[Tfug] Network partitioning
Bexley Hall
bexley401 at yahoo.com
Tue Nov 5 16:00:54 MST 2013
Hi Zack,
On 11/4/2013 9:55 PM, Zack Williams wrote:
> On Mon, Nov 4, 2013 at 1:28 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
>> (too early in the morning to be thinking about this stuff)
>
> *cough* is the DST switch getting to you? :D
<grin> No, I just have a wacky sleep-wake cycle that only rarely
syncs up with "reality" :-/ Makes for some interesting discussions!
>> How do you get "internal" and "public" to talk to "shared"
>> without allowing them to talk to each other? Ditto talking
>> to "exposed"? And, prevent "exposed" from accessing "shared"?
>
> The traditional way to do what you describe would be to dump "shared"
> in a DMZ, forward only desired traffic to it from internal/public, and
> allow only internet-directed traffic to external.
But, that's not going to happen with just patch panels and colored
wires! :>
> It sounds like you don't want this. Are you dealing with protocols
> that do service discovery based on broadcast traffic? If so, you
> could put them all in the same subnet, then auto-learn the MAC
> addresses of everyone on each physical segment via either DHCP
> reservations or ARP discovery, you could classify traffic on a per
> segment basis. OpenBSD's pf could probably do this with some
> scripting.
I'm aiming for simple so they can deal with it without understanding
all the necessary details.
And, so an IT guy could walk up to it -- possibly *frowning* -- but
at least understanding the intent (without having to hunt for missing
documents, etc.).
[I am always amazed at how often *critical* paperwork gets misplaced
or lost! I had a client approach me who had lost the *source code*
for his product. WTF??? Not only are you up sh*t creek without a
paddle but you're also missing the *boat*!]
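The partitioning asked about above (internal and public may each reach shared, neither may reach the other, exposed may not reach shared, and everything non-shared may reach the Internet), written out as an OpenBSD pf.conf in the "one physical segment per interface" style Zack suggests. This is an added example, not from either poster; the interface names, address ranges and the decision to allow all protocols to shared are assumptions.

```pf
# Assumed: one NIC per segment, RFC1918 addressing, em4 faces the Internet.
int_if = "em0"
pub_if = "em1"
shr_if = "em2"
exp_if = "em3"
ext_if = "em4"

internal = "10.0.1.0/24"
public   = "10.0.2.0/24"
shared   = "10.0.3.0/24"
exposed  = "10.0.4.0/24"

# Every private range; "not in this table" is our definition of Internet-bound.
table <rfc1918> const { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

set skip on lo
# Drop packets whose source address does not belong on the segment they arrive on.
antispoof quick for { $int_if $pub_if $shr_if $exp_if }

# Default deny, logged. Every permitted flow below is an explicit "pass in"
# on the segment where it originates; pf's default floating state lets the
# reply and forwarded packets through on the other interfaces.
block log all

# internal -> shared and public -> shared. No rule passes internal <-> public,
# so those two segments stay mutually invisible.
pass in on $int_if inet from $internal to $shared
pass in on $pub_if inet from $public   to $shared

# internal, public and exposed -> Internet only. exposed has no rule naming
# $shared, $internal or $public, so it cannot reach any of them.
pass in on $int_if inet from $internal to ! <rfc1918>
pass in on $pub_if inet from $public   to ! <rfc1918>
pass in on $exp_if inet from $exposed  to ! <rfc1918>

# Nothing is passed in on $shr_if: shared never initiates, it only answers.
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading it; `block log all` plus `tcpdump -n -e -ttt -i pflog0` shows exactly which cross-segment attempt was denied when someone reports that a host "can't see" another.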