Monday, April 5, 2021

Management VLAN - Doubts

Hi,

we're redesigning our network segmentation, and I have some doubts; I hope you can help me clarify:

- VLAN for department segmentation: We are considering segmenting the network based on department, just to break down our network to improve security (lateral movement, reducing surface). But since our users can connect to any plug in the network (we have open offices), can work from home (VPN) or connect to the wifi, I guess the only possible solution is to enforce VLAN tagging from the device OS, and make all the ports/wifi trunk with all the VLAN IDs added. Is that a good option? Should I add anything to restrict traffic between VLANs like VACL, PACL or disable layer-3 traffic forwarding? What is the best practice here?

- Management VLAN: In the same scenario, the admins need to access the management VLAN from any network port or wifi. Is the previous scenario a good approach?

- In terms of security effectiveness, I guess the only goal should be to restrict the traffic between segments, but it is actually very easy to bypass these measures, since the "attacker", in case they have access to one machine or physically to the network, can change the VLAN, MAC or IP of the device to gain access to other VLANs, right?

Thank you!
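One practical check for the "trunk everywhere, tag from the device OS" design the post describes, added here as an example and not part of the original question: a small Python audit that parses a constructed Cisco IOS-style switch configuration and flags user-facing trunk ports, trunks whose allowed list is every VLAN, and trunks that carry the management VLAN. The management VLAN id (99), the uplink port name and the sample configuration are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumptions for this example (not from the original post): the management
# VLAN is 99 and GigabitEthernet1/0/24 is the only infrastructure uplink.
MGMT_VLAN = 99
UPLINK_PORTS = {"GigabitEthernet1/0/24"}

# Constructed Cisco IOS-style configuration excerpt used as sample input.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description open office floor port
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
!
interface GigabitEthernet1/0/2
 description open office floor port
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description open office floor port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
!
"""


@dataclass
class Port:
    name: str
    mode: str = "access"                # IOS default when no mode is set
    allowed: Optional[Set[int]] = None  # None means every VLAN is allowed


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,99' into a set of ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> List[Port]:
    """Collect the switchport settings of each 'interface' block."""
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = Port(name=m.group(1))
            ports.append(cur)
            continue
        if line == "!":          # '!' closes the current block
            cur = None
            continue
        if cur is None:
            continue
        if line == "switchport mode trunk":
            cur.mode = "trunk"
        elif line == "switchport mode access":
            cur.mode = "access"
        elif line.startswith("switchport trunk allowed vlan "):
            spec = line[len("switchport trunk allowed vlan "):]
            if spec == "all":
                cur.allowed = None
            elif spec.startswith("add "):
                cur.allowed = (cur.allowed or set()) | parse_vlan_list(spec[4:])
            else:
                cur.allowed = parse_vlan_list(spec)
    return ports


def audit(ports: List[Port], mgmt_vlan: int = MGMT_VLAN,
          uplinks: Set[str] = UPLINK_PORTS) -> Dict[str, List[str]]:
    """Return, per user-facing trunk port, the reasons it weakens segmentation."""
    findings: Dict[str, List[str]] = {}
    for p in ports:
        if p.name in uplinks or p.mode != "trunk":
            continue  # uplinks and plain access ports are not user-selectable
        reasons = ["trunk on a user-facing port: the connected host picks its own VLAN tag"]
        if p.allowed is None:
            reasons.append("allowed VLAN list is 'all'")
        elif mgmt_vlan in p.allowed:
            reasons.append(f"management VLAN {mgmt_vlan} is allowed on the trunk")
        findings[p.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(parse_config(SAMPLE_CONFIG)).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The first finding is the one that matters most for the third bullet of the post: when the user's port is a trunk, the VLAN a host lands in is whatever tag that host chooses to send, which is exactly the bypass the post worries about. The usual way to keep the "plug in anywhere" convenience without that problem is to leave user ports and wifi as access ports and have the switch assign the VLAN from authentication (802.1X with RADIUS-returned VLAN), so that the segment follows the identity rather than a tag the endpoint controls.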


