Networks isolation.

[mefizto]

Greetings all,

I am building a pf firewall intended to protect two networks. The firewall is envisioned to have three interfaces with the following requirements:

1. ExtIf - interfacing with the Internet;
2. IntIf0 - interfacing via a router with a first network. This network is trusted in the sense that all the devices on the network should be allowed to communicate with one another and, when appropriate, with the Internet; and
3. IntIf1 - interfacing via another router with a second network. This network is untrusted in the sense that devices on this network should be allowed to access the Internet, but not any of the devices on the first network, perhaps with the exception of a printer if this will not cause any security issues vis-a-vis other devices on the first network.

It is foreseen that the devices on the second network will be workstations of guests. It would be desirable that the firewall configuration is transparent to the guests, i.e., not requiring any configuration on their workstations.

Is this a firewall based issue, i.e., can I achieve the goals by proper rules at the pf firewall or is it networking issue that needs to be solved by other means than firewall? Can you please point me to a correct solution?

Kindest regards,

M

 

[honk]

I vote for the firewall. If you are paranoid, then isolate the printer in a separate network (e.g. a separate VLAN).

 

[SirDice]

I vote for the firewall.

I'll second that.

If you are paranoid, then isolate the printer in a separate network (e.g. a separate VLAN).

No. VLANs are to improve network performance, they are NOT a security measure.

 

[mefizto]

Gentlemen,

Thank you for the replies. Can you please point in the right direction; i.e., is it as simple as denying, on IntIf0, any packet originating from IntIf1 except packets destined to the printer?

Kindest regards,

M

 

[honk]

No. VLANs are to improve network performance, they are NOT a security measure.

Should we create a thread for further discussions about VLAN security?

If I had to decide between having the printer in my internal network or in a (third) dedicated VLAN, my decission would be the dedicated VLAN, for security reasons. But I guess mefizto isn't building a firewall for Fort Knox.

Can you please point in the right direction; i.e., is it as simple as denying, on IntIf0, any packet originating from IntIf1 except packets destined to the printer?

A rule of thumb is to do whitelisting. This means your ruleset will deny everything by default and only allow explicit what you want. Simple example in pseudo-code to illustrate this:

1. Allow from xx.xx.xx.xx/xx on $IntIf0 to any on $ExtIf
2. Allow from yy.yy.yy.yy/yy on $IntIf1 to any on $ExtIf
3. Allow from yy.yy.yy.yy/yy on $IntIf1 to $IP_Printer on $IntIf0 proto tcp port 515
4. Deny from any to any

If you bind the rules to the interfaces (and not only on the IP-addresses) you avoid unwanted traffic from your untrusted guest network to the internal trusted network (as this would match for any destination also).

 

[mefizto]

honk,

thank you for the reply. I have only three interfaces, which drove my network design. And, yes, I am not building firewall for Fort Knox; :e , the untrusted users are not deemed to be people whom I would suspect of doing intentional damage to the trusted network, I am just trying to protect myself from unintentional error.

Can you, for my education, briefly discuss how putting the printer on a different VLAN would improve security? In my naive view I still need to protect that interface, so I do not see any advantage.

If I read the rules correctly, they are doing what I suggested. I understand that the rules are pseudo code, but should the last rule:

Deny from any to any

not be the first?

Kindest regards,

M

 

[aragon]

Given the OP's description of IntIf0 and IntIf1, I don't see sufficient motivation for creating a VLAN dedicated to the printer. Stick it in IntIf0's network and restrict access to it from IntIf1.

The only potential security hazard is if the printer can be exploited some way, giving IntIf1's network full access to IntIf0's. Then again, the printer could instead be placed in IntIf1's network to mitigate that risk.