Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Placement of public access terminals 1

Status
Not open for further replies.
interdaemon

interdaemon

IS-IT--Management
Joined
May 5, 2003
Messages
26
Location
US
Hello, I work at a university and we are trying to justify to management the need to move all public access terminals (such as lab machines) off the inside interface of the PIX and into one of our DMZs. I believe that if I could find cisco documentation (such as SAFE) or other best practice data supporting this, they would go for it. I have had a difficult time finding this, because searching for campus yields fairly useless results, since Cisco uses that as their word for everything. Any help?? TIA
 
Sort by date Sort by votes
Is this what you're looking for?

> public access terminals
What do you mean by "public"?
If it's "any student", then I can imagine that they might want to get back in to the campus network, which would make your DMZ a lot more porous than it need be.

If it's "joe public" wandering in off the street then I'd be a lot more concerned. If this is the case, then I would think you would need something completely separate from the university network - say along the lines of an internet cafe.

--
 
Upvote 0 Downvote
I think you're deluded if you think "Joe Public" is more of a hazard than the student body, but this whole "network thing" needs to be rethought anyway.

Large networks really need to be treated more like the public Internet. You just don't have anywhere near the control or internal trust you might think you do. The hoary old DMZ model just does not work for large networks, but then again it was never meant to. The answer is decentralization into separate networks, each one having its own DMZs and such as required based upon sensitivity.

A giant, homogenous, internal network is an accident waiting to happen. In many large networks this did happen recently with the Blaster worm. One infected laptop connects internally and *bang!* all of your clever firewalling sitting "out front" was for nought.

You need to treat your campus-wide backbone network as a hostile environment. The only safe sandboxes are small sandboxes. Think of a seagoing hull. You don't want one big buoyancy chamber - get one hole and you're sunk.

The trick is figuring out the appropriate granularity for general-use networks (offices, dorms, classroom/lab buildings, etc.), special security requirements for other facilities (academic records, payroll and accounting, sensitive research, data warehouses), and then trading it off against costs and complexity. A major refit I know, but one that can be done incrementally.

Where you take the big hit is in the area of what you can allow to flow. Just like a home user shouldn't expose file services, general RPC access, etc. to the public Internet, you don't want them across your backbone either. Now you have to consider VPNs and such within the campus and/or move workgroup members into the same physical "sandbox" network. Ain't networking fun in a hostile world?

The upside of this is that if you can make it work, your wireless security headaches are limited too. Any given access point only provides blanket access into the one sandbox it is attached to, and the other sandboxes only trust it to a limited extent.

You're right though, I'm not finding supporting papers on such alternatives either.
 
Upvote 0 Downvote
If we moved the student access stations into a DMZ (the same one as our open wireless) they would not need any access to the inside, they would be essentially separate, even their ip scheme would be different. All servers they need access to (such as PDC) would be moved into their DMZ. And we are also in the process of blocking subnets from talking to other subnets, unless explicitly allowed permission is given in the ACL. I am trying to confirm that moving the student access machines off the inside interface on the PIX and onto one of the DMZ interfaces on the PIX is better than nothing, certainly better if that particular DMZ has no connection to the inside, it can't even see it. There are NO open ports from that DMZ to the inside. Are you saying that would not be a good idea?
 
Upvote 0 Downvote
No, if I understand where you'll end up I think I'm agreeing with you.

Where I was going is that the days when you can look at having an "inside" are gone, except on local network segments - basically lots of small "insides." Then the trick is permitting the necessary internetwork traffic in a secure manner.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2
  • Locked
  • Question Question
Loss of my privacy
Replies
12
Views
2K
Rick998
Rick998
Sparrow4
  • Locked
  • Question Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
1K
Johnkite
Johnkite
Shmid
  • Locked
  • Question Question
Hi We´re thinking of enabling Ac
Replies
0
Views
692
Shmid
Shmid
Shmid
  • Locked
  • Question Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
1K
Shmid
Shmid
Tommy_T
  • Locked
  • Question Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
973
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top