Multihomed network upgrade

Guest

Hello there,

We currently run a VLAN'ed network that uses one 2003 server (multihomed).
We are about to split the networks completely and buy a new 2003 server and
create a brand new domain, but the problem we have is this:-

We are a school, and we need to get all the teachers and admin staff to use
one network (admin) and all the pupils to use the other (curriculum). This
will mean that each lecture hall/Teaching room will have one computer in it
which will need to be part of the admin network (for student registration
etc), but ideally the pupils will want to use the PC to access the curriculum
network and their own user drives.

I would prefer not to use 2 NICs in each computer and a colleague has
suggested that another server could be used as a bridge between the 2
networks, but would this be just as bad from a security point of view as
a multihomed server?

I would really appreciate any guidance you could give me or any pointers to
good online resources.

Many thanks,

Phillip Windell

I think the idea of using two Domains and two "Networks" is a waste of time
in the first place. The proper way to control security is by applying the
proper security plan to the students' "accounts" or their machines to limit
what they can do or not do.

The days of "Flat Domains" with NT4.0 are long over. Active Directory
Domains (beginning with Server 2000) are designed to do everything with one
domain. The NTFS Permissions and Group Policy are two of the primary tools
used.

Having multiple subnets is not much of a benefit, if any at all. There is no
relationship between them and Domains at all to begin with. You could have 50
domains on one subnet or likewise you could have one domain of 50
subnets... there just is no relationship there.

You could use ACLs on a LAN Router between the subnets, but that is probably
not going to give you the kind of "detailed" control you are looking for.
But you could limit, for example, any SQL traffic (port 443) between certain
subnets. Also, just because the teacher's machine is in the same room with
the students does not dictate that it must be in the same subnet.

I cannot think of any good reason to have multi-homed machines anywhere
except on the network "edge". Machines don't need two NICs to work on two
subnets... that is what routers are for.
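As an added illustration of the router-ACL approach described above (this is example configuration written for this page, not anything posted in the thread), here is a Cisco IOS style extended ACL on the LAN router/layer-3 switch that sits between the two VLANs. The addressing (VLAN 10 = admin, 10.1.0.0/24; VLAN 20 = curriculum, 10.2.0.0/24), the SQL Server host 10.1.0.20 and the interface names are all constructed assumptions; the port is SQL Server's default listener, TCP 1433.

```cisco
! Constructed example addressing (not from the thread):
!   VLAN 10 = admin (staff)      10.1.0.0/24, router SVI 10.1.0.1
!   VLAN 20 = curriculum (pupil) 10.2.0.0/24, router SVI 10.2.0.1
!   Assumed admin SQL Server: 10.1.0.20 (SQL Server default TCP 1433)
!
ip access-list extended CURRICULUM-IN
 remark Pupil subnet may not reach the admin SQL Server; log hits so attempts are visible
 deny   tcp 10.2.0.0 0.0.0.255 host 10.1.0.20 eq 1433 log
 remark Everything else from the pupil subnet is still routed (AD logon, DNS, file shares)
 permit ip any any
!
interface Vlan20
 description Curriculum (pupil) subnet
 ip address 10.2.0.1 255.255.255.0
 ip access-group CURRICULUM-IN in
!
interface Vlan10
 description Admin (staff) subnet
 ip address 10.1.0.1 255.255.255.0
!
! The registration PC in a teaching room needs no second NIC: its switch
! port is simply assigned to VLAN 10, while the pupil desks sit in VLAN 20.
```

Note what this does and does not give you. The ACL filters by subnet and port only, so it is the coarse, "which networks may talk to which services" control; it cannot tell a teacher's account from a pupil's account on the same PC. Per-user restriction stays with NTFS permissions and Group Policy inside the single domain, which is the point of the reply above. The `log` keyword on the deny line is the cheap way to see whether anything on the pupil subnet is probing the admin server.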

Richard G. Harper

Let me strongly second Phillip's suggestion here. One domain, correctly
configured, will be much more secure and much easier to maintain than your
"two domains, two worlds, many headaches" plan. :)

I also see no benefit in putting computers in different subnets. Again, if
you do AD and do it right, there's no need to segregate the two networks -
and no need for two networks at all.