Isolating Network Clients in a DMZ Environment - Intergraph Smart P&ID - Configuration - Intergraph

Intergraph Smart P&ID Workshare Configuration and Reference (2019)

Product: Intergraph Smart P&ID
Category: Administration & Configuration
Smart P&ID Version: 9 (2019)
Smart Engineering Manager Version: 10 (2019)
Smart Electrical Version: 2019 (9.0)

All Smart P&ID clients inside the LAN that must access the database server in the DMZ can be isolated on their own sub-network (subnet). Doing this restricts their connections so that they can communicate only with other Smart P&ID clients, the Smart P&ID file server, the Smart Engineering Manager Server, and the Oracle database being used for the project.

If no domain controller is available, grant access rights on the Smart Engineering Manager server and the file servers by establishing a workgroup with local user accounts on the isolated subnet of the LAN.

Subnet Addressing

Two computers on the same subnet do not need an external server (such as DNS or a gateway) to exchange data. This example shows how to determine which IP addresses belong to your subnet and can therefore be reached without passing through the gateway.

A subnet mask is applied to an IP address with a bitwise AND; addresses that produce the same result belong to the same subnet.

For example, three computers have the following assigned IP addresses:

A: 192.168.1.1
B: 192.168.0.127
C: 192.168.3.1

If A's subnet mask is set to 255.255.254.0, then B is part of A's sub-network.

Sub-network:

192.168.1.1 AND 255.255.254.0 = 192.168.0.0
192.168.0.127 AND 255.255.254.0 = 192.168.0.0

Because A and B yield the same network address after the subnet mask is applied, A and B are on the same subnet.

However, C is not part of the same sub-network:

192.168.3.1 AND 255.255.254.0 = 192.168.2.0
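As an added illustration that is not part of the Intergraph documentation, the following Python script performs the octet-by-octet bitwise AND from the example above for each host, lists which hosts fall outside A's subnet (and so would need the gateway), and cross-checks the manual result against the standard library's ipaddress module. The host names and addresses are the ones from the text; the HOSTS inventory is a constructed demo input.

```python
import ipaddress


def network_address(ip: str, mask: str) -> str:
    """Apply the subnet mask with a bitwise AND, octet by octet, as in the worked example."""
    octets = [int(a) & int(m) for a, m in zip(ip.split("."), mask.split("."))]
    return ".".join(str(o) for o in octets)


def prefix_length(mask: str) -> int:
    """Prefix length of a dotted mask; raises ValueError if the mask is not contiguous ones."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}", strict=False).prefixlen


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses yield the same network address under the mask."""
    return network_address(ip_a, mask) == network_address(ip_b, mask)


def off_subnet_hosts(reference_ip: str, mask: str, hosts: dict) -> list:
    """Names of hosts not on reference_ip's subnet; traffic to them must pass the gateway."""
    return [name for name, ip in hosts.items() if not same_subnet(reference_ip, ip, mask)]


def check_against_stdlib(reference_ip: str, mask: str, hosts: dict) -> bool:
    """Cross-check the manual AND against ipaddress: membership must agree for every host."""
    net = ipaddress.ip_network(f"{reference_ip}/{mask}", strict=False)
    for ip in hosts.values():
        if same_subnet(reference_ip, ip, mask) != (ipaddress.ip_address(ip) in net):
            return False
    return str(net.network_address) == network_address(reference_ip, mask)


# Mask and addresses A, B, C from the worked example; the inventory itself is constructed.
MASK = "255.255.254.0"
HOSTS = {"A": "192.168.1.1", "B": "192.168.0.127", "C": "192.168.3.1"}

if __name__ == "__main__":
    print(f"mask {MASK} = /{prefix_length(MASK)}")
    for name, ip in HOSTS.items():
        print(f"{name}: {ip} AND {MASK} = {network_address(ip, MASK)}")
    print("Outside A's subnet:", off_subnet_hosts(HOSTS["A"], MASK, HOSTS))
    print("Agrees with ipaddress:", check_against_stdlib(HOSTS["A"], MASK, HOSTS))
```

Running it reports that only C lies outside A's /23 subnet, matching the calculation in the text.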

Using a Router to Segment Computers

LAN segments can be interconnected by routers to enable communication between LANs. Routers can block unwanted types of traffic while also implementing broadcast filters and logical firewalls.

Routers offer the following benefits in LAN segmentation:

Media Transition — Routers are used to connect networks of different media types, taking care of the Layer 3 address translations and fragmentation requirements.

Packet Filtering — Routers can filter packets either inbound or outbound between LAN segments or LAN and WAN segments.

VLAN Communications — Routers remain vital for switched architectures configured as logically defined virtual workgroups (VLANs) because they provide the communication between VLANs.

Using a Switch to Segment Computers

Switches are data link layer devices that enable multiple physical LAN segments to be interconnected into a single larger network. Switches forward and flood traffic based on MAC addresses and are significantly faster because switching is performed in hardware instead of in software. Switches use either store-and-forward switching or cut-through switching when forwarding traffic.

Segmenting shared-media LANs divides the users into two or more separate LAN segments, reducing the number of users contending for bandwidth.

Switches have the intelligence to monitor traffic and compile address tables, which then allows them to forward packets directly to specific ports in the LAN. Switches also usually provide non-blocking service, which allows multiple conversations (traffic between two ports) to occur simultaneously.

LAN switches can be used to segment networks into logically defined virtual workgroups (VLANs). This logical segmentation, commonly referred to as VLAN communication, offers a fundamental change in how LANs are designed, administered, and managed. Logical segmentation provides substantial benefits in LAN administration, security, and the management of network broadcasts across the enterprise.