Monday, May 20, 2019

Pseudo-microsegmentation with /29s and /30s in Legacy Environment?

I'm currently in a small environment with a single site, about 30 VMs, and 40 users, with a relatively flat network - just 4-5 subnets all open to each other, plus 2 DMZs which are more locked down.

Primarily a Cisco shop with a pair of routers and a dozen switches. We also have Palo Altos which are only used for inline IDS but could be used for routing. Mass equipment upgrades are not an option for us, though we do incrementally upgrade a piece or two each year. I realize this is a big handcuff when discussing nearly rebuilding a network from scratch, but it's what I've got.

I've recently been considering ways to lock down the network to provide better segmentation and security at the network level, which is more difficult without a lot of the newer features on equipment.

I know something needs to change, but I'm not sure how best to implement it without buying a ton of new tech. Without readdressing, all we'd be able to do would be to firewall our server subnets from our client subnets. A start, but not great.

Security groups have allowed us to use this microsegmentation for our AWS applications, but the on-premises network is wide open once you breach the border. I'd like to implement a similar microsegmentation, or at least something close to it, on premises.

I've considered putting applications or servers in their own VLAN with a /29 or /30 network - or larger where needed - and then routing everything (aside from the obvious like VM storage traffic). Similarly, adding users to department-based subnets, allowing more granular access control. This would allow all ACLs to be enforced at the router level, with a default deny-all, only whitelisting specific ports between these small subnets, each subnet being an application, or at least a piece of one.

Is this a crazy idea? Has anyone ever implemented anything like this? What should I watch out for?
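The router-enforced design described above, as an added example that is not from the original post: a Python script (assuming only the standard library `ipaddress` module, with constructed placeholder subnets, application names and ports) that turns a per-application flow allow-list into a default-deny Cisco IOS style extended ACL, computing wildcard masks from the /29 and /30 VLANs and showing how few server addresses each leaves once the gateway takes one.

```python
"""Generate a default-deny Cisco IOS style extended ACL from an application
flow allow-list, for a plan that gives each application its own /29 or /30
VLAN. Added example, not the poster's configuration: every subnet, name and
port below is a constructed placeholder."""
import ipaddress

# Constructed address plan: one small VLAN per application or department.
SUBNETS = {
    "web-app": ipaddress.ip_network("10.10.1.0/30"),  # gateway + 1 server
    "db-app": ipaddress.ip_network("10.10.1.8/29"),   # gateway + 5 servers
    "finance": ipaddress.ip_network("10.20.0.0/24"),  # a department subnet
}
# Constructed allow-list: (source, destination, protocol, destination port).
# Any flow not listed here is dropped by the trailing deny.
FLOWS = [
    ("finance", "web-app", "tcp", 443),
    ("web-app", "db-app", "tcp", 1433),
]

def wildcard(net):
    """Cisco ACLs take an inverted mask: /29 -> 255.255.255.248 -> 0.0.0.7."""
    return str(net.hostmask)

def usable_hosts(net):
    """Addresses left for servers after network, broadcast and the gateway."""
    return max(net.num_addresses - 3, 0)

def check_plan(subnets):
    """Reject overlapping VLAN subnets; overlaps make routing ambiguous."""
    nets = list(subnets.items())
    for i, (a, an) in enumerate(nets):
        for b, bn in nets[i + 1:]:
            if an.overlaps(bn):
                raise ValueError(f"{a} {an} overlaps {b} {bn}")
    return True

def build_acl(name, flows, subnets):
    """One permit per allowed flow, then an explicit deny-all that logs."""
    check_plan(subnets)
    lines = [f"ip access-list extended {name}"]
    for src, dst, proto, port in flows:
        s, d = subnets[src], subnets[dst]
        lines.append(f" permit {proto} {s.network_address} {wildcard(s)} "
                     f"{d.network_address} {wildcard(d)} eq {port}")
    # IOS denies implicitly; an explicit logged deny exposes what was blocked.
    lines.append(" deny ip any any log")
    return lines

if __name__ == "__main__":
    print("\n".join(build_acl("APP-SEGMENTS", FLOWS, SUBNETS)))
```

Each generated list would still be applied inbound on the matching VLAN interface, and a /30 leaves room for exactly one server next to the gateway, so anything that will ever need a second address belongs in a /29 or larger.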
