Segmenting the LAN for Security purposes

Incident response
Intrusion management
Network security
The worm Mspn32 came in on one machine behind the firewall and spread over e-mail or network to other departments. Could I isolate a worm once it's inside by dividing up my LAN into departments or sections with either departmental firewalls or managed switches and VLANS? Anyone doing this, experience with either, recommended hardware or warnings against doing it this way?

Answer Wiki


This would NOT be a good idea. First of all, it puts you into a purely reactive (as opposed to proactive) position, you’ll forever be playing catch up.

Second, I doubt very much that it would work without also crippling your production network. After all, a worm just uses the existing network connections just as do your servers and workstations.

As to what you SHOULD be doing (whether or not your management is allowing the budget for this). 🙂

– Make sure that all systems – especially those that travel have current anti-virus with automated updating. All respectable vendors have this capability. BUT the travelling ones need stand-alone anti-virus, not the corporate version, because there’s no guarantee that they’ll be on-line when the central server needs to do a push of new definitions or other updates.

– Install an IDS (A free one like snort) with the bleeding-snort rules to look for anomalous traffic.

– Spend some time (again – management support is essential) educating your users.

If your management doesn’t want to support these efforts and expenditures, then point out to them that they’re handcuffing you into a relatively helpless position.

Good luck – you’ll need it,

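The IDS advice above comes down to spotting traffic that does not look like normal workstation behaviour. As an added example, not code from the original answer or from Snort, here is the fan-out heuristic a worm trips in Python: one source reaching many distinct internal hosts on the same port within a short window. The flow records, addresses, time window and threshold are constructed assumptions for illustration.

```python
"""Spot worm-like fan-out in connection records.

Added example, not code from the original thread. A network worm makes
many connection attempts from one source to many distinct internal hosts
on the same port in a short time; a normal workstation rarely does. The
heuristic below is run over constructed flow records. Addresses,
timestamps, the LAN range and the threshold are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed LAN range

# Constructed records: "<ISO timestamp> <src> <dst> <dport>".
#   10.1.0.17  sweeps seven internal hosts on 445 in six seconds (worm-like)
#   10.2.0.40  hits the same file server repeatedly (normal)
#   10.2.0.5   contacts seven hosts on 445, but ten minutes apart (normal)
#   10.2.0.41  browses seven external web sites on 80 (normal)
SAMPLE_FLOWS = """\
2004-03-01T09:00:00 10.1.0.17 10.1.0.2 445
2004-03-01T09:00:01 10.1.0.17 10.1.0.3 445
2004-03-01T09:00:02 10.1.0.17 10.1.0.4 445
2004-03-01T09:00:03 10.1.0.17 10.2.0.2 445
2004-03-01T09:00:04 10.1.0.17 10.2.0.3 445
2004-03-01T09:00:05 10.1.0.17 10.2.0.4 445
2004-03-01T09:00:06 10.1.0.17 10.3.0.2 445
2004-03-01T09:01:00 10.2.0.40 10.2.0.5 445
2004-03-01T09:01:30 10.2.0.40 10.2.0.5 445
2004-03-01T09:02:00 10.2.0.40 10.2.0.5 445
2004-03-01T09:05:00 10.2.0.5 10.2.0.10 445
2004-03-01T09:15:00 10.2.0.5 10.2.0.11 445
2004-03-01T09:25:00 10.2.0.5 10.2.0.12 445
2004-03-01T09:35:00 10.2.0.5 10.2.0.13 445
2004-03-01T09:45:00 10.2.0.5 10.2.0.14 445
2004-03-01T09:55:00 10.2.0.5 10.2.0.15 445
2004-03-01T10:05:00 10.2.0.5 10.2.0.16 445
2004-03-01T09:03:00 10.2.0.41 198.51.100.10 80
2004-03-01T09:03:01 10.2.0.41 198.51.100.11 80
2004-03-01T09:03:02 10.2.0.41 198.51.100.12 80
2004-03-01T09:03:03 10.2.0.41 198.51.100.13 80
2004-03-01T09:03:04 10.2.0.41 198.51.100.14 80
2004-03-01T09:03:05 10.2.0.41 198.51.100.15 80
2004-03-01T09:03:06 10.2.0.41 198.51.100.16 80
"""


def parse_flows(text):
    """Parse records into (timestamp, src, dst, dport) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_fanout(flows, threshold=6, window=timedelta(seconds=30)):
    """Return {src: (dport, peak_distinct_dsts)} for sources that reached
    `threshold` distinct internal destinations on one port inside `window`.

    Only internal destinations count, so a user browsing many external
    web sites is not mistaken for a worm sweeping the LAN.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        if ip_address(dst) in INTERNAL:
            by_key[(src, dport)].append((ts, dst))

    alerts = {}
    for (src, dport), events in by_key.items():
        events.sort()
        active = defaultdict(int)  # dst -> hits inside the current window
        start, peak = 0, 0
        for ts, dst in events:
            active[dst] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            peak = max(peak, len(active))
        if peak >= threshold:
            alerts[src] = (dport, peak)
    return alerts


if __name__ == "__main__":
    for src, (dport, n) in find_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: {n} distinct internal hosts on port {dport} within 30s")
```

Only the sweeping host is flagged; the slow scanner shows why the time window matters and the web browser shows why only internal destinations are counted. Any such rule still needs someone to look at what it produces and tune the threshold to the site, which is the staffing point made in the reply below.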

Discuss This Question: 1  Reply

  • Analog
    A few things here. I'm not a hobbyist. I'm a real-world kinda guy responsible for dozens of firewalls, intrusion boxes, and related devices. The size of your company and resources have everything to do with how you approach this. First, it is important to realize that you can't rely on any one piece of equipment, practice or tool set to eliminate all potential problem areas. Yes, you could divide up your LAN into departmental firewalls and/or VLANs, and yep, that might, in some cases, keep worms from spreading. I think your time would be better spent doing other things though.

    While antivirus and spyware removal/detection tools are important, they don't stop everything even if they're updated regularly. And, in some cases it is not feasible to run either of those tools in real-time protection mode. I have seen numerous production environments (servers and workstations) suffer due to real-time protection features of AV software. But by all means, use those software tools every chance you get. They do help a lot. The key is to create multiple ways of detecting, identifying and removing malicious software.

    A Snort box is a great idea. We have 4 Snort network sensors in production right now and believe me, you don't just drop a Snort box in and leave it be. You've got to know how to actually use it. Unless you are properly staffed, chances are you're not going to get much use out of it. Too many people install Snort boxes and then have no idea what they are doing with it afterwards. It sits, collecting lots of information that nobody cares (or knows how) to manage. In other words, be sure you are giving your IDS enough attention after you get it installed. I highly recommend the use of IDS (and IPS too) if you are serious about protecting your network.

    Employees MUST know basic information about how to prevent worms and other malicious software from getting on their machine. Some level of training is usually necessary. It does not have to be complicated. Simple is usually better, and you will want a functional security policy that is clearly communicated to everyone as well. Cover the basics. For example, forbid the use of any peer-to-peer software on your network and you will have successfully eliminated a percentage of possible worm infection right there. Again, simple is good. I think you see the idea here. Read up on 'defense in depth' and other terms floating about the Internet. Again, your approach will totally depend on budgeting, number of employees, executive-level support, and so on.
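Both replies make the same point about the segmentation idea in the question: departmental VLANs behind an inter-VLAN firewall can stop a worm that spreads by scanning neighbours, but a worm that rides the same connections your users need (mail to the mail server, SMB to the file server) goes wherever that traffic is allowed. As an added example that is not part of the original thread, the following Python models such a policy as a first-match rule list and walks a worm's spread through it. The VLAN names, subnets, hosts, ports and rules are all assumptions made up for illustration.

```python
"""Evaluate a departmental VLAN policy against a worm's spread.

Added example, not from the original thread. Workstation VLANs may reach
the server VLAN on a few named ports and nothing else across VLAN
boundaries; traffic inside one VLAN is switched without any filtering.
VLAN names, subnets, hosts, ports and rules are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed departmental VLANs.
VLANS = {
    "finance": ip_network("10.1.0.0/24"),
    "engineering": ip_network("10.2.0.0/24"),
    "servers": ip_network("10.9.0.0/24"),
}

# Constructed host inventory; 10.1.0.17 plays the first infected machine.
HOSTS = ["10.1.0.17", "10.1.0.20", "10.2.0.40", "10.2.0.41", "10.9.0.10"]


@dataclass(frozen=True)
class Rule:
    src: str                # VLAN name or "any"
    dst: str                # VLAN name or "any"
    dport: Optional[int]    # None matches any port
    action: str             # "allow" or "deny"


# Assumed inter-VLAN firewall policy; first match wins, unmatched is denied.
POLICY = [
    Rule("any", "servers", 25, "allow"),   # mail to the mail server
    Rule("any", "servers", 445, "allow"),  # file shares on the server VLAN
    Rule("any", "any", None, "deny"),      # everything else between VLANs
]


def vlan_of(ip):
    """Name of the VLAN an address belongs to, or None if it is not on the LAN."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def decide(src, dst, dport):
    """Firewall verdict for one connection attempt: 'allow' or 'deny'."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None or d is None:
        return "deny"       # not a LAN address; treat as outside the policy
    if s == d:
        return "allow"      # same VLAN: the switch forwards it, no firewall hop
    for rule in POLICY:
        if rule.src in (s, "any") and rule.dst in (d, "any") \
                and rule.dport in (dport, None):
            return rule.action
    return "deny"


def flat_network(src, dst, dport):
    """The unsegmented LAN from the question: every host reaches every other."""
    return "allow"


def worm_reach(patient_zero, hosts, dport, policy=decide):
    """Hosts a worm spreading on `dport` can reach, transitively, from one
    infected machine: each newly infected host goes on to try every other."""
    infected = {patient_zero}
    frontier = [patient_zero]
    while frontier:
        src = frontier.pop()
        for dst in hosts:
            if dst not in infected and policy(src, dst, dport) == "allow":
                infected.add(dst)
                frontier.append(dst)
    return infected


if __name__ == "__main__":
    print("flat LAN, port 445:     ", sorted(worm_reach("10.1.0.17", HOSTS, 445, flat_network)))
    print("segmented LAN, port 445:", sorted(worm_reach("10.1.0.17", HOSTS, 445)))
    print("finance -> mail server on 25:", decide("10.1.0.17", "10.9.0.10", 25))
```

With the policy in place a worm scanning port 445 from finance still takes the rest of finance (same VLAN, no firewall) and the file server (an allowed port), but engineering stays clean because nothing lets SMB in from another VLAN. The last line shows the limit both posters point at: the mail server accepts port 25 from every department, so a worm that spreads by e-mail is not slowed at all by the segmentation.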
