Tuesday, April 10, 2018

Why not use layer 3 switching to isolate all devices and make all TCP/IP traffic subject to firewall policies, not just traffic between separate LANs/VLANs?

I believe it's common practice to group and isolate devices on separate LANs/VLANs according to function: printers, VoIP, workplace PCs, gateway servers.

This means that a printer can't ping or SSH to a general-purpose PC, because the LAN/VLAN broadcast domains are isolated and packets must pass through the router, where iptables (or whatever firewall is in place) applies its policies and exceptions.

But why not carry isolation one step further, so that if one printer is compromised it cannot communicate with another printer, or if one PC is compromised it cannot port-scan and discover open ports on other PCs on the same VLAN?

I find it hard to accept that performance is the reason to avoid this step, given that layer 3 switches do inter-VLAN routing in hardware (ASICs).

Also, I suspect the majority of traffic already requires routing rather than plain switching, because it passes between different device classes (e.g. VoIP phones to the VoIP server, PCs to Samba or to the external gateway) or between different switches. So how much extra overhead is there?
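To make the difference between the two models concrete, here is an added example (not part of the original post) that models the router's forwarding decision as a function over an explicit allow list keyed on device function. In the classic model, traffic that stays inside a VLAN is switched and never reaches the firewall; in the per-host model every flow, including one between two printers on the same VLAN, is matched against the policy and dropped by default. The addresses, device classes, rules and listening ports are constructed for the example and are not from any real network.

```python
"""Model of VLAN-only versus per-host (micro-segmentation) forwarding policy.

Constructed example: the inventory, allow list and listening ports below are
illustrative assumptions, not a real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed inventory: one /24 VLAN per device class (assumption).
HOSTS = {
    "10.10.0.11": "printer",
    "10.10.0.12": "printer",
    "10.20.0.21": "pc",
    "10.20.0.22": "pc",
    "10.30.0.31": "voip_phone",
    "10.40.0.41": "voip_server",
    "10.40.0.42": "file_server",
}

# Constructed TCP services each host listens on (used for the reachability check).
LISTENING = {
    "10.10.0.11": {22, 80, 9100},
    "10.10.0.12": {22, 80, 9100},
    "10.20.0.21": {445, 3389},
    "10.20.0.22": {445, 3389},
    "10.40.0.42": {22, 445},
}


@dataclass(frozen=True)
class Rule:
    """One allow-list entry: flows are matched on device function, not subnet."""
    src_class: str
    dst_class: str
    proto: str
    dport: int


# Constructed policy: only the flows a function genuinely needs. Anything not
# listed (printer -> printer, pc -> pc, pc -> printer SSH) is denied.
POLICY = [
    Rule("pc", "printer", "tcp", 9100),          # print jobs
    Rule("pc", "file_server", "tcp", 445),       # SMB to the Samba server
    Rule("voip_phone", "voip_server", "udp", 5060),  # SIP signalling
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def vlan_of(ip: str):
    """VLAN membership is modelled as the host's /24 (assumption)."""
    return ip_network(f"{ip}/24", strict=False)


def classify(ip: str) -> str:
    return HOSTS.get(ip, "unknown")


def allowed(flow: Flow, per_host_isolation: bool) -> bool:
    """Return True if the router/firewall forwards this flow.

    per_host_isolation=False: traffic inside one VLAN is switched and never
    consulted against the policy (classic VLAN segmentation).
    per_host_isolation=True: every flow is checked; default deny.
    """
    if not per_host_isolation and vlan_of(flow.src) == vlan_of(flow.dst):
        return True
    src_class, dst_class = classify(flow.src), classify(flow.dst)
    return any(
        (r.src_class, r.dst_class, r.proto, r.dport)
        == (src_class, dst_class, flow.proto, flow.dport)
        for r in POLICY
    )


def exposed_services(origin: str, listening: dict, per_host_isolation: bool):
    """(host, port) pairs a single compromised host could still reach.

    This is the defender's view of blast radius: what the policy leaves
    reachable from one host under each isolation model.
    """
    return sorted(
        (dst, port)
        for dst, ports in listening.items()
        if dst != origin
        for port in ports
        if allowed(Flow(origin, dst, "tcp", port), per_host_isolation)
    )


if __name__ == "__main__":
    for mode in (False, True):
        label = "per-host isolation" if mode else "VLAN-only"
        print(f"{label}: reachable from 10.20.0.21 ->",
              exposed_services("10.20.0.21", LISTENING, mode))
```

Running the block shows the point of the post: with VLAN-only segmentation a compromised PC can still reach SMB and RDP on its neighbour, and a compromised printer can reach the other printer, while under the per-host model only the explicitly listed function-to-function flows survive.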


