
What is the general best practice for subnetting a small (about 15 servers) network of VMs and physical machines?

How granular should it be? Do you want to have a logical subnet or VLAN for every separate function in the network?

What is generally the guideline here?

I should add also that this is a small network with the sole purpose of hosting public facing web sites and applications for a small business. There will not be any other external users other than those from the internet.

  • 2
    You use VLAN's and subnets when you have a need and a reason to use VLAN's and subnets. You don't use VLAN's and subnets for the sake of using VLAN's and subnets. What is your need and your reason for using VLAN's and subnets? And don't say "for security". Give us specifics. – joeqwerty Jan 22 '21 at 17:34
  • Mainly for me it is for security, i want to isolate any potential malicious code or traffic. – CorinaLarksExtraMild Jan 22 '21 at 17:48
  • So you want to create VLAN's and subnets and isolate all of the servers from each other and then set up routing to route traffic between all of the subnets and then set up firewall rules to only allow specific traffic between all of the servers? – joeqwerty Jan 22 '21 at 17:51
  • Pretty much yes except not all the servers will have access to each other, it will be on a as needed basis. The firewall will be on the edge of this network before anything gets in. – CorinaLarksExtraMild Jan 22 '21 at 17:53

2 Answers


What is the general best practice for subnetting a small (abt 15 servers) network of vms and physical machines?

The best solution is probably a private VLAN, which allows your servers to communicate with a common uplink, but not with each other. This reduces configuration overhead, yet makes lateral movement by attackers a lot more difficult.

vidarlo
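What the private VLAN layout described in this answer looks like on a switch, as an added example that is not part of the answer itself. It uses Cisco IOS syntax; the VLAN numbers, interface names and port ranges are constructed assumptions for a single access switch with the firewall on one uplink port.

```cisco
! Added example (not from the answer above): isolated private VLAN on a Cisco
! IOS switch. VLAN numbers, interface names and the port range are assumptions.
! Primary VLAN 100 carries the uplink; isolated VLAN 101 holds the servers.
vtp mode transparent
!
vlan 101
 private-vlan isolated
!
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Server ports: hosts in the isolated VLAN can reach the promiscuous port
! (the firewall uplink) but cannot exchange frames with each other.
interface range GigabitEthernet1/0/1 - 15
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Uplink to the firewall: promiscuous, so it talks to every host in VLAN 101.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

The isolation is Layer 2 only. Two servers in the isolated VLAN still share one IP subnet, and if the gateway behind the promiscuous port is willing to proxy-ARP or route between them (on an IOS SVI that is what `ip local-proxy-arp` would enable), they can reach each other through it, so the firewall's policy for hairpinned traffic still has to say no. Any server that genuinely needs to talk to another one has to be moved to a community VLAN or reached via the gateway with an explicit rule.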

There is no "best practice." How you segregate devices depends on your security needs (assets, risks, vulnerabilities, etc.) and how the devices communicate with each other. Every system is different, and it's impossible for us to decide for you.

That being said, generally if you want to restrict traffic between devices or systems, it's easier if they're in separate subnets (VLANs). Then you can restrict access between the subnets.

Bear in mind that VLANs alone provide NO security. You need to apply access control lists (or other types of filtering) to the VLAN interfaces that will enforce whatever security policy you want.

Ron Trunk
  • When you say VLANs themselves provide no security, do you mean that malicious traffic can move between different VLANs or subnets? If so, what mechanism are they using to do that? – CorinaLarksExtraMild Jan 22 '21 at 18:49
  • If two servers are on separate VLANs and have no routing between them, isn't that more secure than otherwise? – CorinaLarksExtraMild Jan 22 '21 at 18:55
  • Yes, but VLANs with no routing between them are completely isolated networks. Those systems can't talk with any devices in other networks, including the Internet. I assume that's not what you want. – Ron Trunk Jan 22 '21 at 19:02
  • They would have internet access, but it would be behind a firewall, so the protection from the internet would be there. My main concern would be malicious code that gets on the network; if it's on an isolated VLAN I figure it can do less damage. – CorinaLarksExtraMild Jan 22 '21 at 19:09
  • If the firewall is the gateway for that subnet, then it (the firewall) provides the access control list as I described above. But if you have a router (layer 3 device) connecting the subnets, then you will need additional ACLs. It would be helpful if you added a simple diagram to your question. – Ron Trunk Jan 22 '21 at 19:15
  • It won't let me add a diagram as a new user. But essentially it's firewall -> layer 3 switch -> servers. – CorinaLarksExtraMild Jan 22 '21 at 19:50
  • All the routing will be done on the switch and it is also the gateway for all the subnets and servers. – CorinaLarksExtraMild Jan 22 '21 at 20:04
  • Then you need ACLs on the L3 switch to restrict traffic between subnets. – Ron Trunk Jan 22 '21 at 20:06
  • Can you give an example of what an acl will do? – CorinaLarksExtraMild Jan 22 '21 at 20:12
  • Example: The ACL might allow devices on subnet 1 to initiate a TCP connect on port 1436 to a device on Subnet 2. Devices on subnet 2 can reply but not initiate connections to devices on subnet 1 or the Internet. Or more generally, subnet 1 may have web servers that talk to app servers in subnet 2. The ACL only allows connections on specific ports, and no access to subnet 2 from the Internet. – Ron Trunk Jan 22 '21 at 20:27
  • Nice, thanks for all the info, now I see why ACLs will be needed. – CorinaLarksExtraMild Jan 22 '21 at 20:31
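The ACL policy sketched in the last comment (web tier may open a specific port to the app tier, the app tier may only reply, and nothing from the Internet reaches the app tier), written out for the topology the asker described (firewall -> L3 switch that is the gateway for every subnet -> servers). This is an added example, not Ron Trunk's own configuration; it uses Cisco IOS extended ACL syntax, and the addresses, VLAN ids and interface names are constructed assumptions. TCP/1436 is simply the port number used in the comment above.

```cisco
! Added example (not from the answer or comments above). Assumed layout:
!   VLAN 10 = 10.0.1.0/24  web tier, reachable from the firewall/Internet
!   VLAN 20 = 10.0.2.0/24  app tier, never initiates to VLAN 10 or the Internet
!   Gi1/0/24 = routed link to the firewall (192.0.2.1), the switch's default route
!
! Inbound on the web-tier SVI: web servers may open TCP/1436 to app servers and
! nothing else toward the app tier; everything else (replies to Internet clients,
! outbound updates) goes on to the firewall, which applies its own policy.
ip access-list extended WEB-TO-APP
 permit tcp 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 eq 1436
 deny   ip  10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 log
 permit ip  10.0.1.0 0.0.0.255 any
!
! Inbound on the app-tier SVI: only segments belonging to an already-open
! TCP/1436 session (ACK or RST set) may leave toward the web tier. "established"
! is stateless flag matching, but it is enough to stop a host in VLAN 20 from
! starting new connections anywhere, which is the property the thread asks for.
ip access-list extended APP-REPLY-ONLY
 permit tcp 10.0.2.0 0.0.0.255 eq 1436 10.0.1.0 0.0.0.255 established
 deny   ip  10.0.2.0 0.0.0.255 any log
!
! Inbound on the uplink from the firewall: whatever the firewall lets in from
! the Internet may reach the web tier only; the app tier is unreachable.
ip access-list extended FROM-FIREWALL
 permit ip any 10.0.1.0 0.0.0.255
 deny   ip any 10.0.2.0 0.0.0.255 log
!
interface Vlan10
 ip address 10.0.1.1 255.255.255.0
 ip access-group WEB-TO-APP in
!
interface Vlan20
 ip address 10.0.2.1 255.255.255.0
 ip access-group APP-REPLY-ONLY in
!
interface GigabitEthernet1/0/24
 no switchport
 ip address 192.0.2.2 255.255.255.252
 ip access-group FROM-FIREWALL in
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

Two practical notes. First, the app tier as written cannot resolve DNS, fetch OS updates or send logs; each such flow needs its own `permit` line above the final `deny`, preferably to a specific host and port. Second, every IOS ACL ends in an implicit deny, and the `log` keyword on the explicit denies makes blocked attempts visible; `show ip access-lists` shows per-entry hit counters, which is the quickest way to confirm the policy is actually matching traffic rather than silently permitting it.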