[techies-for-schools] was: ransomware now: VLAN separation


Pete Mundy

Apr 1, 2016, 5:22:16 PM
to techies-f...@googlegroups.com
Hi Terence,

Any chance you could elaborate on your statement about not relying on VLAN segregation for traffic separation? I'm struggling to understand your reasoning behind using a layer III filter ('firewall') to separate traffic on two logically separate layer II networks.

For example, in schools I commonly see BYOD implemented on its own ESSID which drops to a separate VLAN on a tagged uplink via the wired switching network. On the BYOD VLAN there is a separate router and internet firewall. There is no layer III interface for the core switch on this network.

In this scenario there is no logical way for packets to be forwarded from the BYOD devices to the school's servers or internal network, as there is no possible layer III path (without them first egressing onto the public internet and coming in via the internal network's firewall).

Can you expand on the reasons for your distrust in the separation provided via this model?

Pete

On 1/04/2016, at 10:13 am, Terence Fleming <Terence...@thinkwireless.co.nz> wrote:

Make sure that the devices over which you have no control (e.g. all those BYOD devices) are treated as Untrusted, and that you are leveraging the firewalls in your Access Points to keep BYOD traffic away from sensitive assets (e.g. servers). Keep them on a different VLAN as well if you can, but do not rely on a VLAN alone for security and traffic separation.

Kevin Whelan

Apr 3, 2016, 4:22:30 PM
to Techies for schools
I would say most SNUPped schools have a separate SSID that is tagged to a separate VLAN but share the same core switch and firewall. Ours is certainly like that and it wasn't like we were offered a choice. Your system sounds ultimately better but it all comes down to funding. Some schools on here even have a separate network for cameras etc, but I think the majority will have the standard SNUP install of one fibre backbone all sharing one core switch and gateway.

Julian Davison

Apr 3, 2016, 5:01:02 PM
to techies-f...@googlegroups.com
Keep in mind also the implications of people making their servers available across VLANs (BYOD printing usually tops this list), as any such devices also provide a potential path for traffic to traverse otherwise distinct VLANs.
As Kevin said, VLANs can be used to provide proper security, but in my experience it's not common for the advantages to be implemented fully (the concern is reducing collision domains, rather than traffic security isolation).


Pete Mundy

Apr 3, 2016, 5:03:07 PM
to techies-f...@googlegroups.com
Heya Kevin

In my example the core switch was still shared between the two networks just as it is in yours, but it has no layer-III interface in the BYOD VLAN and therefore does not provide a layer-III packet-forwarding path between the VLANs.

Sharing the same firewall shouldn't present a problem either, as long as the firewall has a separate layer-III interface on each VLAN and has separate policies for each network, with no routing between the two allowed. The N4L firewalls support this no problem.

So no additional funding should be required over a standard SNUP+N4L network. It's just a matter of configuring it all correctly to ensure the separation is maintained. And no need for firewalls in the radios to achieve this (IMO).

Pete

Kevin Whelan

Apr 3, 2016, 5:30:31 PM
to Techies for schools
Sorry, misread. We do have separation like yourself and don't allow printing at all.

Terence Fleming

Apr 3, 2016, 7:06:58 PM
to Techies for schools
Hi Pete

I think the other posts have covered it off, but I was trying to say that VLAN separation (which is intended for keeping broadcast domains small etc.) should not be considered on its own as a complete security solution; you do also want to incorporate a firewall (or physical traffic separation).

From time to time we do come across networks with VLAN separation but there are still routes from one VLAN to another, and no firewalling rules restricting untrusted traffic.

If you have been WSNUPped then you will have Access Points that incorporate firewalls, so you have the tools to apply a security policy at the edge of your network.

All too often we see the firewall in the AP is unused, and Untrusted traffic being delivered straight onto the school's network.
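An added audit example, not written by anyone in this thread, that checks the two conditions Pete and Terence describe: whether the core switch has layer-3 (SVI) interfaces on both VLANs and so can route between them itself, and whether the firewall's zone policy permits BYOD traffic into the internal network. The IOS-style switch configs, VLAN ids, IP ranges and zone rules are constructed assumptions.

```python
# Added example (not from the thread): audit a core-switch config and a firewall
# zone policy for a layer-3 path from the BYOD VLAN into the internal VLAN.
import re

BYOD_VLAN, INTERNAL_VLAN = 20, 10  # assumed VLAN ids

# Weak core switch (constructed): SVIs on both VLANs, so the switch routes between them.
WEAK_SWITCH = """\
ip routing
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
"""
# Fixed core switch: no layer-3 interface on the BYOD VLAN (the firewall owns it).
FIXED_SWITCH = WEAK_SWITCH.replace("ip address 10.20.0.1 255.255.255.0", "no ip address")

# Firewall policies as ordered (first-match) zone rules; unmatched traffic is denied.
WEAK_FW = [{"from": "byod", "to": "any", "action": "permit"}]
FIXED_FW = [{"from": "byod", "to": "internal", "action": "deny"},
            {"from": "byod", "to": "internet", "action": "permit"}]

def svi_vlans(config):
    """VLAN ids whose SVI carries an IP address, i.e. a layer-3 interface exists."""
    vlans, current = set(), None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)", line)
        if m:
            current = int(m.group(1))
        elif current is not None and re.match(r"\s*ip address \S+ \S+", line):
            vlans.add(current)  # 'no ip address' does not match this pattern
    return vlans

def fw_action(rules, src, dst):
    """First-match evaluation of a zone policy; default deny when nothing matches."""
    for r in rules:
        if r["from"] in (src, "any") and r["to"] in (dst, "any"):
            return r["action"]
    return "deny"

def audit(switch_config, fw_rules):
    """Return the reasons a BYOD -> internal layer-3 path exists (empty = separated)."""
    findings = []
    routing = re.search(r"^ip routing\s*$", switch_config, re.M) is not None
    if routing and {BYOD_VLAN, INTERNAL_VLAN} <= svi_vlans(switch_config):
        findings.append("core switch has SVIs on both VLANs and routes between them")
    if fw_action(fw_rules, "byod", "internal") == "permit":
        findings.append("firewall policy permits byod -> internal")
    return findings
```

Running `audit(WEAK_SWITCH, WEAK_FW)` reports both problems, while `audit(FIXED_SWITCH, FIXED_FW)` returns an empty list.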