Computer networks
vreitech, 2013-08-10 12:24:59

VLAN vs FSTEC

I would like to hear from Habr users who have passed, or carried out, a compliance check of a computer network, regarding the considerations below.
If our organization did not require such a procedure from time to time, networking would eventually come down to:
1. At the central switching point within the organization, a managed switch with several 10G ports would be used to communicate with other managers and storage systems; with 1G ports for end nodes; with support for 802.1Q, 802.1x and other goodies like DHCP snooping.
2. Other switching points would use similar switches. 10G ports are for communication with the central switching point, everything else is for end nodes.
3. Next to the central switching point - a server with, well, xen and deployed Windows Server with AD and Linux servers for routing between VLAN segments, selective routing to the Internet and other application services a la DHCP, DNS, TFTP. Connection via 1G or 10G (not critical here).
4. Near the central switching point - storage. 10G connectivity, support iSCSI, SMB, optional NFS.
However, it turns out the network has to comply.
We need passports for workstations, monitoring tools, media accounting logs and other logs, and a threat model. With all of this, except perhaps the last point, there are no particular problems. There are, however, problems with the requirement to segment the enterprise LAN.
The router, if one is used, requires an FSTEC document. No problem there: UserGate, for example, has the necessary certificate. What follows is more difficult. At the data link layer, traffic between the switching points travels over tagged links. De facto, the same physical transmission medium is used simultaneously for the needs of the LAN that does not require protection and for the LAN with the protected equipment. This raises the following questions:
- Should the switches at the switching points be certified by the FSTEC as firewalls? As far as I understand, yes.
- Are there certified switches with the characteristics we need: 24 1G ports, 4 10G ports, 802.1Q, 802.1x?
- Has anyone managed to build an organization's LAN using VLANs at the switching nodes and pass the compliance check?
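The situation described in the question, where one tagged link carries both the protected and the unprotected segment, is easy to overlook once there are several switching points and long allowed-VLAN lists. The following script is an added example (not part of the question or any product mentioned in it): it reads a small, made-up vendor-neutral description of the trunk links and reports every trunk whose allowed-VLAN list mixes protected and unprotected VLAN ids. The `trunk <a> <b> vlans <list>` line format, the switch names and the VLAN numbers are all assumptions constructed for the example; a real audit would feed it the allowed-VLAN lists taken from the switches' own show output.

```python
"""Find 802.1Q trunks that carry protected and unprotected VLANs together.

Added example with a constructed input format; not code from the page.
A trunk whose allowed list contains VLANs from both classes means one
physical medium is shared between the protected LAN and the ordinary LAN,
which is the case the question asks about. The report is meant as input
to a threat model or to a decision to separate such links physically.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: VLANs 10 and 11 carry the protected segment.
PROTECTED_VLANS = frozenset({10, 11})

SAMPLE_TOPOLOGY = """
# constructed sample topology (hypothetical switch names)
trunk core dist-1  vlans 10,11,20,30   # one fibre carries both classes
trunk core dist-2  vlans 20,30         # office VLANs only
trunk core dist-3  vlans 10-11         # protected VLANs only
trunk core storage vlans all           # 'all' silently includes everything
"""


@dataclass(frozen=True)
class Trunk:
    a: str
    b: str
    allowed: frozenset[int]  # VLAN ids permitted on the link


def parse_vlan_list(spec: str) -> frozenset[int]:
    """Expand '10,20-22,30' into {10, 20, 21, 22, 30}; 'all' means 1..4094."""
    if spec.strip().lower() == "all":
        return frozenset(range(1, 4095))
    ids: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN id out of range: {part!r}")
        ids.update(range(lo, hi + 1))
    return frozenset(ids)


def parse_topology(text: str) -> list[Trunk]:
    """Parse 'trunk <sw-a> <sw-b> vlans <list>' lines; '#' starts a comment."""
    trunks: list[Trunk] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"trunk\s+(\S+)\s+(\S+)\s+vlans\s+(\S+)", line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised: {raw!r}")
        trunks.append(Trunk(m.group(1), m.group(2), parse_vlan_list(m.group(3))))
    return trunks


def find_mixed_trunks(trunks: list[Trunk], protected: frozenset[int]):
    """Return (a, b, protected_ids, unprotected_ids) for every mixed trunk."""
    findings = []
    for t in trunks:
        prot = t.allowed & protected
        unprot = t.allowed - protected
        if prot and unprot:  # both classes share this physical link
            findings.append((t.a, t.b, sorted(prot), sorted(unprot)))
    return findings


def audit(text: str, protected: frozenset[int] = PROTECTED_VLANS):
    """Parse a topology description and report mixed trunks."""
    return find_mixed_trunks(parse_topology(text), protected)


if __name__ == "__main__":
    for a, b, prot, unprot in audit(SAMPLE_TOPOLOGY):
        print(f"{a} <-> {b}: protected {prot} shares the link with "
              f"{len(unprot)} unprotected VLAN(s)")
```

On the sample topology the script flags `core <-> dist-1` (VLANs 10 and 11 alongside 20 and 30) and `core <-> storage`, where `vlans all` admits the protected VLANs next to every other id; the two single-class trunks are left alone. Treating `all` as the full 1..4094 range rather than a wildcard is deliberate, since an unrestricted trunk is the most common way the protected segment ends up on a shared link without anyone having configured it explicitly.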


2 answers
merlin-vrn, 2013-08-10
@merlin-vrn

When building a network here in one institution, physically separate equipment is used for the protected and external segments, although this equipment is quite capable of moving weeds; everything is separated by crypto-gateways. Officially, the tender was won by CROC, but they partially passed it on to a subcontractor. I guess it's the "general line of the party" that networks should be built like this.

gloft, 2013-12-03
@gloft

The question is somewhat confusing. First, you need to understand what it means for software or hardware to have an FSTEC certificate. Certificates are issued to software or hardware based on whether or not it meets certain requirements. And in our country there are no requirements for VLANs as a means of protection. There are requirements for firewalls (МЭ), and recently ones for antiviruses have appeared, but none for VLANs. Therefore, we must protect the automated system (АС) with the means that are recognised in our country as means of protection and for which there are requirements on the basis of which certificates of conformity can be obtained. VLANs can be used as an additional protection method, but not the main one. The main, and so far the only, means of protection for traffic separation and restriction is the firewall.
