I'm in a fairly new environment where there is beyond-major cleanup needed. I'm partway through standing up 6 new office locations (doubling our number of physical offices) and replacing every speck of network gear at the existing sites, and I have till Feb 1 to finish. Hooray /s.
So yesterday it was brought to my attention that some segmentation is needed that was requested of the prior admin and never happened. We have a /28 block of computers used to access our cloud servers; there is no direct connection to the cloud from the office by design.
However, there is access being allowed that was never intended, and it's audit time.
We have lots of bizarre VLANs (lots of empty ones) that have never been used, I don't think; Cisco gear primarily, etc.
I'm replacing hardware with Dell/F10 gear but doing it in chunks. I'm down to the core, the biggest user stack, and a small stack of non-supported but still used for production (it always seems to happen, no?) server switches.
The edict was issued that they want all of these "jump" servers to be accessible via RDP and SSH from our internal network, but nothing else - but everyone within the internal IPs should be able to access them (wifi, etc).
Right now there is no restriction.
In an ideal world I'd re-IP those bad boys, throw them onto a zone directly connected to the firewall, and limit access using firewall rules. HOWEVER..... in the next 8 weeks I'll be replacing the core switch as well as going from ASA to Palo for the firewall.
Taking down these remote access servers is very much hampered, since business must continue.
I could do a bit of a kludge job and use ACLs on the core, but I don't like the idea of doing that, and I plan to replace the switches in a matter of weeks. I'd prefer to move them to route through a zone on the firewall, but that is also getting removed in short order....
And of course they want it done yesterday.... so time is a factor, as always.
Am I missing any options? Which would you go with?
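For reference, this is what the "kludge" core-switch ACL option described above would look like on the existing Cisco gear. It is an added example, not configuration from the post or from the poster's network: every address, VLAN id and ACL name is a placeholder (10.0.0.0/8 stands in for "everyone within the internal IPs", 192.0.2.16/28 for the jump-host block, VLAN 100 for whatever VLAN those hosts sit in).

```cisco
! Added example, not from the original post. All addresses/VLAN ids are placeholders.
! Goal: only SSH (22/tcp) and RDP (3389/tcp) from internal IPs may reach the jump-host /28.
ip access-list extended TO-JUMP-HOSTS
 remark -- Return traffic for sessions the jump hosts themselves opened (e.g. toward the cloud).
 remark -- A switch ACL is stateless, so without this line those sessions break.
 permit tcp any 192.0.2.16 0.0.0.15 established
 remark -- SSH and RDP from any internal address (wired, wifi, etc.)
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.16 0.0.0.15 eq 22
 permit tcp 10.0.0.0 0.255.255.255 192.0.2.16 0.0.0.15 eq 3389
 remark -- Everything else toward the jump hosts is dropped and logged (useful evidence for the audit).
 deny   ip any 192.0.2.16 0.0.0.15 log
 remark -- Any other hosts that happen to share this VLAN are left untouched.
 permit ip any any
!
interface Vlan100
 description Jump-host VLAN (placeholder id)
 ip access-group TO-JUMP-HOSTS out
```

Applying it outbound on the jump-host SVI means it only governs traffic routed toward the /28 and never has to be repeated on every user VLAN, which is what makes it quick to put in and just as quick to pull out when the core is replaced. Before enabling it, check the hit counters on the `deny ... log` line with `show access-lists TO-JUMP-HOSTS` for a day or two with the deny temporarily written as a permit; that turns up the unintended access the audit is asking about (and anything like monitoring or patching traffic that would otherwise be cut off) without taking the servers down.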