Wednesday, December 30, 2020

Campus Network Segmentation: Internal VPN that directs to multiple VLANs?

Background: I'm working on upgrading a campus network from Cisco to Juniper and we are looking to increase the segmentation between VLANs to reduce the risk/impact of ransomware and the like. There are business buildings, some residential buildings, as well as guest VLANs. The residential and guest networks were already segmented with Cisco access lists that we converted to Juniper firewall filters. Each of the business buildings has a set of VLANs for general data (PCs, printers, etc.), IP surveillance, VoIP, and network management. We should be able to set each of these VLANs to be able to talk to the server VLAN and the internet, then block other traffic. VoIP will need to talk to other VoIP VLANs, and I think I know how to open up just the needed ports for that.

My main question is: How do I allow IT staff to connect to all of the VLANs for troubleshooting? I've set up an IT office VLAN and can allow that to communicate with all of the VLANs, but if an IT person with a laptop is connected to the general data VLAN of a building, how can they connect to the IP surveillance VLAN of that building to work on a camera? There is a Windows RRAS VPN set up which does allow business devices on the residential network to connect to the business network and bypass the internal ACL/firewall filter (this is all within the same campus network). I thought if I could get that server to put general business devices on one VLAN and IT laptops on another VLAN, that would work. But as best I can tell, RRAS can't do that.

Is there a self-hosted VPN server that can put different groups of clients on different VLANs? Or a VPN server that can easily run multiple instances with multiple network adapters to the same effect? The servers run on VMware. Or is there a better way to go about this problem in general?
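The per-VLAN policy described in the post (each building VLAN may reach the server VLAN and the internet, the IT office VLAN may reach everything, all other campus traffic is dropped) expressed as a Junos stateless firewall filter. This is an added example, not configuration from the original post or from Juniper; the VLAN number (110), the irb address, the server VLAN (10.10.0.0/24), the IT office VLAN (10.20.0.0/24) and the campus aggregate (10.0.0.0/8) are all assumed placeholders.

```junos
/* Added example: input filter for one building's general-data VLAN (assumed VLAN 110).
   Applied on the irb, so it sees traffic leaving the VLAN toward the router.
   Terms are evaluated top to bottom; anything not accepted by a term hits the
   implicit discard at the end of the filter. */
firewall {
    family inet {
        filter BLDG1-DATA-IN {
            /* Stateless filters have no session table. This term lets replies to
               TCP sessions opened from elsewhere (e.g. the IT office VLAN reaching a
               PC here) get back out. It matches on the ACK/RST bits, so it does not
               permit new SYN connections into other VLANs. */
            term allow-tcp-replies {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Server VLAN (assumed 10.10.0.0/24). */
            term allow-servers {
                from {
                    destination-address {
                        10.10.0.0/24;
                    }
                }
                then accept;
            }
            /* IT office VLAN (assumed 10.20.0.0/24), so IT tools can receive
               UDP/ICMP replies from hosts on this VLAN too. */
            term allow-it-office {
                from {
                    destination-address {
                        10.20.0.0/24;
                    }
                }
                then accept;
            }
            /* Everything else inside the campus (assumed 10.0.0.0/8) is dropped
               and counted; the counter is what you watch when a legitimate flow
               stops working after the change. */
            term deny-campus {
                from {
                    destination-address {
                        10.0.0.0/8;
                    }
                }
                then {
                    count deny-campus;
                    discard;
                }
            }
            /* Any destination not matched above is the internet. */
            term allow-internet {
                then accept;
            }
        }
    }
}
interfaces {
    irb {
        unit 110 {
            family inet {
                filter {
                    input BLDG1-DATA-IN;
                }
                address 10.1.110.1/24;
            }
        }
    }
}
```

Two practical notes. First, commit with `commit confirmed` so a filter that locks you out rolls back on its own, then check `show firewall filter BLDG1-DATA-IN` to see whether the `deny-campus` counter is absorbing traffic you meant to allow. Second, the mirror-image filters on the surveillance and VoIP VLANs need the same `tcp-established` term, otherwise the IT office VLAN can send a SYN but never sees the SYN/ACK. This filter covers the IT office VLAN case already described in the post; an IT laptop plugged into the general-data VLAN still looks like any other data-VLAN host to it, which is exactly the gap the VPN question above is about.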
