Fr Robert, tell us about your home network I heard you say once that every person device gets ...

G+_Ian Treleaven

1. I don't live in a dorm -- I live in a community of Jesuit brothers. -- Dorms have a lot more noise and booze... while we have a lot more antacids and coffee.

 

2. I run an Enterasys D2 Enterprise switch (12-port Gigabit with PoE + 2 SFPs for the fiber uplink to the campus network.) All my policy is baked into the switch, so it manages all the VLANs in real-time.

 

Connected to the D2 are several HP Intellijacks (managed 4-port PoE Gigabit switches).

 

As new devices are connected they are put on an untrusted VLAN that has Internet access, but that's it. If they successfully authenticate 802.1x they get their own trusted VLAN so that they can see my network resources, but not the other devices on the network.

 

As devices request other devices on the network, and if they are authorized to do so, the switch generates another VLAN tagged to the ports those devices are on.

 

This keeps devices from scanning the network (unless I allow it) and ensures that any rogue devices on the network that start looking for other devices to infect will see nothing on the network but the default gateway. Since "connected" VLANs are generated on the fly between ONLY the devices that are communicating with one another, it also greatly mitigates the possibility of a MITM attack by a compromised, trusted device.

 

I use Xirrus arrays for my WiFi, so the VLAN policy extends even to wireless devices on my network.

 

Peace,

Padre
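The first step of the scheme described above, handing each successfully authenticated device its own VLAN, is normally done by the RADIUS server returning the RFC 3580 tunnel attributes in its Access-Accept; the switch then moves the port into that VLAN. The fragment below is an added, constructed FreeRADIUS `users`-file example illustrating that mechanism; it is not Padre's configuration and not taken from the Enterasys or HP gear he describes. The identities, passwords and VLAN numbers are invented. The untrusted Internet-only fallback for devices that never authenticate, and the on-demand "connected" VLANs between authorized pairs, are switch-side policy and are not shown here.

```text
# Constructed FreeRADIUS "users" entries (example only, not the original post's config).
# Each authenticated identity is handed its own trusted VLAN through the RFC 3580
# tunnel attributes; the switch applies that VLAN to the port after 802.1x succeeds.
# The passwords are placeholders: a real deployment would use EAP-TLS certificates
# or an external backend rather than cleartext entries in this file.

laptop-padre    Cleartext-Password := "placeholder-1"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "101"

printer-office  Cleartext-Password := "placeholder-2"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "102"

# Any identity that matches none of the entries above is rejected. The switch port
# then stays in (or falls back to) the untrusted, Internet-only VLAN.
DEFAULT         Auth-Type := Reject
                Reply-Message = "Unknown device: no trusted VLAN assigned"
```

The Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes are standard, but whether a switch honours them and what it does on an Access-Reject (guest VLAN versus shutting the port) is a per-port setting that differs between vendors, so the fallback behaviour has to be configured and verified on the switch itself.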
