Hello,
We are now in the process of segmenting our network into different VLANs as the first part of our Network Access Control journey. Today there are no restrictions and everything can be accessed as long as you're inside the LAN.
I work as an infosec advisor and rarely touch networking. We have contractors who will help us set this up, but we still need to give the directions. And I really want to understand this as well. It keeps itching in the back of my head.
So let's assume that these are the VLANs we're setting up:
VLAN 1 Servers
VLAN 2 Wireless
VLAN 3 Users
VLAN 4 Others/guest
We were going to use a firewall to segment our traffic based on ports, but had to opt out since the FW can't handle redundancy. We will use a layer 3 device (router) which will route between VLANs based on IP address, and give access to print servers etc. It's less safe than port-based routing, but we can't afford to upgrade the FW. I will start closing ports we're not using.
So to my questions:
- Is it possible to only allow VLAN 1 to initiate connections to other VLANs, while the other VLANs can't initiate connections, except to the allowed IPs? I use OpenVAS and would like it to still be able to scan the entire network for vulnerabilities.
- We will set up a jump host so IT admins can RDP/SSH to all servers safely. We will place the jump host in the DMZ. It will not face the internet, only internal. Would it be better to place it inside VLAN 1 instead? What's the benefit of placing it in the DMZ?
- Setting up a new service on VLAN 1 will require setting up a rule in the router that allows traffic to or from other VLANs, correct?
- VPN. All users who access our network through VPN are placed on a different VLAN. Is it possible to place all VPN connections inside VLAN 2? So kind of a bridge.
Thank you for the help.
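As an added illustration (not part of the original post) of the first and third questions, the model below mimics how a stateless access list on a layer 3 router decides inter-VLAN traffic: rules are checked top-down, the first match wins, and anything unmatched is dropped. The subnets, the print-server address and the port numbers are constructed assumptions, not values from the poster's network. It shows that "only VLAN 1 may initiate" is approximated on a stateless device with a TCP "established" match (ACK or RST set), that UDP replies to a scanner in VLAN 1 get no such shortcut and need their own rule, and that a new service on VLAN 1 is unreachable from other VLANs until a rule is appended for it.

```python
"""Stateless inter-VLAN ACL model (constructed example, not a real config)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical subnets for the four VLANs in the post (assumed, not real).
VLANS = {
    "servers": ip_network("10.1.0.0/24"),   # VLAN 1
    "wireless": ip_network("10.2.0.0/24"),  # VLAN 2
    "users": ip_network("10.3.0.0/24"),     # VLAN 3
    "guest": ip_network("10.4.0.0/24"),     # VLAN 4
}

PERMIT_FROM_SERVERS = "permit: initiated from VLAN 1"
PERMIT_ESTABLISHED = "permit: tcp established (return traffic to VLAN 1)"
PERMIT_SERVICE = "permit: published service on VLAN 1"
PERMIT_INTRA = "permit: same VLAN (switched, ACL not consulted)"
DENY_UNKNOWN = "deny: address outside any known VLAN"
DENY_IMPLICIT = "deny: implicit deny at end of list"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    tcp_ack: bool = False  # True when ACK or RST is set ("established")


def vlan_of(addr):
    """Return the VLAN name whose subnet contains addr, or None."""
    ip = ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


@dataclass
class InterVlanAcl:
    # Services on VLAN 1 that other VLANs may reach: (ip, proto, port).
    services: set = field(default_factory=set)

    def allow_service(self, ip, proto, port):
        """Question 3 of the post: publishing a new VLAN 1 service means
        adding an explicit entry; nothing is reachable without one."""
        self.services.add((ip_address(ip), proto, port))

    def evaluate(self, pkt):
        src_vlan, dst_vlan = vlan_of(pkt.src), vlan_of(pkt.dst)
        if src_vlan is None or dst_vlan is None:
            return DENY_UNKNOWN
        if src_vlan == dst_vlan:
            return PERMIT_INTRA
        # Rule 1: VLAN 1 (servers, OpenVAS, admins) may initiate anything.
        if src_vlan == "servers":
            return PERMIT_FROM_SERVERS
        # Rule 2: replies to connections VLAN 1 opened. A stateless ACL
        # cannot remember who started a flow; it only checks TCP flags.
        # UDP has no such flag, so scanner UDP replies fall through.
        if dst_vlan == "servers" and pkt.proto == "tcp" and pkt.tcp_ack:
            return PERMIT_ESTABLISHED
        # Rule 3: explicitly published services (print server etc.).
        if (ip_address(pkt.dst), pkt.proto, pkt.dport) in self.services:
            return PERMIT_SERVICE
        # Rule 4: everything else between VLANs is dropped.
        return DENY_IMPLICIT


def demo():
    """Walk through the cases from the post and return the decisions."""
    acl = InterVlanAcl()
    acl.allow_service("10.1.0.20", "tcp", 9100)  # assumed print server
    cases = {
        "scan from VLAN 1 to users": Packet("10.1.0.5", "10.3.0.10", "tcp", 445),
        "tcp reply back to scanner": Packet("10.3.0.10", "10.1.0.5", "tcp", 50000, tcp_ack=True),
        "udp reply back to scanner": Packet("10.3.0.10", "10.1.0.5", "udp", 50000),
        "user opens ssh to server": Packet("10.3.0.10", "10.1.0.5", "tcp", 22),
        "user prints": Packet("10.3.0.10", "10.1.0.20", "tcp", 9100),
        "guest to users": Packet("10.4.0.7", "10.3.0.10", "tcp", 445),
    }
    return {name: acl.evaluate(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} -> {decision}")
```

The "udp reply back to scanner" case is the one to watch on a stateless router: a TCP scan from VLAN 1 works because returning segments carry ACK/RST, but UDP probes need an explicit return rule or a stateful device in the path. The established match also only inspects flags, which is the concrete reason a stateless ACL is weaker than a stateful firewall.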