Protecting one vlan from others

Discussion in 'Cisco' started by Dralph, Jan 15, 2004.

  1. Dralph

    Dralph Guest

    I am in control of a school system's networks and we have just been
    provided black fiber from our local cable company to hook all the
    schools together. That has been completed and I have separate VLANS
    for all the schools set up on a catalyst 3550 and all is working great
    between the schools. They can see one another, I have migrated all
    schools into one directory structure --- all has gone great. Now I
    have to incorporate the district office. I have set them up on their
    own vlan, but have not given that vlan any access to the others and
    the others have no access to the district office vlan. They are on
    vlan 4, the other schools are vlan 1-3 and 5-12. Internet access vlan
    is 99. So my question is ---- How do I give my district office
    rights to access anything on the other vlans at the schools, but block
    the schools from accessing the vlan at the district office. District
    office should be able to check records on kids and all at every
    school, but no school should be able to touch a single piece of
    equipment on the district office vlan. Thanks in advance, David

    PS: My ip address schemes are 192.168.site.# with site being the
    respective vlan number. ie all printers, computers, etc in central
    office are 192.168.4.#. All the equipment in one of the elementary
    schools is 192.168.10.#, etc.
    Dralph, Jan 15, 2004
    #1

  2. The solution is a Firewall

    Dralph wrote:
    > I am in control of a school system's networks and we have just been
    > provided black fiber from our local cable company to hook all the
    > schools together. That has been completed and I have separate VLANS
    > for all the schools set up on a catalyst 3550 and all is working great
    > between the schools. They can see one another, I have migrated all
    > schools into one directory structure --- all has gone great. Now I
    > have to incorporate the district office. I have set them up on their
    > own vlan, but have not given that vlan any access to the others and
    > the others have no access to the district office vlan. They are on
    > vlan 4, the other schools are vlan 1-3 and 5-12. Internet access vlan
    > is 99. So my question is ---- How do I give my district office
    > rights to access anything on the other vlans at the schools, but block
    > the schools from accessing the vlan at the district office. District
    > office should be able to check records on kids and all at every
    > school, but no school should be able to touch a single piece of
    > equipment on the district office vlan. Thanks in advance, David
    >
    > PS: My ip address schemes are 192.168.site.# with site being the
    > respective vlan number. ie all printers, computers, etc in central
    > office are 192.168.4.#. All the equipment in one of the elementary
    > schools is 192.168.10.#, etc.
    Helmut Ulrich, Jan 15, 2004
    #2

  3. In article <>,
    Dralph <> wrote:
    :I am in control of a school system's networks and we have just been

    :So my question is ---- How do I give my district office
    :rights to access anything on the other vlans at the schools, but block
    :the schools from accessing the vlan at the district office. District
    :office should be able to check records on kids and all at every
    :school, but no school should be able to touch a single piece of
    :equipment on the district office vlan. Thanks in advance, David

    Someone posted saying that the answer is a firewall. I would agree. I
    would suggest that a PIX 506E might be appropriate for the situation
    you described, but see below.

    You have not told us anything about the protocols involved in the data
    access. If udp is involved, the 3550 is not able to do the kind of
    filtering you want; nor can it handle IPX filtering for Novell. If
    only tcp is involved, you might be able to work it with just the 3550
    by first permitting tcp 'established' and then denying plain tcp. I
    am not, though, sure at the moment whether the 3550 supports the
    'established' flag.

    You say that all the schools can see each other, and then you say that
    the district offices should be able to check records on kids at each
    school. That tells us that one school can access kids records "and all"
    at other schools. You probably don't really want that!

    You say that "no school should be able to touch a single piece of
    equipment on the district office vlan". Where are the DNS servers?
    Where is the WWW intranet server located then? How do schools submit
    timesheet information, send email to the district office, input
    purchasing orders and asset records, access the file repository for
    site-licensed or commonly used software (even if just the Microsoft
    patches)?

    It seems likely to me that your logical design is not what it should
    be. What I suspect is that you should be doing a lot of firewalling,
    with each school and district office set up with an internal
    area and a dmz for published services. (Let, for example, students
    run intranet servers accessible only by the other schools; it's good
    practice for them and builds board-wide spirit.) You should perhaps
    be running -two- DMZ's per school: one for casual services, and
    the other for the systems that need to be locked down such as
    the education records. But that would depend upon your internal
    policies: is the district office considered to have the right to
    access *any* connected computer at the schools, or just the
    official administrative computers?

    If you start using DMZs then the PIX 506E I mentioned is not suitable;
    you would need at least a 515 or 515E (though there is a rumour that
    this quarter there will be a 506 model released that has a third interface.)
    --
    So you found your solution
    What will be your last contribution?
    -- Supertramp (Fool's Overture)
    Walter Roberson, Jan 15, 2004
    #3
  4. Dralph

    Dralph Guest

    I realize firewalling is an alternative, but that becomes another area
    to manage. Seems to me this cisco 3950 should be able to do something
    along what I am trying to do without having to waste money on more
    equipment. David

    Helmut Ulrich <> wrote in message news:<4006ad9c$>...
    > The solution is a Firewall
    >
    > Dralph schrieb:
    > > I am in control of a school system's networks and we have just been
    > > provided black fiber from our local cable company to hook all the
    > > schools together. That has been completed and I have separate VLANS
    > > for all the schools set up on a catalyst 3550 and all is working great
    > > between the schools. They can see one another, I have migrated all
    > > schools into one directory structure --- all has gone great. Now I
    > > have to incorporate the district office. I have set them up on their
    > > own vlan, but have not given that vlan any access to the others and
    > > the others have no access to the district office vlan. They are on
    > > vlan 4, the other schools are vlan 1-3 and 5-12. Internet access vlan
    > > is 99. So my question is ---- How do I give my district office
    > > rights to access anything on the other vlans at the schools, but block
    > > the schools from accessing the vlan at the district office. District
    > > office should be able to check records on kids and all at every
    > > school, but no school should be able to touch a single piece of
    > > equipment on the district office vlan. Thanks in advance, David
    > >
    > > PS: My ip address schemes are 192.168.site.# with site being the
    > > respective vlan number. ie all printers, computers, etc in central
    > > office are 192.168.4.#. All the equipment in one of the elementary
    > > schools is 192.168.10.#, etc.
    Dralph, Jan 15, 2004
    #4
  5. In article <>,
    Dralph <> wrote:
    :I realize firewalling is an alternative, but that becomes another area
    :to manage. Seems to me this cisco 3950 should be able to do something
    :along what I am trying to do without having to waste money on more
    :equipment. David

    David, you mentioned that children's education records were going to
    be accessible through this network. Your location is not clear, but
    your email address suggests that you are in the USA. Many states have
    strict privacy laws regarding protecting education records, and
    the restriction structure you have outlined is, it seems to me, unlikely
    to provide sufficient protections under those laws.

    I don't know the exact US equivalent term, but in Canada an education
    record would be considered "Protected/B" information, which would be
    the same class of information as personally-identifiable medical
    records. Information exempt from the Canada Access To Information Act,
    and which must be kept confidential under the Canadian federal Privacy Act.
    Failure to take reasonable steps to protect this class of information
    can bring substantial fines against those who knew or should reasonably
    have known that the protections were insufficient.

    So what will it be: putting in ~$US1000 worth of firewalling per
    school, or risk facing ~$US100,000 in *personal* fines?

    In my opinion, if you do not -already- know what the relevant State
    and Federal legislation says about the kinds of records that will be
    accessible, then you need to hire a security consultant to design your
    security. Talking to the head office of the school board will help,
    yes, but the point would remain that if you don't already know the
    relevant laws then you are not a trained security practitioner and
    will likely not implement security properly. For example, does your
    State mandate the use of PKI for access to records? PKI is expensive
    to maintain!
    --
    How does Usenet function without a fixed point?
    Walter Roberson, Jan 15, 2004
    #5
  6. A Firewall IS what you need but to elaborate on the last post, all you
    need is a firewall placed between the district office and the other
    VLANs. With stateful packet inspection like a PIX - everything from
    the district office will be able to connect to everyone else (If you
    want) and no-one else will be able to get to the district office (If
    you want)

    Simon
    Simon Tibbitts, Jan 15, 2004
    #6
  7. In article <>,
    Simon Tibbitts <> wrote:
    :A Firewall IS what you need but to elaborate on the last post, all you
    :need is a firewall placed between the district office and the other
    :VLANs. With stateful packet inspection like a PIX - everything from
    :the district office will be able to connect to everyone else (If you
    :want) and no-one else will be able to get to the district office (If
    :you want)

    It looks to me that the schools need to be protected from each other
    (and there could be a legal requirement with that implication, depending
    on jurisdiction.)

    You -could- do the firewalling at the cross-point
    if you are in a hub-and-spoke topology (implied by the original poster),
    but the original poster mentioned having 11 schools, 1 district
    office, and 1 internet connection. That's 13 interfaces. The only
    PIX model capable of that is the PIX 535 Unrestricted, which
    supports up to 10 physical interfaces, and 22 802.1Q VLAN
    (restricted to 24 total interfaces.). That would set you back about
    $US23.5K plus the cost of the physical interfaces.

    If you firewall -at- each site, then depending on performance requirements,
    you could probably get away with a PIX 506E at each school,
    about $US930 each, plus a PIX-515E-R-DMZ-BUN ($US2300) at the hub,
    total price $US12530 plus maint contracts. Costs might be
    significantly more if you wanted fail-over systems... but then a
    single Cat3550 isn't a fail-over system either.
    --
    Pity the poor electron, floating around minding its own business for
    billions of years; and then suddenly Bam!! -- annihilated just so
    you could read this posting.
    Walter Roberson, Jan 15, 2004
    #7
  8. Dralph

    Dralph Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<bu6lvh$d2o$>...
    > In article <>,
    > Dralph <> wrote:
    > :I am in control of a school system's networks and we have just been
    >
    > :So my question is ---- How do I give my district office
    > :rights to access anything on the other vlans at the schools, but block
    > :the schools from accessing the vlan at the district office. District
    > :office should be able to check records on kids and all at every
    > :school, but no school should be able to touch a single piece of
    > :equipment on the district office vlan. Thanks in advance, David
    >
    > Someone posted saying that the answer is a firewall. I would agree. I
    > would suggest that a PIX 506E might be appropriate for the situation
    > you described, but see below.
    >
    > You have not told us anything about the protocols involved in the data
    > access. If udp is involved, the 3550 is not able to do the kind of
    > filtering you want; nor can it handle IPX filtering for Novell. If
    > only tcp is involved, you might be able to work it with just the 3550
    > by first permitting tcp 'established' and then denying plain tcp. I
    > am not, though, sure at the moment whether the 3550 supports the
    > 'established' flag.
    >
    > You say that all the schools can see each other, and then you say that
    > the district offices should be able to check records on kids at each
    > school. That tells us that one school can access kids records "and all"
    > at other schools. You probably don't really want that!
    >
    > You say that "no school should be able to touch a single piece of
    > equipment on the district office vlan". Where are the DNS servers?
    > Where is the WWW intranet server located then? How do schools submit
    > timesheet information, send email to the district office, input
    > purchasing orders and asset records, access the file repository for
    > site-licensed or commonly used software (even if just the Microsoft
    > patches)?
    >
    > It seems likely to me that your logical design is not what it should
    > be. What I suspect is that you should be doing a lot of firewalling,
    > with each school and district office set up with an internal
    > area and a dmz for published services. (Let, for example, students
    > run intranet servers accessible only by the other schools; it's good
    > practice for them and builds board-wide spirit.) You should perhaps
    > be running -two- DMZ's per school: one for casual services, and
    > the other for the systems that need to be locked down such as
    > the education records. But that would depend upon your internal
    > policies: is the district office considered to have the right to
    > access *any* connected computer at the schools, or just the
    > official administrative computers?
    >
    > If you start using DMZs then the PIX 506E I mentioned is not suitable;
    > you would need at least a 515 or 515E (though there is a rumour that
    > this quarter there will be a 506 model released that has a third interface.)

    An initial big thank you to all. One of the first things about all
    this privacy between schools and needing firewalls at every school is
    that we are actually only one school considered in our accreditation
    with multiple sites. We are a private school system which allows us
    to do that with a simple K-12 accreditation. So we really do not have
    any big issues with security between schools.

    We are using an IP only network with Novell servers as our main
    backbone. We have a firewall set up at our single internet connection
    point and that is how we protect ourselves from the outside world. I
    presently am using Coyote Linux as a firewall between the district
    office and the rest of the schools. It works fine, but I really
    thought this cisco switch should be able to do it.

    I played some yesterday with an access list, using the following setup:

    access-list 1 permit host 192.168.2.1
    access-list 1 permit host 192.168.3.1
    access-list 1 permit host 192.168.8.1
    access-list 1 permit host 192.168.9.1
    etc
    int vlan4
    ip access-group 1 out

    It seemed to do what I needed.

    I have no DNS server set up anywhere and all IP are statically
    assigned --NO DHCP. I felt from the beginning this would make it more
    difficult to accidentally run into something by users. Anyhow, after
    doing the access list, the district office could see all servers and
    communicate with them directly. But no machine on a different ip net
    (ie. 192.168.2.25) could even ping the .4 network. I looked at the
    PIX options, but with a total system budget of $24,000 for the year, I
    cannot even think in such terms. Linux may be the only option for me,
    but it appeared the access list worked. What do I need to look at as
    a loophole around this??? Thanks, again, David
    Dralph, Jan 16, 2004
    #8
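Added example (not from any poster in this thread): a small Python model of how a stateless IOS access list decides a packet, used to compare David's source-only standard access list from post #8 with the "tcp established" approach Walter describes in post #3. The district-office workstation 192.168.4.10, the school server 192.168.2.1, the school PC 192.168.2.25 and the flows below are constructed; the rule handling follows IOS semantics (first matching entry wins, implicit deny at the end, `established` matching only TCP segments with ACK or RST set).

```python
"""Stateless ACL model: David's standard ACL vs. a 'tcp established' ACL.

Constructed example. Addresses, hosts and flows are made up; 'evaluate'
mirrors IOS access-list semantics: first matching entry wins and an
unmatched packet hits the implicit deny at the end of the list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                              # "tcp", "udp" or "icmp"
    flags: FrozenSet[str] = frozenset()     # TCP flag names, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # source network in CIDR form
    dst: str                    # destination network in CIDR form
    established: bool = False   # IOS 'established' keyword (TCP only)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Return True when the entry matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.established:
        # 'established' is stateless: it only checks that ACK or RST is set;
        # it does not know whether a matching SYN was ever seen.
        if pkt.proto != "tcp" or not (pkt.flags & {"ACK", "RST"}):
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# David's list from post #8: a standard ACL tests the source address only,
# so every entry's destination is "any".
DAVID_ACL_1 = [
    Rule("permit", "ip", "192.168.2.1/32", "0.0.0.0/0"),
    Rule("permit", "ip", "192.168.3.1/32", "0.0.0.0/0"),
    Rule("permit", "ip", "192.168.8.1/32", "0.0.0.0/0"),
    Rule("permit", "ip", "192.168.9.1/32", "0.0.0.0/0"),
]

# Walter's idea from post #3, written as an extended ACL applied outbound on
# the vlan 4 interface: let TCP replies into vlan 4, drop everything else.
ESTABLISHED_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.168.4.0/24", established=True),
]

DISTRICT_HOST = "192.168.4.10"   # constructed district-office workstation
SCHOOL_SERVER = "192.168.2.1"    # a listed .1 server at a school
SCHOOL_PC = "192.168.2.25"       # the unlisted school PC from post #8

# Constructed flows, all travelling toward vlan 4 (where both ACLs apply).
FLOWS = [
    ("server reply to district office",
     Packet(SCHOOL_SERVER, DISTRICT_HOST, "tcp", frozenset({"SYN", "ACK"}))),
    ("school PC pings district office",
     Packet(SCHOOL_PC, DISTRICT_HOST, "icmp")),
    ("school PC reply to district office",
     Packet(SCHOOL_PC, DISTRICT_HOST, "tcp", frozenset({"ACK"}))),
    ("server opens new connection into vlan 4",
     Packet(SCHOOL_SERVER, DISTRICT_HOST, "tcp", frozenset({"SYN"}))),
    ("server sends UDP into vlan 4",
     Packet(SCHOOL_SERVER, DISTRICT_HOST, "udp")),
]


def compare_acls() -> List[Tuple[str, str, str]]:
    """Decision of each ACL for each flow: (label, standard, established)."""
    return [(label, evaluate(DAVID_ACL_1, pkt), evaluate(ESTABLISHED_ACL, pkt))
            for label, pkt in FLOWS]


if __name__ == "__main__":
    for label, standard, established in compare_acls():
        print(f"{label:42s} standard={standard:7s} established={established}")
```

Running it reproduces what David saw: the standard list lets the listed servers answer the district office and drops pings from an unlisted school PC. It also shows the two limits the thread circles around. Because the standard list tests only the source address, it drops replies from any school host that is not a listed .1 server (so the district office can reach the servers and nothing else), and it permits anything the listed servers send into vlan 4, new connections and UDP included, which is wider than "replies only". The `established` list permits replies from any school host, but only for TCP, and it is stateless: it accepts any segment carrying ACK or RST without knowing whether a handshake ever happened. That gap between "looks like a reply" and "is a reply" is what the stateful firewall suggested earlier in the thread closes.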
