76
I am reworking our networking infrastructure in preparation for implementing VLANs. Over the next few months we will be bringing additional servers online with roles including production/test database servers, web servers, application servers, etc. I am trying to find examples of how others have separated their servers - i.e. all database servers on one VLAN, file servers on another, etc. Ideally, servers requiring incoming connections from untrusted subnet ranges will be separate from those allowing incoming connections from only a few static IPs, but I am not sure how best to lay out the new VLANs since I am new to this.

Any suggestions? Hopefully someone has gone through a similar situation and can help. Feel free to PM me if you'd rather keep this off board. Or feel free to just point me in a certain direction - I am fine with reading up on it, but haven't found much out there in the way of examples. Lastly, in case someone feels like mentioning this, we are a small department, so this will be happening over a long time and not going into production until I am comfortable with it - we aren't going to hire an outside expert.
 

marulee

Golden Member
Oct 27, 2006
1,299
1
0
So, ideally an untrusted connection for the mainstream; then I guess you are putting the firewall before your two servers? (e.g. 10.0.0.4:xx < 10.0.1.x~x)
 

tyanni

Senior member
Sep 11, 2001
608
0
76
Yes, I will have a firewall before the servers, the interfaces of which will be VLAN'd off. If I had 8+ interfaces on the firewall I'd just use subnets and a dedicated interface per subnet, but I am trying to avoid purchasing 4 more interfaces.

Tim
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
I think you are misunderstanding VLANs. A VLAN is just a software implementation to make one physical switch into multiple virtual switches. What you are trying to do is above the level of VLAN (VLAN is part of it, but not all). You should be looking at the Layer 3 stuff.

i.e. VLAN 1 cannot talk to VLAN 2 unless they are joined somewhere. If you just connect them at Layer 2 (plugging a switch into a switch) then you have defeated the purpose. If you plug them in at Layer 3 (router) then you can route packets, use ACLs to block specific things, etc. A Layer 3 switch will route between VLANs if you tell it to (so this is transparent).
 

tyanni

Senior member
Sep 11, 2001
608
0
76
My apologies if I wasn't clear - I am new to this stuff. My firewall will connect the VLANs to each other, not a switch. My understanding is that the switch and the firewall communicate over an 802.1Q trunk, and the switch just forwards the tagged packets to the firewall, which takes the appropriate action.

I won't actually be implementing the VLANs on the switch/firewall side, but I do need to come up with the use of each VLAN - i.e. I need 5 VLANs with so many IPs and will be putting these servers on VLAN1, VLAN2, etc. This is why I am asking how people have separated their servers.

Thanks!
Tim
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Still a little bit confusing, but I think I get what you're asking...

The only servers really worth segmenting are those publicly accessed vs. those that are not, i.e. put all the web servers into a DMZ separate from everything else, maybe punch a hole for administrative purposes. Put all the other servers only accessible to production traffic on another.

IMHO, not really worth separating file, database, mail, etc. into their own VLANs. If they're all going to be accessible internally, what does it matter if they can talk to each other? Separate based on access, not by purpose.
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
Originally posted by: jlazzaro
IMHO, not really worth separating file, database, mail, etc. into their own VLANs. If they're all going to be accessible internally, what does it matter if they can talk to each other? Separate based on access, not by purpose.

Agreed... you would have to open up a lot of ports anyway for it to work properly. Ask yourself this question: what risk are you trying to mitigate? Only once you know the answer to this question can you decide what mitigation will work.
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
You will have to set up the VLANs on the router, as dot1q trunks need the VLAN assignments on all devices that are trunked, not to mention you have to have the VLANs defined to set up routing between them.

If it's purely a management issue (i.e. I want all my servers in this IP schema, all clients here) and you are talking private IPs, go with a 10.0.x.x network with a class B netmask. Then put clients into 10.0.1.x, servers into 10.0.2.x, etc.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
From a design perspective VLANs are NOT a security feature and can easily be bypassed.

So, figure out what you want to do and worry about the technology available later. It's not uncommon to have separate layers/zones in your DMZ that can be locked down, and it is VERY common to use separate interfaces and switches to serve these zones. Repeat - VLANs are NOT a security feature.

1) Front-end devices (accept connections from the Internet, front-ended by a load balancer and firewall) - this is least trusted
2) Application or middleware layer - semi-trusted
3) DB layer - only accepts connections from the app layer and nothing else

What I'm trying to say is it can get real complicated, REAL quick. If this is just a few dozen servers then you might be fine with just one or two security zones. But you need to define these zones based on who and what they need to communicate with.
 

tyanni

Senior member
Sep 11, 2001
608
0
76
Wow - thanks for all of the information so far. My biggest concern is that I don't control the subnets/VLANs the desktops/laptops are on. Unfortunately, students are also on some of these subnets, so even a machine exposed only to "internal" IP ranges is as scary as the Internet, since the patch status of these machines is very questionable. So I essentially have to treat all access to the server as from "untrusted" sources unless it's from my static or one of the other guys in the department.

Spidey07 - the reason I am leaning towards VLANs is two-fold: (1) it allows me to get by with more zones than I have interfaces on the firewall, although it sounds like I should just cough up the money and get more interfaces, and (2) I can do the VLAN tagging internally to my Virtual Infrastructure Server, on a virtual switch, which allows me to bypass needing a separate NIC for each subnet I am using. I can't easily put more NICs in the machine, and if I do I still lose some to load balancing, etc. So going with, say, 8 separate subnets would require 8 dedicated NICs as far as Virtual Infrastructure is concerned.

Tim
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Originally posted by: tyanni
Wow - thanks for all of the information so far. My biggest concern is that I don't control the subnets/VLANs the desktops/laptops are on. Unfortunately, students are also on some of these subnets, so even a machine exposed only to "internal" IP ranges is as scary as the Internet, since the patch status of these machines is very questionable. So I essentially have to treat all access to the server as from "untrusted" sources unless it's from my static or one of the other guys in the department.

Spidey07 - the reason I am leaning towards VLANs is two-fold: (1) it allows me to get by with more zones than I have interfaces on the firewall, although it sounds like I should just cough up the money and get more interfaces, and (2) I can do the VLAN tagging internally to my Virtual Infrastructure Server, on a virtual switch, which allows me to bypass needing a separate NIC for each subnet I am using. I can't easily put more NICs in the machine, and if I do I still lose some to load balancing, etc. So going with, say, 8 separate subnets would require 8 dedicated NICs as far as Virtual Infrastructure is concerned.

Tim

The second paragraph makes perfect sense.

The first paragraph...
It does sound as though you will be OK. I assume your firewall supports dot1q, and is also routing? You need to do SOME filtering at Layer 3 (IP based) or Layer 4 (TCP/UDP ports) or both.
 
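Added worked example (not from any poster in this thread): a small policy-as-code model of the three zones spidey07 listed (front end, app, DB), laid out on nweaver's 10.0.x.x addressing with one /24 per role, with the Layer 3/Layer 4 filtering nweaver mentions expressed as explicit allow rules over a default deny. All prefixes, zone names and port numbers are constructed placeholders. It classifies an address into a zone by longest-prefix match, answers "is this flow allowed?", lints the rule set against the invariants the thread states (DB only reachable from the app tier and the admin statics; nothing from the campus or Internet ranges reaches anything but the front end), and computes how many hops each zone is from an untrusted source so the blast radius of a compromised tier is visible before anything is configured on the firewall.

```python
"""
Zone model for a tiered server network. Constructed example; addresses,
zone names and ports are illustrative placeholders, not a real deployment.
"""
import ipaddress
from collections import deque
from dataclasses import dataclass

# Zones as IP prefixes (assumed: 10.0.0.0/16 carved into one /24 per role).
# "internet" is the catch-all and loses every longest-prefix match.
ZONES = {
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
    "campus":   [ipaddress.ip_network("10.0.1.0/24")],   # student/desktop ranges, treated as untrusted
    "admin":    [ipaddress.ip_network("10.0.3.0/28")],   # department staff static IPs
    "frontend": [ipaddress.ip_network("10.0.10.0/24")],  # web / load-balanced tier
    "app":      [ipaddress.ip_network("10.0.20.0/24")],  # middleware tier
    "db":       [ipaddress.ip_network("10.0.30.0/24")],  # database tier
}

UNTRUSTED = {"internet", "campus"}


def zone_of(ip: str):
    """Return the most specific zone containing ip (longest-prefix match)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


@dataclass(frozen=True)
class Rule:
    src: str          # source zone
    dst: str          # destination zone
    proto: str        # "tcp" or "udp"
    ports: frozenset  # permitted destination ports


# Default deny: a flow is allowed only if some rule matches it explicitly.
RULES = [
    Rule("internet", "frontend", "tcp", frozenset({80, 443})),
    Rule("campus",   "frontend", "tcp", frozenset({80, 443})),
    Rule("frontend", "app",      "tcp", frozenset({8080})),
    Rule("app",      "db",       "tcp", frozenset({5432})),
    Rule("admin",    "frontend", "tcp", frozenset({22})),
    Rule("admin",    "app",      "tcp", frozenset({22})),
    Rule("admin",    "db",       "tcp", frozenset({22, 5432})),
]


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int, rules=RULES) -> bool:
    """Layer 3 (zone by address) plus Layer 4 (protocol/port) decision."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src == s and r.dst == d and r.proto == proto and dport in r.ports
               for r in rules)


def lint(rules) -> list:
    """Check the rule set against the thread's stated invariants."""
    findings = []
    for r in rules:
        if r.dst == "db" and r.src not in {"app", "admin"}:
            findings.append(f"db accepts connections from {r.src}")
        if r.src in UNTRUSTED and r.dst != "frontend":
            findings.append(f"untrusted zone {r.src} reaches {r.dst} directly")
    return findings


def reachable_from(zone: str, rules=RULES) -> dict:
    """Zones reachable from `zone` by chaining allowed flows, with hop counts."""
    hops, seen, frontier = {}, {zone}, deque([(zone, 0)])
    while frontier:
        cur, n = frontier.popleft()
        for r in rules:
            if r.src == cur and r.dst not in seen:
                seen.add(r.dst)
                hops[r.dst] = n + 1
                frontier.append((r.dst, n + 1))
    return hops


if __name__ == "__main__":
    for src, dst, proto, port in [("10.0.1.50", "10.0.10.5", "tcp", 443),
                                  ("10.0.1.50", "10.0.30.5", "tcp", 5432),
                                  ("10.0.20.7", "10.0.30.5", "tcp", 5432)]:
        verdict = "ALLOW" if is_allowed(src, dst, proto, port) else "DENY"
        print(f"{src:>12} ({zone_of(src)}) -> {dst} ({zone_of(dst)}) {proto}/{port}: {verdict}")
    print("lint:", lint(RULES) or "clean")
    print("hops from internet:", reachable_from("internet"))
```

The lint is the part worth keeping around: every time a rule is added for a new server, re-run it so a convenience hole (say, campus straight to the database port) is caught as a policy violation rather than discovered later. The hop table makes the trade-off in the thread concrete: with one flat zone the Internet is one hop from the database; with the three tiers it is three, and each hop is a separately filtered, separately logged boundary.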

tyanni

Senior member
Sep 11, 2001
608
0
76
Firewall supports routing and dot1q.

Think I am all set now - thanks everyone for the help :)