Best practice for firewalling a Windows domain controller using pfSense

Tom's right, that's a real hard question to even answer without understanding what the end game is.

What end game does this work (better) in? A flat network with 10 users and a printer? I guess.

Sticking a RODC in every segmented network sounds like a ton of work. And not great for security, or at least a lot more work to match the routing approach.

Educate me if I’m missing something obvious.

1 Like

RODC use case is primarily for remote offices on slow links…

Typical best practice for VLANs/subnets in MS domains is based on the assumption that you have or will have multiple sets of clients across multiple buildings, floors, etc.

When you shrink it down to a small office/home lab, most of the security/management gains of the subnets disappear. Plus the Windows firewalls pretty much police all the client → server traffic.

Only plus I can see for DCs and/or servers being separate is to allow for different subnet → WAN firewall policies - similar to what you need for DMZs.

My personal recommendation having used many of them is Palo Alto and Fortinet.

I think it is important to have something that can block/filter traffic that is out of band from the OS. It is common that the AV/EDR is disabled if a system is compromised. If you have a firewall between systems this will be able to catch a compromised system otherwise you may never know until it is too late.

Good security is about layers, not just one tool.

1 Like
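To make the "firewall between systems" point concrete, here is an added example (not code from the thread or from pfSense) of how the intended client → DC policy can be written down and then checked against firewall log lines. The addressing (users on 10.10.20.0/24, DC at 10.10.10.5) and the log lines are constructed for illustration, and the log format is a simplified `action,proto,src,dst,dport` CSV rather than pfSense's real filterlog layout; the port list is the well-known set of Active Directory client-to-DC services.

```python
"""Policy check and simple anomaly detection for traffic between a user VLAN
and a segmented domain controller. Addresses, log format and log lines are
constructed for this example; they are not pfSense's own filterlog format."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed): users on one VLAN, the DC on another.
USER_VLAN = ip_network("10.10.20.0/24")
DC_ADDR = ip_address("10.10.10.5")

# Well-known Active Directory client-to-DC services as (protocol, port).
AD_ALLOWED = {
    ("udp", 53), ("tcp", 53),      # DNS
    ("udp", 88), ("tcp", 88),      # Kerberos
    ("udp", 123),                  # NTP (w32time)
    ("tcp", 135),                  # RPC endpoint mapper
    ("udp", 389), ("tcp", 389),    # LDAP
    ("tcp", 445),                  # SMB (SYSVOL / NETLOGON)
    ("udp", 464), ("tcp", 464),    # Kerberos password change
    ("tcp", 636),                  # LDAPS
    ("tcp", 3268), ("tcp", 3269),  # Global catalog
}
RPC_DYNAMIC = range(49152, 65536)  # Windows RPC dynamic port range


def allowed(src, dst, proto, port):
    """True if a user-VLAN host may reach the DC on this protocol/port."""
    if ip_address(src) not in USER_VLAN or ip_address(dst) != DC_ADDR:
        return False
    return (proto, port) in AD_ALLOWED or (proto == "tcp" and port in RPC_DYNAMIC)


# Constructed firewall log excerpt: action,proto,src,dst,dport
SAMPLE_LOG = """\
block,tcp,10.10.20.15,10.10.10.5,3389
block,tcp,10.10.20.15,10.10.10.5,5985
block,tcp,10.10.20.15,10.10.10.5,22
block,tcp,10.10.20.15,10.10.10.5,80
pass,tcp,10.10.20.31,10.10.10.5,445
pass,udp,10.10.20.31,10.10.10.5,88
pass,tcp,10.10.20.31,10.10.10.5,3389
block,tcp,10.10.20.44,10.10.10.5,3389
"""


def parse_log(text):
    """Yield (action, proto, src, dst, port) tuples from the CSV log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        action, proto, src, dst, port = line.split(",")
        yield action, proto, src, dst, int(port)


def suspicious_hosts(text, threshold=3):
    """Hosts whose blocked traffic to the DC touched >= threshold distinct ports.

    A workstation probing RDP, WinRM, SSH and HTTP on the DC is the kind of
    behaviour only an out-of-band firewall will still see once host-based
    AV/EDR has been disabled. Returns {src: sorted denied ports}.
    """
    denied = defaultdict(set)
    for action, proto, src, dst, port in parse_log(text):
        if action == "block" and ip_address(dst) == DC_ADDR and not allowed(src, dst, proto, port):
            denied[src].add(port)
    return {src: sorted(ports) for src, ports in denied.items() if len(ports) >= threshold}


def rule_drift(text):
    """Passed flows to the DC that the intended policy does not allow.

    Anything here means the deployed ruleset is looser than the policy on
    paper (a stray 'allow any' rule, for example) and should be fixed.
    """
    return [(src, proto, port)
            for action, proto, src, dst, port in parse_log(text)
            if action == "pass" and ip_address(dst) == DC_ADDR
            and not allowed(src, dst, proto, port)]


if __name__ == "__main__":
    print("possible compromised hosts:", suspicious_hosts(SAMPLE_LOG))
    print("rule drift:", rule_drift(SAMPLE_LOG))
```

The two checks are deliberately separate: `suspicious_hosts` reads the blocks as a signal about the endpoints, while `rule_drift` reads the passes as a signal about the firewall configuration itself; both only work because the DC sits behind a rule boundary the workstation cannot disable.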

Agreed with @pjdouillard.
Why am I placing a DC in the same subnet as my staff network? I'm not following the logic of segmentation here. Also, how does this work in an inter-VLAN environment?
OP was just asking simply what ports should be opened up. We are overly complicating this by talking about Azure, etc.

Please segment your DC and do not put this on the same network as your users. That's nonsensical.

1 Like

Define the parameters of NGFW. It's a buzzword.
It boils down to SSL inspection. If your firewall does it, then generally it's considered NGFW. But perhaps there are more criteria we should be looking for?

1 Like

This is not best practice anywhere.