-
June 7th, 2004, 08:04 PM
#11
Junior Member
My thoughts exactly - the IS manager isn't very 'savvy', and I have no authority over the process. My head hurts...
-
June 7th, 2004, 08:07 PM
#12
Not concerned about the outside at this point? That's insane, I'm sorry man .. it sounds like you're going to have a lot of work on your hands in the future if this is the general attitude.
-gunder
So much to learn, so little time.
-
June 7th, 2004, 08:14 PM
#13
With your new information and answer for your Boss (Blondie? :P ), I have only one piece of advice:
Do it as they told you.
It doesn't appear to be a regular audit procedure.
So, you don't have ALL the information to argue about it.
Then, why counterfight? It will be a good experience for you anyway. VLANs nowadays must be mastered by network admins.
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
June 7th, 2004, 08:19 PM
#14
VLANs can help mitigate the impact of a worm if you make use of rate-limiting and/or ACLs on the (L3) switch/router. Rate limiting allows you to assure a certain minimum amount of bandwidth to each VLAN (like you mentioned doing with your finance dept.), whereas the worm could easily eat everyone's bandwidth otherwise; you're restricting the scope of the potential DoS...
You could also use ACLs (with L3 VLANs) to make sure that the different depts. don't access each other's resources (if applicable) or block certain ports (or the reverse, default deny then allow..) at the router... For example, if your workstations don't share in a peer-to-peer fashion, there's no reason for a development workstation to access a finance workstation on ports 137-139, 445, whatever, etc.!
In general, VLANs allow you to regroup and segment the network into assets of different priority, vulnerability, value, "mission criticalness", in order to reduce risk and exposure as well as (helping to) ensure minimum network performance.
Besides, if you're using Windows with file sharing over NetBIOS on that network, take a look at how much broadcast is going on on that segment... At 180 hosts on a single segment, I'd consider it worth it even just for the broadcast domain segmentation...
Ammo
Credit travels up, blame travels down -- The Boss
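An added illustration of the inter-VLAN ACL idea in the post above (example config, not from anyone in this thread), written in Cisco IOS extended-ACL syntax. The VLAN numbers, subnets and ACL names are assumed for the sake of the example: Finance workstations on VLAN 10, Development workstations on VLAN 20, file servers on VLAN 30.

```cisco
! Constructed example: Finance = VLAN 10 (10.0.10.0/24), Development = VLAN 20
! (10.0.20.0/24), file servers = VLAN 30 (10.0.30.0/24). All values are assumed.
!
! Style 1 ("block certain ports"): Dev workstations may talk to anything except
! the NetBIOS/SMB ports on Finance workstations. Applied inbound on the Dev SVI,
! i.e. to traffic leaving Dev hosts and entering the L3 switch.
ip access-list extended DEV-IN
 remark Peer-to-peer Windows file sharing from Dev to Finance is not needed
 deny   tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 range 137 139
 deny   udp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 range 137 139
 deny   tcp 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255 eq 445
 remark Shares live on the server VLAN, so that stays reachable
 permit ip  10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 remark Everything else (other VLANs, Internet via the router) is still allowed
 permit ip  10.0.20.0 0.0.0.255 any
!
interface Vlan20
 description Development workstations
 ip address 10.0.20.1 255.255.255.0
 ip access-group DEV-IN in
!
! Style 2 ("the reverse, default deny then allow"): Finance workstations may only
! reach the server VLAN and web/DNS; the final line logs whatever else they try,
! which is also how a worm scanning ports 445/139 across VLANs shows up.
ip access-list extended FIN-IN
 remark Servers (file shares, domain controllers) on VLAN 30
 permit ip  10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
 remark Web browsing and DNS; tighten to a proxy/DNS server address if you have one
 permit tcp 10.0.10.0 0.0.0.255 any eq 80
 permit tcp 10.0.10.0 0.0.0.255 any eq 443
 permit udp 10.0.10.0 0.0.0.255 any eq 53
 remark Explicit default deny with logging (an ACL also has an implicit deny)
 deny   ip  any any log
!
interface Vlan10
 description Finance workstations
 ip address 10.0.10.1 255.255.255.0
 ip access-group FIN-IN in
```

Because the ACL is applied per SVI, the L2 workstation switches in the thread need no configuration beyond VLAN membership; only the L3 switch or router that routes between VLANs enforces these rules, and the `log` keyword on the default deny gives you a cheap cross-VLAN scan detector.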
-
June 7th, 2004, 08:24 PM
#15
Hey Tiger, I think they've already been raped....
Dude, you need to get it into the IS manager's head how important it is to even have a basic external scan done....
You might consider finding a new job, one where you don't work for idiots?
EDIT: Tell the IS manager he caused an ID 10-T error...
Real security doesn't come with an installer.
-
June 7th, 2004, 08:32 PM
#16
May I ask why you are so worried about external threats? Have you no firewall installed yet? Are you hosting public services (www, ftp, ... )? Do you have particular concerns about your perimeter's security?
As far as I'm concerned, without having the bigger picture, it might be totally reasonable to be focusing on the internal security. Too many admins only worry about external attacks and don't apply defense in depth, and quite frankly, I'm surprised that so many in this thread aren't recognizing this fact right now...
Ammo
Credit travels up, blame travels down -- The Boss
-
June 7th, 2004, 08:32 PM
#17
Junior Member
I have some experience with vLANs. Unfortunately, we didn't purchase many L3 switches - only L2 for the workstations, and 2 L3's for the servers and backbone. My biggest concern here is that we have a good bit of our fileshares on a number of different servers, with no "departmental" isolation - the only real benefit we'll have with vLAN is isolating workstation traffic from other workstations. I realize I should be most worried about internal hacks, but I'm pretty good at sniffing 'em out.
As far as a new job is concerned, I have benefits out the wazoo here - hard to match the money as well. Them chains of gold...
-
June 7th, 2004, 08:35 PM
#18
Junior Member
I'm first and foremostly worried about outside attacks at this time. I know that internal attacks are more common, but we've been able to harden most of the more obvious external spots (stateful inspection, port blocks, yadda yadda yadda), and I want to get it solid before we go to the internals. Besides, our typical user isn't very computer-savvy...unfortunately.
-
June 7th, 2004, 08:36 PM
#19
I agree (of course) with Ammo that many admins neglect their duties regarding internal security -- a lot of threats come from inside; is a VLAN the first step of countermeasures?
Maybe the company is so well secured that it's time to implement VLANs to enhance security.
But it is still (with the given information) looking like the weapon is too big for the size of the enemy...
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
June 7th, 2004, 08:44 PM
#20
Junior Member
And that's the other thing. We're pretty small, and I'm not sure if we need (or can afford) big-time solutions. We have been doing some squid stuff at the workstation level - complex password, etc. If I had my druthers (and money), I'd get some ISS equipment in here and lock that system down tighter. I did some beta for them a long long time ago and was VERY impressed at the time. Dunno what their stuff looks like nowadays.