Techblogg

The importance of segmented subnets [Rant]



At hosting companies of small to medium size, smaller customers often get placed into shared
subnets. This has its problems and its advatages, and I thought I´d ellaborate on that for a bit.

The not-so best practise
Several variables needs to be addressed when keeping multiple customers in one subnet.
The main disadvantage is the administration required when allowing a customer with several servers
to communicate with each other. Most major brand firewalls lets you define access rules using a servers
FQDN, while some only allow communication based on IP.

Obviously, this means that allowing communication between two servers, on the same subnet, while still
keeping all other customers on the same subnet out, comes with considerable administration. When the customer
base starts growing and some customers starts to expand, this turns into an administrative nightmare.

The other option, means sticking with an open subnet, where everything can communicate with everything, and
the access rules are controlled via Windows firewall (or iptables) on the hosts. This is about as far away from best
practise as you can get, and I advice you to never touch this, not even with a ten foot pole.

Other problems with keeping clients within the same subnet is the risk of virus infection.
You should always use an antivirus, and preferably one with a good reputation. Yet, it might not be enough.
And when one client gets infected, your entire customer base will get infected.

Yet another problem is growth.
If you place a lot of customers, where some will stay with one server for years while some will have as much as monthly expansion,
you will at some point run out of IP adresses. The odds of a customer growing beyond 253 hosts in a dedicated subnet, is
small to none.

A clever way of handling this, is using DHCP for the entire server base in the subnet, but reserving IP adresses for each client host.
This means that while your customers gets to keep the same IP as if they were static, you can scale the subnet as you wish, while the DHCP
updates the network configuration on your hosts for you.

Last, but absolutely not least, if one of your customers hosts gets compromised (hacked, in lay mans terms), the subnet can be scanned for weaknesses from the inside.
And they will likely be many...

Still, segmented customer networks are preferable in any situation

The advantages of this are so numerous I don´t know where to start.
You can define access rules specific to each customer, where you allow their entire subnet, leaving you free of administration in the case of expansion.
In the event of compromise or virus-infection, the spread will stop within the subnet and can be easily contained.

Growth, as mentioned earlier, won´t be a problem.
The odds of your company having more customers than subnets available from the private range of subnets, are about as likely as you getting hit by a metorite.
Sure, one customer might become so large, that one /24 net wont be enough, so assign them another one. It wont matter, you can spare it.

Remember!
"Back-End" is not a subnet, it´s a definition of what´s not accessible from the internet.