Research areas previously had private VLAN addresses behind a SOHO router. The default (initiated with Baker Lab's network upgrade) is that each system will instead have a public IP, within a VLAN shared by all Chemistry research units.

Pros and Cons of changing Chemistry's Research network topology

Each consideration below compares the old topology (private VLAN behind a SOHO router) with the new one (public IP on the shared Chemistry research VLAN). "Pro" and "Con" refer to the change, from a research group's perspective.

Detection of compromise, and resolution: Pro
  Old (SOHO router): CIT could only "see" down to the private VLAN level. Sometimes an entire lab's VLAN was turned off until the problem was resolved.
  New (public IP): The problem is identified down to the specific compromised device.

Scope of exposure, if there is a compromised machine: Con
  Old (SOHO router): Scope limited to a single research group's machines.
  New (public IP): Scope potentially expanded to all Chemistry research groups' systems.

Complexity: Pro
  Old (SOHO router): Additional components (routers, connections) could fail. (Historically this has not been a liability.) The components are not part of CIT's infrastructure, so the service is fully provisioned by CRCF, and not all CRCF staff understand how to manage it.
  New (public IP): Network architecture fully provisioned by CIT, identical to peer networks elsewhere on campus.

Configuration capabilities: Pro
  Old (SOHO router): Each exception requires modification of the network's security configuration (access control list, or ACL). In addition, the router can be configured to allow one system to be "seen" from outside the VLAN directly, such as for SSH or RDP access from outside the VLAN. It is technically possible to add more than one, but with the current SOHO routers this is really difficult to set up and hard to maintain, so it is simply not done.
  New (public IP): Each exception requires modification of the network's ACL.
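As an added illustration, not taken from the original page and not CIT's actual configuration: the "exception" in the Configuration capabilities row, under the new topology, is an entry in the ACL on the research VLAN's router interface that lets one public-IP host be reached for SSH and RDP while everything else inbound stays blocked. The syntax is Cisco IOS extended-ACL style (assumed; the page does not name the equipment), and all addresses are constructed from the RFC 5737 documentation ranges.

```text
! Assumed Cisco IOS-style extended ACL applied inbound toward the research VLAN.
! 203.0.113.0/24 stands in for the Chemistry research VLAN, 198.51.100.0/24 for
! a campus management range; both are constructed documentation addresses.
ip access-list extended RESEARCH-VLAN-IN
 ! Return traffic for sessions that lab hosts initiated (TCP ACK/RST set)
 permit tcp any 203.0.113.0 0.0.0.255 established
 ! The one exception: SSH and RDP to a single lab host, from the management range only
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.25 eq 22
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.25 eq 3389
 ! Everything else inbound to the research VLAN is dropped and logged
 deny ip any any log
```

Exposing a second host means adding another pair of permit lines before the final deny; under the old topology the same exception was a port-forward on the SOHO router, which is why only one was ever set up. One caveat worth keeping in mind alongside the Scope of exposure row: an ACL on the VLAN's router interface filters traffic entering the VLAN from outside, not traffic between hosts that are already on it, so it does not by itself narrow the wider exposure the shared VLAN introduces.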
Other thoughts

Invest in a high-end hardware firewall to serve all of Chemistry's networks. Partner with CU's IT Security to provision this service, which aligns with their strategy. Funding and university prioritization are the current roadblocks, so consider piloting this?