Is inter-VLAN safe?

I have created a VLAN for printers; however, to allow visibility of this printer I have activated the inter-VLAN option.

I wonder what risks are involved with this technique. Can someone explain how inter-VLAN works and what risks there are?

Thanks

For example, I see that VLAN hopping may be used as an attacking technique.

Any risks of inter VLAN routing will depend on the purpose of using VLANs in the first place.

I have a VLAN for my IoT devices at home - with inter vlan routing disabled so that if one of those devices gets compromised it will be harder for the attacker to get to other devices (on other vlans) on my network.

If you need to turn on inter VLAN routing to enable communication between VLANs then you are using VLANs for organisation rather than security, surely? If not, what do you hope to achieve by using VLANs for printers?

If you really want to isolate the printer VLAN from the core data network, the lazy way to do that would be to treat it as an untrusted network and put the printer VLAN on a spare WAN port on your Balance with NAT enabled. That way your data network can access your printers easily, but NAT will block any attempt by devices on your printer VLAN to arbitrarily access devices on your data network.

The more involved way would be to set up firewall rules to block all network traffic to the printers apart from the ports needed for printing. I say more involved because different network printers use different ports for different types of services (i.e. network scanning on multi-function devices), so it needs more thought.

1 Like

Hi there Martin and thanks for answering!

More details:

In our school only trusted (school) computers on the core LAN are allowed to use printers and all teachers personal devices are on a separate untrusted VLAN. In this scenario, teachers are not allowed to print from their personal devices.

core LAN: 192.168.8.0 - Server, shares, school trusted computers, printers
VLAN ID 100 (10.0.100.0) - Staff personal devices (untrusted) - Internet only
VLAN ID 200 (10.0.200.0) - Guest (students) untrusted devices - Internet only

Now we would like to allow teachers to print also from personal untrusted devices on VLAN 100, and this works by moving the printers to a VLAN made on purpose only for printer sharing:

VLAN ID 300 (172.16.0.0) - Shared printers (accessible through core and VLAN 100, Inter-VLAN routing required)

Adding VLAN 300 will allow printing from both the core LAN and VLAN 100; however, this requires inter VLAN routing and I wonder if computers on the core LAN are at risk from attacks coming from staff VLAN 100.

In a word, can malicious requests originating from the staff VLAN 100 hit the core network, passing through the printer VLAN?

Ah got it. OK. So you would enable inter vlan routing on the teacher and printer VLANs and add an internal firewall rule that blocks/denies any traffic from the teacher VLAN from accessing the core LAN and vice versa.

Honestly I’d still be tempted to use a spare WAN if you have one to put the Printer Subnet on. That way if a printer (or another device maliciously connected to the printer VLAN) gets compromised then NAT on the WAN would protect your core network from it. You could also disable inter VLAN routing on the teacher network too.

When I was at school, the printer network segment was always the easiest one to compromise: simply by unplugging the ethernet cable of the printer and popping a switch inline I could then get unfiltered access to the internet and I could access unprotected shares on the core servers. And guess where the admin kept his password.doc file? :smiley:

5 Likes

Great Martin!

If creating a rule in the firewall to block any traffic from the teachers network will guarantee protecting the core LAN, how could someone gain access from the printers network? BTW, this can happen by plugging a computer into a socket connected to the core LAN anyway…

You’re right I missed some required rules there:
You want:
core LAN: 192.168.8.0 - Server, shares, school trusted computers - Internet & Printer access
VLAN ID 100 (10.0.100.0) [Inter VLAN Enabled] - Staff personal devices (untrusted) - Internet & Printer access
VLAN ID 200 (10.0.200.0) [Inter VLAN Disabled] - Guest (students) untrusted devices - Internet access only
VLAN ID 300 (172.16.0.0) [Inter VLAN Enabled] - Shared printers - No Internet Access

So the firewall Rules you need are:
Deny Printer VLAN to Internet - so students can’t bypass internet filtering by plugging devices into printer ports.
Deny Staff VLAN from Core - So untrusted Teacher devices can’t access core network resources.

Job Done.

I still like the idea of Printers on a WAN port. Since if a student connected a device to a printer LAN port and worked out what VLAN ID they needed to use, they would have access to the core network devices.

You could of course work out what ports are needed for printing to the network printers, then block everything else outbound between the core network and the printer VLAN. That way a student connecting to the Printer VLAN would be heavily restricted as to what they could access on the core network. If you create a firewall rule for outbound access from core to the printer network that is an allow rule and turn on event logging, you’ll quickly see what ports are needed.

As an aside - you could consider putting the core network into a VLAN too (eg VLAN 8), then enable captive portal on the untagged network and redirect to an internally hosted redirect page that captures the MAC addresses of the devices it sees and the time it sees them. It could be a honey pot of sorts where you could then detect if a new device is connected to a switch port somewhere (since most people will try connecting first without using a VLAN ID) and potentially track down the owner of the device and put them in detention. :slight_smile:

2 Likes

That’s exactly how I configured the 4 network settings! Plus, I have added an extra rule for internal firewalling to block traffic from VLAN 100 & 200 to the core network (although no traffic is allowed from VLAN 200 anyway, as inter-VLAN is disabled).

Now 2 questions:

  1. What do you mean by connecting the printers to a WAN? They’re meant for local traffic only… Am I missing something?

  2. Of course plugging a device into the printers VLAN would allow routing requests to the core network; however, core network devices should ignore traffic coming from another IP class… unless some spoofing technique is used by the attacker… The school is a middle school; I bet this would be a greater risk in a high school… Is there a way to protect the core network from unwanted requests?

A ‘WAN’ port on a Peplink device is the only type of port that supports outbound NAT (i.e. traffic routed from LAN to WAN is NATted). Sometimes it’s a useful thing to treat an internal network segment as untrusted (like you would a typical internet/WAN interface). I frequently use WAN ports to connect to untrusted internal networks (like an internal DMZ).

Your printer VLAN is a great example of this type of untrusted LAN segment where you want to allow traffic out to the printers, but you don’t want traffic to easily route back from the printer VLAN. NAT on the WAN is an easy way to restrict inbound traffic as only those ports that are forwarded on to other internal networks can be used.

Not true. Devices on the Core network will respond to traffic from another subnet if routed correctly. Since inter VLAN routing is enabled on VLAN 300 (the printer VLAN), any device connected to VLAN 300 can route network traffic from it to any device on the Core (untagged) network by default, unless you block that with firewall rules.

3 Likes

Martin you are a great teacher, as well as being a great professional!

Our Balance One currently has two spare WAN ports as we upgraded the license to 5 WAN. In this case how should I plug the cables and how would I configure the printers’ fake WAN?

To make it easier, couldn’t I create a rule in the firewall to enable traffic routing only by printer MAC address? Of course this could be hacked by MAC address spoofing; however, as this is a middle school I currently can’t see any real risk in this.

You’re very kind.

If you want to use a WAN port (which doesn’t support the DHCP server function), you would statically assign its IP in the private subnet range for the shared printers (e.g. 172.16.254.254) and then statically assign all the printers’ IPs too (and not enter a Gateway IP for them). Then you want to block the student VLAN from the printers, so you could add a firewall rule to do that. From a cabling perspective the WAN would just plug into your managed switch, with either the VLAN ID set on the Balance WAN or the switch port it’s connected to set as an access port for that VLAN.

On consideration, keeping the printers in a LAN side VLAN is more of a standard approach and likely to be less confusing to any staff that need to work on the network in the future. The idea above (quoted below) to work out what ports you need to allow and then blocking everything else is the most secure approach to limit any misuse of the printer VLAN.

Yes, you could create rules for each printer MAC address, but I suspect that you’ll get bored of typing in all those MAC addresses, and I wouldn’t want to in a school environment: being able to quickly swap out a printer that has been abused by students and teachers alike for another one wouldn’t require firewall rule changes if you just filter by ports instead of by MAC address.

3 Likes

Thanks for your patience and knowledge

2 Likes

Hi @MartinLangmaid! Back on this topic! As I wrote in the past, as our scenario is quite safe, I have personally stuck with Inter-VLAN routing + firewall rules, without restricting ports.

Now, I’ll take all this a step further as a new MFP was recently bought, bringing in new concepts such as printer user control and printing page limits. The MFP allows managing users through Active Directory, simplifying authentication to the MFP itself; however, this requires communication with the Domain Controller. This is already possible right now, thanks to the following firewall rules:

But to keep things safe, I am thinking about your suggestion of restricting access also by port number, as the listed MAC addresses are allowed to communicate with the core LAN and a computer with a spoofed MAC address may target any machine on the core LAN. Discovery of the ports being used has begun; I have enabled logging in the firewall rules, but there’s no trace of ports being used.

Are the enclosed firewall rules correct?

Hard to tell with the redaction. You could try it the other way: block all traffic between the segment with the AD server and the MF printer, then see what access is requested by looking at the access requests that get logged and denied.

2 Likes

@MartinLangmaid, I have created a rule to allow traffic from core network to printers segment (this was already allowed, however as the rule enables logging, now all access to printers is logged showing used ports!).

For now I have logged access to ports 80 (HTTP), 161 (SNMP) and 5358 (WSD)… what rule could I enforce to block traffic from the printers segment 172.16.0.0 to the core segment not being “generated” by those ports?

Usually traffic originates from the core segment to the printer segment (dest. ports 80, 161, 5358), but in case of attack, traffic is originated from the printer segment to the core… does the firewall ignore where the traffic is originated?

Would a rule “block all traffic from printers segment” plus another higher rule “allow traffic from core to printers segment with restriction to ports 80, 161 & 5358” do the trick? It would mean 3 rules for each segment that requires inter-VLAN communication to printers (9 rules), but if this would protect the core I could go for it. Of course an attacker could attempt to communicate through those allowed ports… but what could this lead to?

The default rule should be a deny rule. Then define the ports necessary for the printers to talk to AD/print server. Google for “ports for windows printing”, add the rules and (like Martin says) look at what is getting blocked.

2 Likes
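To show how the rule set discussed in this thread (default deny, allow core and staff to the printer VLAN only on the logged ports 80/161/5358, deny the printer VLAN everything else) answers the question of whether the firewall cares where traffic originates, here is a small stateful policy evaluator. It is an added example, not Peplink code or anything from the posts; the /24 masks, the assumption that staff use the same printer ports as the core, and the sample addresses are all constructed for the demonstration.

```python
import ipaddress

# Networks from the thread; the /24 masks are an assumption (no mask is given in the posts).
CORE = ipaddress.ip_network("192.168.8.0/24")      # untagged core LAN
STAFF = ipaddress.ip_network("10.0.100.0/24")      # VLAN 100, staff personal devices
GUEST = ipaddress.ip_network("10.0.200.0/24")      # VLAN 200, students
PRINTERS = ipaddress.ip_network("172.16.0.0/24")   # VLAN 300, shared printers
ANY = ipaddress.ip_network("0.0.0.0/0")
PRINT_PORTS = {80, 161, 5358}  # destination ports observed in the thread's firewall logs

# Ordered rules: (action, source net, destination net, allowed dst ports or None for any).
# First match wins; anything unmatched falls through to DEFAULT.
RULES = [
    ("allow", CORE, PRINTERS, PRINT_PORTS),
    ("allow", STAFF, PRINTERS, PRINT_PORTS),  # assumption: staff print over the same ports
    ("deny", PRINTERS, ANY, None),            # printer VLAN: no internet, no core
    ("deny", STAFF, CORE, None),
    ("deny", GUEST, CORE, None),
]
DEFAULT = "deny"


def match_rule(src, dst, dport):
    """Stateless lookup: the first rule whose src/dst/port all match decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, ports in RULES:
        if s in src_net and d in dst_net and (ports is None or dport in ports):
            return action
    return DEFAULT


class StatefulFirewall:
    """Remembers flows it allowed, so replies pass without a reverse-direction rule.

    This is what lets 'deny printers -> anything' coexist with working printing:
    the printer's answer to a core request matches an established flow, while a
    brand-new connection started by the printer VLAN is judged by the rules alone.
    """

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport) of allowed first packets

    def check(self, src, sport, dst, dport):
        if (dst, dport, src, sport) in self.flows:  # reply to an established flow
            return "allow (established)"
        action = match_rule(src, dst, dport)
        if action == "allow":
            self.flows.add((src, sport, dst, dport))
        return action
```

Run `StatefulFirewall().check(...)` with a core-to-printer request first and then the printer's reply to see the reply pass as established, while a fresh printer-to-core connection on any other port is denied by the rules alone.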