We're running our own MPLS campus network with lot's of different VRFs for different use cases. We have a VRF for washing machines, VRF for HVAC, VRF for MRI machines etc... so even at this point there are lot's of different segments to manage and create firewall rules for.
Security/compliance guys are pushing towards even tighter setup where we could limit connections between end points within a segment/VRF. Not really sure if preventing PC to PC communication within a VRF would help us security-wise. And would that break Skype for business I though it uses direct connections between endpoints when it thinks it's in the same network?
Aruba per-used tunneled node would let us micro segment the whole lan and have "deny traffic within segment" as the first rule... and that would probably be enough as the traffic towards other segments would traverse physical firewalls.
There are softwares to control windows/linux software firewalls but that doesn't really help if I'm trying to limit how an MRI machine can access other stuff :)
Any ideas or experiences? Seems that it's really vendor lock-in stuff to do this? Or has anyone ever done this? Or do you allow PCs to talk to other PCs and devices to talk to other devices?
No comments:
Post a Comment