Is inter-VLAN safe?


#1

I have created a VLAN for printers; however, to allow visibility to this printer I have activated the inter-VLAN option.

I wonder what risks are involved with this technique. Can someone explain how inter-VLAN works and what risks there are?

Thanks


#2

For example, I see that VLAN hopping may be used as an attacking technique.


#3

Any risks of inter VLAN routing will depend on the purpose of using VLANs in the first place.

I have a VLAN for my IoT devices at home, with inter-VLAN routing disabled, so that if one of those devices gets compromised it will be harder for the attacker to get to other devices (on other VLANs) on my network.

If you need to turn on inter-VLAN routing to enable communication between VLANs, then you are using VLANs for organisation rather than security, surely? If not, what do you hope to achieve by using VLANs for printers?

If you really want to isolate the printer VLAN from the core data network, the lazy way to do that would be to treat it as an untrusted network and put the printer VLAN on a spare WAN port on your Balance with NAT enabled. That way your data network can access your printers easily, but NAT will block any attempt by devices on your printer VLAN to arbitrarily access devices on your data network.

The more involved way would be to set up firewall rules to block all network traffic to the printers apart from the ports needed for printing. I say more involved because different network printers use different ports for different types of services (i.e. network scanning on multi-function devices), so it needs more thought.


#4

Hi there Martin and thanks for answering!

More details:

In our school only trusted (school) computers on the core LAN are allowed to use printers and all teachers personal devices are on a separate untrusted VLAN. In this scenario, teachers are not allowed to print from their personal devices.

core LAN: 192.168.8.0 - Server, shares, school trusted computers, printers
VLAN ID 100 (10.0.100.0) - Staff personal devices (untrusted) - Internet only
VLAN ID 200 (10.0.200.0) - Guest (students) untrusted devices - Internet only

Now we would like to allow teachers to print also from personal untrusted devices on VLAN 100, and this works by moving the printers to a VLAN made on purpose only for printer sharing:

VLAN ID 300 (172.16.0.0) - Shared printers (accessible through core and VLAN 100, Inter-VLAN routing required)

Adding VLAN 300 will allow printing from both the core LAN and VLAN 100; however, this requires inter-VLAN routing, and I wonder if computers on the core LAN are at risk from attacks coming from staff VLAN 100.

In a word, can malicious requests originating from the staff VLAN 100 hit the core network, passing through the printer VLAN?


#5

Ah, got it. OK. So you would enable inter-VLAN routing on the teacher and printer VLANs and add an internal firewall rule that blocks/denies any traffic from the teacher VLAN from accessing the core LAN, and vice versa.

Honestly I'd still be tempted to use a spare WAN if you have one to put the printer subnet on. That way, if a printer (or another device maliciously connected to the printers VLAN) gets compromised, then NAT on the WAN would protect your core network from it. You could also disable inter-VLAN routing on the teacher network too.

When I was at school, the printer network segment was always the easiest one to compromise: simply by unplugging the ethernet cable of the printer and popping a switch inline I could then get unfiltered access to the internet, and I could access unprotected shares on the core servers. And guess where the admin kept his password.doc file? :smiley:


#6

Great, Martin!
If creating a rule in the firewall to block any traffic from the teachers' network will guarantee protecting the core LAN, how could someone gain access from the printers' network? BTW, this can happen by plugging a computer into a socket connected to the core LAN anyway…


#7

You're right, I missed some required rules there:
You want:
core LAN: 192.168.8.0 - Server, shares, school trusted computers - Internet & Printer access
VLAN ID 100 (10.0.100.0) [Inter VLAN Enabled] - Staff personal devices (untrusted) - Internet & Printer access
VLAN ID 200 (10.0.200.0) [Inter VLAN Disabled] - Guest (students) untrusted devices - Internet access only
VLAN ID 300 (172.16.0.0) [Inter VLAN Enabled] - Shared printers - No Internet Access

So the firewall Rules you need are:
Deny Printer VLAN to Internet - so students can’t bypass internet filtering by plugging devices into printer ports.
Deny Staff VLAN from Core - So untrusted Teacher devices can’t access core network resources.

Job Done.

I still like the idea of printers on a WAN port, since if a student connected a device to a printer LAN port and worked out what VLAN ID they needed to use, they would have access to the core network devices.

You could of course work out what ports are needed for printing to the network printers, then block everything else outbound between the core network and the printer VLAN. That way a student connecting to the printer VLAN would be heavily restricted as to what they could access on the core network. If you create a firewall rule for outbound access from core to the printer network that is an allow rule and turn on event logging, you'll quickly see what ports are needed.

As an aside - you could consider putting the core network into a VLAN too (eg VLAN 8), then enable captive portal on the untagged network and redirect to an internally hosted redirect page that captures the MAC addresses of the devices it sees and the time it sees them. It could be a honey pot of sorts where you could then detect if a new device is connected to a switch port somewhere (since most people will try connecting first without using a VLAN ID) and potentially track down the owner of the device and put them in detention. :slight_smile:
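To make the reasoning in this post concrete, here is an added example (not Peplink configuration or anyone's code from this thread) that models the four segments with their inter-VLAN flags and the two firewall rules above as a first-match policy, and then audits which cross-segment flows the design still permits. The segment names, the rule tuple format and the `allowed()`/`audit()` functions are assumptions for illustration; the addressing is the one posted in the thread. Note that the audit shows printer VLAN to core is still allowed by default, which is exactly the gap discussed here.

```python
"""Added example: first-match model of the four-segment design in this thread.
Segment names, rule format and function names are illustrative assumptions."""
import ipaddress

# Segments as posted in the thread (constructed /24 masks, the thread gives only the network part).
SEGMENTS = {
    "core":    ipaddress.ip_network("192.168.8.0/24"),   # untagged core LAN
    "staff":   ipaddress.ip_network("10.0.100.0/24"),    # VLAN 100
    "guest":   ipaddress.ip_network("10.0.200.0/24"),    # VLAN 200
    "printer": ipaddress.ip_network("172.16.0.0/24"),    # VLAN 300
}
INTERNET = "internet"

# The "[Inter VLAN Enabled/Disabled]" column from the post above.
INTER_VLAN = {"core": True, "staff": True, "guest": False, "printer": True}

# First-match firewall rules: (source segment, destination segment, action).
# Anything not matched falls through to the default, which is allow.
RULES = [
    ("printer", INTERNET, "deny"),  # printer ports can't be used to bypass internet filtering
    ("staff", "core", "deny"),      # untrusted teacher devices can't reach core resources
]
DEFAULT_ACTION = "allow"


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the internal ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return INTERNET


def allowed(src_ip: str, dst) -> bool:
    """Decide whether a flow from src_ip to dst (an IP or INTERNET) gets through."""
    src = segment_of(src_ip)
    dst_seg = INTERNET if dst == INTERNET else segment_of(dst)
    if src == dst_seg:
        return True  # same VLAN: switched locally, never reaches the router or firewall
    # Between two internal segments both sides need inter-VLAN routing enabled.
    if dst_seg != INTERNET and not (INTER_VLAN[src] and INTER_VLAN[dst_seg]):
        return False
    for rule_src, rule_dst, action in RULES:
        if rule_src in (src, "any") and rule_dst in (dst_seg, "any"):
            return action == "allow"
    return DEFAULT_ACTION == "allow"


def audit() -> dict:
    """Return {(src_segment, dst_segment): permitted} for every cross-segment pair."""
    probes = {  # one constructed host per segment
        "core": "192.168.8.10", "staff": "10.0.100.10",
        "guest": "10.0.200.10", "printer": "172.16.0.10",
    }
    result = {}
    for s, sip in probes.items():
        for d, dip in probes.items():
            if s != d:
                result[(s, d)] = allowed(sip, dip)
        result[(s, INTERNET)] = allowed(sip, INTERNET)
    return result


if __name__ == "__main__":
    for (s, d), ok in sorted(audit().items()):
        print(f"{s:8} -> {d:8}: {'allow' if ok else 'DENY'}")
```

Running the audit lists every pair; the two rows worth looking at are `printer -> core` (allowed, because nothing in the rule set blocks it) and `guest -> printer` (blocked only because inter-VLAN routing is off for VLAN 200, not by a rule). Adding a `("printer", "core", "deny")` rule, or the port-based allow-list approach suggested above, is what closes the first of those.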


#8

That's exactly how I configured the 4 network settings! Plus, I have added an extra rule for internal firewalling to block traffic from VLAN 100 & 200 to the core network (although no traffic is allowed from VLAN 200, as inter-VLAN is disabled).

Now 2 questions:

  1. What do you mean by connecting the printers to a WAN? They're meant for local traffic only… Am I missing something?

  2. Of course plugging a device into the printers VLAN would allow routing requests to the core network; however, core network devices should ignore traffic coming from another IP class… unless some spoofing technique is used by the attacker… The school is a middle school, I bet this would be a greater risk in a high school… Is there a way to protect the core network from unwanted requests?


#9

A 'WAN' port on a Peplink device is the only type of port that supports outbound NAT (i.e. traffic routed from LAN to WAN is NATted). Sometimes it's a useful thing to treat an internal network segment as untrusted (like you would a typical internet/WAN interface). I frequently use WAN ports to connect to untrusted internal networks (like an internal DMZ).

Your printer VLAN is a great example of this type of untrusted LAN segment where you want to allow traffic out to the printers, but you don’t want traffic to easily route back from the printer VLAN. NAT on the WAN is an easy way to restrict inbound traffic as only those ports that are forwarded on to other internal networks can be used.

Not true. Devices on the core network will respond to traffic from another subnet if routed correctly. Since inter-VLAN routing is enabled on VLAN 300 (the printer VLAN), any device connected to VLAN 300 can route network traffic to any device on the core (untagged) network by default, unless you block that with firewall rules.


#10

Martin you are a great teacher, as well as being a great professional!

Our Balance One currently has two spare WAN ports, as we upgraded the license to 5 WAN. In this case, how should I plug the cables and how would I configure the printers' fake WAN?

To make it easier, couldn't I create a rule in the firewall to enable traffic routing only by the printers' MAC addresses? Of course this could be hacked by MAC address spoofing; however, as this is a middle school, I currently can't see any real risk in this.


#11

You’re very kind.

If you want to use a WAN port (which doesn't support the DHCP server function), you would statically assign its IP in the private subnet range for the shared printers (e.g. 172.16.254.254) and then statically assign all the printers' IPs too (and not enter a gateway IP for them). Then you want to block the student VLAN from the printers, so you could add a firewall rule to do that. From a cabling perspective the WAN would just plug into your managed switch, with either the VLAN ID set on the Balance WAN or the switch port it's connected to set as an access port for that VLAN.

On consideration, keeping the printers in a LAN-side VLAN is more of a standard approach and likely to be less confusing to any staff that need to work on the network in the future. The idea above (quoted below) to work out what ports you need to allow and then block everything else is the most secure approach to limit any misuse of the printer VLAN.

Yes, you could create rules for each printer MAC address, but I suspect that you'll get bored of typing in all those MAC addresses, and I wouldn't want to in a school environment: being able to quickly swap out a printer that has been abused by students and teachers alike for another one wouldn't require firewall rule changes if you just filter by ports instead of by MAC address.
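The "allow and log first, then restrict to the observed ports" approach recommended in post #7 and endorsed again here can be turned into a repeatable step. The following is an added example (not Peplink's own tooling or anyone's code from this thread): it parses constructed firewall event lines for a logged core-to-printer allow rule, tallies which destination ports and which source hosts actually used them, and emits a port-based allow-list that ends with a deny-everything-else rule. The log line format, the rule name `core-to-printer` and the output rule text are assumptions for illustration, not real device output or syntax.

```python
"""Added example: derive a port allow-list for the printer VLAN from logged allow hits.
Log format, rule names and emitted rule syntax are illustrative assumptions."""
import re
from collections import defaultdict

# Constructed sample of what a logged allow rule might record (not real Peplink output).
# Ports chosen to look like typical printer traffic: 9100 raw print, 631 IPP,
# 161 SNMP status polling, 443 the printer's web admin page from one admin host.
SAMPLE_LOG = """\
2024-03-04 08:01:12 fw allow rule=core-to-printer proto=tcp src=192.168.8.21:51234 dst=172.16.0.5:9100
2024-03-04 08:01:40 fw allow rule=core-to-printer proto=tcp src=192.168.8.33:49870 dst=172.16.0.5:631
2024-03-04 08:02:05 fw allow rule=core-to-printer proto=udp src=192.168.8.2:54001 dst=172.16.0.5:161
2024-03-04 08:02:09 fw allow rule=core-to-printer proto=tcp src=192.168.8.21:51240 dst=172.16.0.6:9100
2024-03-04 08:05:30 fw allow rule=core-to-printer proto=tcp src=192.168.8.2:50311 dst=172.16.0.6:443
2024-03-04 08:06:00 fw deny rule=staff-to-core proto=tcp src=10.0.100.7:40000 dst=192.168.8.2:445
"""

LINE_RE = re.compile(
    r"fw (?P<action>allow|deny) rule=(?P<rule>\S+) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def learn_ports(log_text: str, rule: str = "core-to-printer") -> dict:
    """Return {(proto, dst_port): set of source hosts} for allowed hits on `rule`.

    Lines for other rules, denies, or lines that don't parse are skipped."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow" or m["rule"] != rule:
            continue
        seen[(m["proto"], int(m["dport"]))].add(m["src"])
    return dict(seen)


def build_rules(seen: dict, src: str = "core", dst: str = "printer") -> list:
    """Emit allow rules for the observed ports only, then a final catch-all deny.

    Ports used by a single source host are flagged so the admin can decide
    whether to scope that rule to the host (e.g. the web admin page) instead."""
    rules = []
    for (proto, port), hosts in sorted(seen.items()):
        note = f"used by {len(hosts)} host(s)"
        if len(hosts) == 1:
            note += f", consider restricting to {next(iter(hosts))}"
        rules.append(f"allow {src} -> {dst} {proto}/{port}  # {note}")
    rules.append(f"deny  {src} -> {dst} any  # everything not listed above")
    return rules


if __name__ == "__main__":
    for r in build_rules(learn_ports(SAMPLE_LOG)):
        print(r)
```

Two practical caveats when using this for real: the observation window has to be long enough to capture every printer function (the scanning traffic mentioned earlier in this thread often appears only when someone actually scans, and may be initiated by the printer towards a server on the core side, which this one-direction rule would not log), and a port seen from a single host is worth scoping to that host rather than to the whole core LAN.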


#12

Thanks for your patience and knowledge.