Hello everyone,
My first question is a simple one really, but I'm just looking for some confirmation or direction.
Using 3 VLANs across a network I am dealing with and slowly taking over, the current configuration is as follows:
3 VLANs / ranges on a network
VLAN2 - 10.0.2.0 - Web Servers with NAT rules going to them for external access
VLAN3 - 10.0.3.0 - Web Servers / Database Servers
VLAN4 - 10.0.4.0 - Database Servers
VLAN 2 and 3 can communicate (I can ping IPs from either range)
VLAN 3 and 4 can communicate (I can ping IPs from either range)
VLAN 2 and 4 cannot communicate
Web servers have dual NICs configured, one with an IP from VLAN2 routed, and one from VLAN3 not routed (no gateway or DNS settings)
So webserver1 has 10.0.2.1 and 10.0.3.1, for example
Database servers have dual NICs configured, one with an IP from VLAN3 routed and one from VLAN4 not routed (no gateway or DNS settings)
So database1 has 10.0.3.2 and 10.0.4.2, for example
My question is: how does this offer more security and separation?
If someone gets into webserver1 they will see both VLAN ranges configured, then just scan the VLAN3 range, find the database servers, scan one and find the VLAN4 range, thus making it all visible in the end?
It doesn't appear that there are any firewall rules between the VLANs, thus all ports and traffic are open between them. I take it this is the fault with this setup?
The new network I wanted to design would consist of 2 VLANs.
Front facing and back end; however, I would block all traffic between VLANs except for the Windows domain services needed, and access to database ports (My/MSSQL), while using specific SOURCE and DEST IPs for all rules on the LAN side.
Am I going about this correctly, or what should I perhaps do differently?
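As an added example (not code from the original post or its author), the following Python script models the two policies the post contrasts: the current state, where nothing filters traffic between the VLANs, and the proposed design, where only named source/destination pairs may talk on the database ports and the Windows domain service ports, with everything else dropped. The host addresses reuse the post's examples for the web and database server; the domain controller address 10.0.3.10, the placement of the web server in a front-facing 10.0.2.0/24 and the database server in a back-end 10.0.3.0/24, and the list of "domain service" ports are assumptions made for illustration only.

```python
"""Added example: first-match firewall policy evaluator used to compare the
post's current flat setup (no inter-VLAN rules) with the proposed default-deny
design. Addresses other than the post's own, and the domain service port list,
are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR, e.g. "10.0.2.1/32" or "0.0.0.0/0"
    dst: str                    # CIDR
    proto: str = "any"          # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; a flow that matches nothing is dropped."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"  # default deny: the property the proposed design relies on


# Hosts: web and database addresses from the post, DC address assumed.
WEB = "10.0.2.1"     # front-facing VLAN (assumed 10.0.2.0/24 in the new design)
DB = "10.0.3.2"      # back-end VLAN (assumed 10.0.3.0/24 in the new design)
DC = "10.0.3.10"     # assumed domain controller, not in the post

# Assumed, illustrative set of Windows domain service ports a member needs to
# reach on a DC. A real domain also needs the RPC dynamic port range.
DOMAIN_SERVICES = [("udp", 53), ("tcp", 53), ("udp", 88), ("tcp", 88),
                   ("tcp", 135), ("udp", 389), ("tcp", 389), ("tcp", 445),
                   ("tcp", 464), ("tcp", 636)]
DB_PORTS = [("tcp", 3306), ("tcp", 1433)]   # MySQL and MSSQL, as in the post

# Current state as the post describes it: no filtering between VLANs at all.
CURRENT: List[Rule] = [Rule("allow", "0.0.0.0/0", "0.0.0.0/0")]

# Proposed: explicit source/destination pairs per port, everything else denied.
PROPOSED: List[Rule] = (
    [Rule("allow", f"{WEB}/32", f"{DB}/32", p, port) for p, port in DB_PORTS]
    + [Rule("allow", f"{host}/32", f"{DC}/32", p, port)
       for host in (WEB, DB) for p, port in DOMAIN_SERVICES]
)

# Constructed sample flows: the ones the design must allow, plus the kind of
# lateral traffic (SMB, RDP, back-end to front-end) it is meant to stop.
FLOWS = [
    ("web->db mysql", WEB, DB, "tcp", 3306),
    ("web->db mssql", WEB, DB, "tcp", 1433),
    ("web->db smb", WEB, DB, "tcp", 445),
    ("web->db rdp", WEB, DB, "tcp", 3389),
    ("web->dc kerberos", WEB, DC, "tcp", 88),
    ("web->dc smb", WEB, DC, "tcp", 445),
    ("db->web http", DB, WEB, "tcp", 80),
    ("db->web rdp", DB, WEB, "tcp", 3389),
    ("other-web->db mysql", "10.0.2.5", DB, "tcp", 3306),  # unlisted source
]


def audit(rules: List[Rule]) -> Dict[str, str]:
    """Decision for every sample flow under the given policy."""
    return {label: evaluate(rules, s, d, p, port) for label, s, d, p, port in FLOWS}


if __name__ == "__main__":
    cur, new = audit(CURRENT), audit(PROPOSED)
    print(f"{'flow':<24}{'current':<10}{'proposed'}")
    for label in cur:
        print(f"{label:<24}{cur[label]:<10}{new[label]}")
```

Run it and the table shows every sample flow allowed under the current rule set, while the proposed set permits only the database ports from the one listed web server and the domain service ports to the DC; SMB or RDP between web and database hosts, anything from the back end toward the front end, and a second, unlisted web address all fall through to the default deny. The port list is the part to adjust for a real domain: which services a member actually needs, and the RPC dynamic range, depend on the domain's configuration.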