Question
One of the biggest points of friction I see between networking teams, security teams, and users is around the idea of network segregation. For instance, the network team wants to isolate everyone behind VLANs, such that, for example, users would not even be able to browse the IP address of a security tool. The reasoning is that if everything is segregated, then that limits the potential exposure of that sensitive device to attack. Conversely, users in the security team find this cumbersome, because if they need to VPN in and view events at night, they need to utilize a jump box because they cannot access the interface from the VLAN that they are a part of.
What I want to know is how people typically approach this clash between "security" and usability. To me, I would rather the application perform the authentication, rather than rely on which VLAN someone is located in.
Explanation / Answer
To your first point, of course there is such a thing as too much segregation. I disagree with the answers already here that network segregation is obsolete or pointless, however. It's important to segregate disparate networks, and perhaps specific pieces of the larger whole.
Consider that a network firewall is a bastion host. It typically runs a very stripped down operating system and is used for a single function. Few users are typically entrusted with access, and changes are also typically backed up automatically using something like rancid.
This affords two things. One is a paper trail of any changes made to these devices, typically done under controlled conditions. Two, it can make it much harder for an attacker to access the data they are after. If a machine is only able to contact systems in its VLAN, it may not have any direct access to your important data. If everything is in a single bucket, a single compromised host immediately becomes a pivot to use against all of your critical infrastructure. If you have segmentation this can become significantly more difficult.
As to how to approach it, you have to balance usability and implementation costs of network segmentation with the value of the data involved. If you're a large organization which can be caused significant financial harm by a breach, it may well be that network segregation makes sense. I typically recommend a jump host with 2-factor authentication to gate any access into a production environment, and a small list of roles with this access.
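One way to express the model the answer describes (the security tool's web interface reachable only through the jump host, never directly from the user VLAN) is as an inter-VLAN firewall policy on the router between those VLANs. This is an added nftables example, not part of the original answer; the addresses (users 10.0.10.0/24, jump host 10.0.30.5, security tool 10.0.20.10) are assumptions.

```nft
# Added example: inter-VLAN forwarding policy between the user VLAN,
# the jump-host VLAN and the security-tools VLAN.
# All addresses below are assumptions, not values from the page.
define USER_VLAN = 10.0.10.0/24   # analysts' desktops and VPN clients land here
define JUMP_HOST = 10.0.30.5      # bastion; 2-factor authentication enforced on the host
define SEC_TOOL  = 10.0.20.10     # security tool management interface

table inet segmentation {
    chain forward {
        # Default-deny between VLANs: anything not listed is dropped.
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only the jump host may reach the tool's web UI.
        ip saddr $JUMP_HOST ip daddr $SEC_TOOL tcp dport 443 accept

        # Users (including VPN users) may reach the jump host over SSH;
        # that is where the 2-factor prompt lives.
        ip saddr $USER_VLAN ip daddr $JUMP_HOST tcp dport 22 accept

        # Direct attempts from the user VLAN to the tool are exactly what
        # the question calls "cannot browse the IP". Log and count them so
        # a compromised user host probing the tools VLAN shows up in the SIEM.
        ip saddr $USER_VLAN ip daddr $SEC_TOOL log prefix "seg-deny-user-to-tool " counter drop

        # Count the remaining inter-VLAN traffic hitting the default deny.
        counter drop
    }
}
```

The flat-network alternative the answer warns about is the same chain with `policy accept` and no per-host rules, where any compromised user machine can talk to the tool directly.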