I've basically started by segmenting my servers/network devices, VoIP, workstations and admins on different VLANs. That was, basically, my Phase 1 approach to segmenting my network. Now I'd like to think the next best approach might be to further segment the workstations based on actual departmental use so I can capture the network traffic via Wireshark, review the captured data, and base my ACLs on what is required from each VLAN (department).
My questions are:
1) Is this the best approach for segmenting? Should I segment down to Department use case or leave all workstations in one VLAN? Smaller numbers in each VLAN sound reasonable and create less broadcast traffic.
2) What is a very easy way to begin defining ACLs to prevent unwanted traffic from crossing VLANs? I have thought of using an ACL with Deny statements first and then, to overcome the implicit Deny All, I'd add a Permit TCP Any Any, since that would essentially be the same as not having an ACL at all; but this way I can at least prevent known threats to start with and then keep adding in an effort to reduce exposure. What are your thoughts on this approach? Can anyone provide a sample of their ACLs used in production environments so I can have a basis to work off of?
Appreciate any help with this.
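The workflow the post describes (capture inter-VLAN traffic, then derive per-VLAN ACLs from what was actually seen) as an added example that is not part of the original post: it reads flow tuples in the shape `tshark -T fields` emits, maps addresses to the four VLANs from Phase 1 (the subnets below are assumed), and prints candidate Cisco-style extended ACL lines per source VLAN. The "learning" tail is `permit ip any any log` rather than `permit tcp`, so UDP and ICMP (DNS, DHCP relay, pings) are logged instead of silently dropped while the rule set is still being built.

```python
# Added example: derive candidate extended-ACL lines from captured inter-VLAN flows.
import ipaddress
from collections import defaultdict

# Assumed VLAN addressing for the four Phase 1 segments; adjust to your own.
VLANS = {
    "SERVERS": ipaddress.ip_network("10.10.10.0/24"),
    "VOIP": ipaddress.ip_network("10.10.20.0/24"),
    "WORKSTATIONS": ipaddress.ip_network("10.10.30.0/24"),
    "ADMINS": ipaddress.ip_network("10.10.40.0/24"),
}

# Constructed sample, tab-separated as tshark -T fields -e ip.src -e ip.dst
# -e ip.proto -e tcp.dstport -e udp.dstport would print it (one packet per line).
CAPTURE = (
    "10.10.30.15\t10.10.10.5\t6\t445\t\n"   # workstation -> file server (SMB)
    "10.10.30.22\t10.10.10.5\t6\t445\t\n"   # same flow from another host
    "10.10.30.15\t10.10.10.7\t17\t\t53\n"   # workstation -> DNS (UDP)
    "10.10.40.3\t10.10.10.5\t6\t3389\t\n"   # admin -> server RDP
    "10.10.30.9\t10.10.40.3\t6\t22\t\n"     # workstation -> admin box SSH (review this one)
    "10.10.30.15\t10.10.30.22\t6\t139\t\n"  # intra-VLAN: never crosses the SVI, ignored
)

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

def vlan_of(ip):
    """Return the VLAN name whose subnet contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in VLANS.items() if addr in net), None)

def parse_flows(text):
    """Collapse packets into a set of (src_vlan, dst_vlan, proto, dport) inter-VLAN flows."""
    flows = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, tcp_port, udp_port = line.split("\t")
        s, d = vlan_of(src), vlan_of(dst)
        if s is None or d is None or s == d:   # unknown or intra-VLAN: no ACL hit
            continue
        flows.add((s, d, PROTO_NAMES.get(proto, proto), tcp_port or udp_port or None))
    return flows

def build_acls(flows, learning=True):
    """Map each source VLAN to ACL lines: one permit per observed flow, then a tail.
    learning=True ends with 'permit ip any any log' (observe, don't block);
    learning=False ends with an explicit logged deny once the permits are trusted."""
    acls = defaultdict(list)
    for s, d, proto, port in sorted(flows, key=lambda f: (f[0], f[1], f[2], f[3] or "")):
        src, dst = VLANS[s], VLANS[d]
        rule = f"permit {proto} {src.network_address} {src.hostmask} {dst.network_address} {dst.hostmask}"
        acls[s].append(rule + (f" eq {port}" if port else ""))
    for s in VLANS:
        acls[s].append("permit ip any any log" if learning else "deny ip any any log")
    return dict(acls)

if __name__ == "__main__":
    for vlan, lines in build_acls(parse_flows(CAPTURE)).items():
        print(f"ip access-list extended FROM-{vlan}")
        print("\n".join(f" {line}" for line in lines))
```

Each emitted permit should be reviewed before it is trusted (the workstation-to-admin SSH line above is exactly the kind of flow a capture will surface that policy may not want).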