how much safe if a network is separated?
on 13.03.2006 08:56:51 by hellur
For example, there are cases that an internal network is separated
according to departments, such as finance, engineering, human
resources, etc. even though they share same physical infra.
As far as I know, it could be implemented using subnet, or vlan.
Let's say that an outsider has accessed my internal network
192.168.100.xxx, and I have another network which is 192.168.200.xxx,
and those two networks are separated.
(and both are behind company firewall)
My question here is :
1. If the outsider has a permission to get into 192.168.100.xxx, but he
should be isolated from 192.168.200.xxx. How safe is my network?
2. What methods are available to separate the two networks, and what
are their merits and demerits?
3. How can the outsider break into 192.168.200.xxx network when
above(from number 2) methods are implemented?
4. How can I strengthen my network to block the outsider intruding into
192.168.200.xxx when he has accessed 192.168.100.xxx?
I'm sorry that my questions may not seem clever, but I'm not a network
kind of guy.
And your help would be highly appreciated.
Re: how much safe if a network is separated?
on 13.03.2006 09:39:42 by Volker Birk
hellur wrote:
> 1. If the outsider has a permission to get into 192.168.100.xxx, but he
> should be isolated from 192.168.200.xxx. How safe is my network?
It depends how you're asserting this isolation.
> 2. What methods are available to separate the two networks, and what
> are their merits and demerits?
Usually, one plans with security zones, and in such a concept a firewall
is a connection point between two networks, where you're defining which
traffic may pass through. And then you're implementing this using filtering.
> 3. How can the outsider break into 192.168.200.xxx network when
> above(from number 2) methods are implemented?
This depends on your firewalling implementation.
> 4. How can I strengthen my network to block the outsider intruding into
> 192.168.200.xxx when he has accessed 192.168.100.xxx?
This depends on your firewalling implementation.
Yours,
VB.
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with
equivalent opinion content, then you are right with your parable.
(Michail Bachmann to Thomas Wallutis in d.a.s.r)
Re: how much safe if a network is separated?
on 19.03.2006 00:45:03 by Lucius
Hi,
The best would be to physically separate the subnets, and connect them
through a firewall router, what can pass depends on how you configure it.
When you have two subnets, but on the same physical network, it depends on
how the incoming connection is filtered, but it's not much of a security.
VLANs act like physically separated networks, but share the same physical
network infrastructure in fact. If your network equipment supports VLANs,
this would be recommended for the costs and flexibility reasons. Once you
separate networks in multiple VLANs, use routing and firewalling to connect
them.
To answer your questions:
1. This depends on what your incoming VPN or firewall permits. However, even
if a user is filtered out of a certain subnet he can still gain access if
there is an unsecured point in your other network subnet. For instance, he
could connect to a computer that is not well protected and have a go from
there.
2. A short answer is above...
3. That depends on what method you use and how you configure it. When
planning security, remember to evaluate every single point to which someone
can connect when they get access inside your network through your incoming
connection.
4. Physical subnet separation / VLANs and careful firewall configuration.
Regards,
Lucius
"hellur" wrote in message
news:1142236611.917496.274800@e56g2000cwe.googlegroups.com...
> For example, there are cases that an internal network is separated
> according to departments, such as finance, engineering, human
> resources, etc. even though they share same physical infra.
> As far as I know, it could be implemented using subnet, or vlan.
>
> Let's say that an outsider has accessed my internal network
> 192.168.100.xxx, and I have another network which is 192.168.200.xxx,
> and those two networks are separated.
> (and both are behind company firewall)
>
> My question here is :
> 1. If the outsider has a permission to get into 192.168.100.xxx, but he
> should be isolated from 192.168.200.xxx. How safe is my network?
> 2. What methods are available to separate the two networks, and what
> are their merits and demerits?
> 3. How can the outsider break into 192.168.200.xxx network when
> above(from number 2) methods are implemented?
> 4. How can I strengthen my network to block the outsider intruding into
> 192.168.200.xxx when he has accessed 192.168.100.xxx?
>
>
> I'm sorry that my questions may not seem clever, but I'm not a network
> kind of guy.
> And your help would be highly appreciated.
>
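Point 1 of the reply above (a user filtered out of a subnet can still get in through a weakly protected host that he is allowed to reach) can be checked against a filter policy before deployment. The following audit is an added example, not part of the original thread: the zone names, the single allow rule and the host inventory are constructed, and it assumes hosts inside one subnet/VLAN reach each other without crossing the filter.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed zones, using the two networks named in the thread.
ZONES = {"entry": ip_network("192.168.100.0/24"),
         "protected": ip_network("192.168.200.0/24")}
# Constructed inter-zone allow list (source network, destination network).
# The filter between the zones drops everything that is not listed.
ALLOW = [(ip_network("192.168.100.0/24"), ip_network("192.168.200.10/32"))]
# Constructed inventory of live hosts.
HOSTS = [ip_address(h) for h in
         ("192.168.100.23", "192.168.200.10", "192.168.200.50")]

def zone_of(host):
    return next((name for name, net in ZONES.items() if host in net), None)

def can_connect(src, dst, allow):
    """One hop: same zone (traffic never crosses the filter) or allowed."""
    if zone_of(src) == zone_of(dst):
        return True
    return any(src in s and dst in d for s, d in allow)

def shortest_paths(entry, allow):
    """Breadth-first search over hosts; returns {host: [hop, hop, ...]}."""
    paths, queue = {entry: [entry]}, deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in paths and can_connect(cur, nxt, allow):
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def audit(entry, allow=ALLOW, protected="protected"):
    """Label each protected host 'direct', 'pivot' or 'blocked'."""
    paths = shortest_paths(ip_address(entry), allow)
    verdicts = {}
    for host in HOSTS:
        if zone_of(host) != protected:
            continue
        path = paths.get(host)
        if path is None:
            verdicts[str(host)] = "blocked"
        else:
            # Two entries mean entry -> host; more means an intermediate hop.
            verdicts[str(host)] = "direct" if len(path) == 2 else "pivot"
    return verdicts

if __name__ == "__main__":
    for host, verdict in audit("192.168.100.23").items():
        print(host, verdict)
```

A "pivot" verdict marks a host the filter never exposes to the entry subnet but which becomes reachable through an exposed neighbour, so that neighbour needs its own hardening or a tighter zone.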
Re: how much safe if a network is separated?
on 19.03.2006 11:30:47 by Volker Birk
Lucius wrote:
> VLANs act like physically separated networks
This is not true for every VLAN implementation I know. Usually, VLANs
act nearly like physically separated networks, and there are some
security drawbacks from the difference.
Yours,
VB.
--
At first there was the word. And the word was Content-type: text/plain
Re: how much safe if a network is separated?
on 24.03.2006 01:56:00 by Lucius
Agreed.
Respects,
Lucius
"Volker Birk" wrote in message
news:441d32d7@news.uni-ulm.de...
> Lucius wrote:
>> VLANs act like physically separated networks
>
> This is not true for every VLAN implementation I know. Usually, VLANs
> act nearly like physically separated networks, and there are some
> security drawbacks from the difference.
>
> Yours,
> VB.
> --
> At first there was the word. And the word was Content-type: text/plain
Re: how much safe if a network is separated?
on 24.03.2006 03:10:51 by Sebastian Gottschalk
Volker Birk wrote:
> Lucius wrote:
>> VLANs act like physically separated networks
>
> This is not true for every VLAN implementation I know. Usually, VLANs
> act nearly like physically separated networks, and there are some
> security drawbacks from the difference.
The most common difference being information leakage due to lack of
encryption and separation only on Layer 3 (but not Layer 2 - can you say
Ethernet Broadcast?). Reminding me of some infamous Cisco boxes.