On Fri, 5 Sep 2008, Stephen John Smoogen wrote:
> there is also a combination of #1 and #2. Basically you have to create
> 3-4 separate network topologies (this is where you have different
> configs), and maybe have your bastion/proxy systems different.
> Name                      Network
> Network A: Development    -- 10.10.0.0/21
>            Servers        -- 10.10.0.0/22
>            NFS            -- 10.10.4.0/22
> Network B: QA             -- 10.10.8.0/21
>            Servers        -- 10.10.8.0/22
>            NFS            -- 10.10.12.0/22
> Network C: Staging        -- 10.10.16.0/21
>            Servers        -- 10.10.16.0/22
>            NFS            -- 10.10.20.0/22
> Network D: Production     -- 10.10.24.0/21
>            Servers        -- 10.10.24.0/22
>            NFS            -- 10.10.28.0/22
> Network E: Management     -- 10.10.32.0/20
>            Puppet         -- 10.10.32.0/21
>            Drac/Serial    -- 10.10.48.0/21
> Network F: Bastion Network
> [Ok I would love to have done this when I was at RH... but didn't
> really see it in action until later.]
> Basically a box would have 3-4 network connections. The puppet and
> drac/serial networks are on all systems so have to be extra protected
> as that is where an attacker could walk from system to system. The
> bastion network is basically the front end that would do rewrites and
> other layers so that configs are the same.
> And yes, this might be overkill and probably has holes in it... I am
> doing it from memory on how a site seemed to be set up and had
> basically little downtime for critical HR services.
We are actually looking to get more network separation in place but right
now that's slow and is going to involve the buildsystem first. But at some
point in the not too distant future I would like to separate stg and
production environments.
-Mike
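As an added example (not code from either poster), the checks below take the addressing plan quoted above and verify that each segment sits inside its environment's parent range and that no ranges overlap; a second function, over a constructed NIC table (HOSTS is hypothetical), lists the segments that join hosts from more than one environment, which are the ones the message says need extra protection.

```python
# Added example (not from the thread): sanity checks over the addressing plan
# quoted above. PLAN transcribes its ranges; HOSTS is a constructed NIC table.
from itertools import combinations
from ipaddress import ip_network

# Environment -> (parent CIDR, {segment: CIDR}), as listed in the message.
PLAN = {
    "Development": ("10.10.0.0/21", {"Servers": "10.10.0.0/22", "NFS": "10.10.4.0/22"}),
    "QA": ("10.10.8.0/21", {"Servers": "10.10.8.0/22", "NFS": "10.10.12.0/22"}),
    "Staging": ("10.10.16.0/21", {"Servers": "10.10.16.0/22", "NFS": "10.10.20.0/22"}),
    "Production": ("10.10.24.0/21", {"Servers": "10.10.24.0/22", "NFS": "10.10.28.0/22"}),
    "Management": ("10.10.32.0/20", {"Puppet": "10.10.32.0/21", "Drac/Serial": "10.10.48.0/21"}),
}

# Constructed host -> NIC segments ("Env/Segment"); every box also sits on management.
HOSTS = {
    "dev-app1": ["Development/Servers", "Management/Puppet", "Management/Drac/Serial"],
    "prod-app1": ["Production/Servers", "Management/Puppet", "Management/Drac/Serial"],
    "prod-nfs1": ["Production/NFS", "Management/Drac/Serial"],
}


def check_plan(plan):
    """Return a list of problems: a segment outside its parent or two ranges overlapping."""
    problems = []
    parents = {env: ip_network(cidr) for env, (cidr, _) in plan.items()}
    for env, (_, segments) in plan.items():
        nets = {seg: ip_network(cidr) for seg, cidr in segments.items()}
        for seg, net in nets.items():
            if not net.subnet_of(parents[env]):
                problems.append(f"{env}/{seg} {net} is outside parent {parents[env]}")
        for (a, an), (b, bn) in combinations(nets.items(), 2):
            if an.overlaps(bn):
                problems.append(f"{env}: {a} {an} overlaps {b} {bn}")
    for (a, an), (b, bn) in combinations(parents.items(), 2):
        if an.overlaps(bn):
            problems.append(f"{a} {an} overlaps {b} {bn}")
    return problems


def cross_environment_segments(hosts):
    """Segments whose hosts belong to more than one environment: these are the
    system-to-system paths the message warns about, so they get the strictest
    filtering and monitoring. Returns {segment: set of environments}."""
    reach = {}
    for nics in hosts.values():
        envs = {n.split("/", 1)[0] for n in nics if not n.startswith("Management/")}
        for n in nics:
            reach.setdefault(n, set()).update(envs)
    return {seg: envs for seg, envs in reach.items() if len(envs) > 1}
```

Running `check_plan(PLAN)` reports any segment whose range does not fall inside its parent, and `cross_environment_segments(HOSTS)` returns the two management segments as the paths shared between Development and Production.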