Network security for this scenario...

Ev0 · 22 Feb 2011 at 23:18

Ok, I've got a fictional scenario to mull over, not for anything serious just a bit of fun, and my limited networking skills (if you can call them that!) are leaving me a little stumped.

Scenario is this:

You have 2 physical sites, site A and a newly installed site B, each on different continents.

They will be connected by an MPLS link, with each site having their own local internet links for browsing/direct web stuff.

Site A is running an AD infrastructure with a single forest.

Now here's the bit I was stumped on network wise.

There is some data held at site A that site B needs to be able to access, however there is also data at site A that site B should never be able to access.

And that's about all the info given.

So how to do you set things up

Now I get that you could add site B to the AD infrastructure (as a site on the existing domain or as a whole new domain in the forest?) and use permissions to control access to the files at that level.

But what else could you do at a network level, if much at all, that could aid this seperation of access to only the data required?

You're not told how the data is held at site A, is it all mixed in together, is it seperated already there, who knows.

As said it's just a bit of fun, came out of a discussion on a practice exam question I was having with someone the other day and thought I'd ask here to see what people thought

tntcoder · 23 Feb 2011 at 00:13

So I would say that you would have to know how the data is stored at site a to answer properly.

But hypothetically I guess I would enforce some kind of seperation between the two data types, maybe vlan it off? Put it on a subnet only accessible to site a and not route it over the vpn? Depending on how sensitive the data is maybe even airgapping it is an option.

Interesting problem as you say but tricky to answer without more details

Ev0 · 23 Feb 2011 at 08:27

That's the snag, there are no other details

All the wording says is that data is developed and stored by the parent org (site A), however these same systems also hold data not for export for site B. This could be because of regulations from the country site A is situated in.

I had thought about using VLANs to segregate things, but as there are no details on how the data is currently stored it's hard to know if that would be viable or not.

growse · 23 Feb 2011 at 09:19

If you're separating for regulatory reasons (where the impact of governments coming along and fining you is large), I'd advocate completely separated networks and systems on site A, with a decent level of network control (firewall) between them. VLANs might cut it, but it depends really on the type of data and impact of it being accessed by B.

It becomes a lot easier to control access to data if you put data with different confidentiality requirements in separate places. Then you can layer your security and have both permissions enforcing the policies, as well as things like firewalls physically preventing systems on site B access data you don't want it to.

ecksmen · 23 Feb 2011 at 17:10

Replicate the files using DFS between the two servers over a VPN tunnel down the mpls.

Shaz]sigh[ · 23 Feb 2011 at 17:47

ACLs (access control lists) is the simple answer without thinking of anything overly complex.

Shaz]sigh[ · 23 Feb 2011 at 17:50

growse said:
If you're separating for regulatory reasons (where the impact of governments coming along and fining you is large), I'd advocate completely separated networks and systems on site A, with a decent level of network control (firewall) between them. VLANs might cut it, but it depends really on the type of data and impact of it being accessed by B.

Agreed but then you have to mess around with disjointed l2 networks. Could look at something like linesider if required.