Isolating Network Ports for some functions but not others

mda (joined Mar 23, 2011)
Hello all,

I'm trying to isolate some fairly exposed ports in a section of one of our buildings so we don't have someone randomly plug in a device and get full access to our networks. I am currently experimenting with a D-Link partially managed switch (DGS-1210 series), since I am totally unfamiliar with the higher end switches.

Here's the current situation:
1. Some physical ports are only intended to be used for a certain kind of device, for which data over several port numbers is needed.
2. For some less exposed physical ports I would like to give these access to the internet but not to any of the company servers.

Questions on these:
A. Is there any way to block traffic in the switch to only allow traffic from a certain port? If not, what is the best way to limit access?
B. I suppose the best solution for this is to put these devices/ports on a separate VLAN. Am I correct? How should I configure the switch and our gateway (this is a Fortinet unit)?

Any help would be appreciated! Thanks!
 
Correct, VLANs are what you want. Then you would create a trunk port and allow all those VLANs on your uplink port to your firewall if it's acting as your router/gateway. The only thing I am not sure on is tagged vs untagged. I will let someone else chime in.
 
I can't speak to configuration of your specific hardware, but a simple separation would be separate VLANs on your switch. Then on the layer 3 device (router, firewall, etc.) apply something like an access control to the interfaces that are defined for each VLAN/subnet. I could give you examples for a Cisco network, but I've never worked with Fortinet. Sorry.
 
Thanks for your replies. At least the direction is clearer now.

Our setup is very simple at present --

It is Fortinet (internet GW) --> Unmanaged switches --> Devices

The semi-managed switch ideally goes between the Fortinet and the unmanaged switches, with the exposed ports being grouped together on the unmanaged switch, which plugs into one port of the managed switch for ease of management.

For the devices that I want to isolate, this should be fairly easy (I think?), I will just need to create a VLAN on the switch and group those ports together. What I don't know is how to configure the gateway to give it internet access.

For the devices that I want to isolate by only being able to communicate via one port (let's say TCP port 1234) but accessible to the company network, I'm not exactly clear how this should work, since putting these ports on a separate VLAN may end up isolating it from the rest of the network?
 
Hi mda,

I will go into this post with the assumption you have a decent understanding of what a VLAN does, but if not, here goes: VLANs are simply like breaking a switch into pieces logically. So if you took a 24 port switch and created 2 VLANs on it with 12 ports in each VLAN, it would be like having 2 completely separate 12 port switches. If you can grasp that, you are good to go.

With that said, your switch is only layer 2, which means that your VLANs cannot communicate with each other unless they go through a router. But that's what it sounds like you are wanting to do anyway, so goal achieved.

Now, tagging ports for VLANs gets tricky if you don't understand it. Basically you will want to create a tagged interface that connects to your Fortigate. Then on your Fortigate, you will need to create subinterfaces for each VLAN that is on the tagged interface from the switch.

Basically - you are going to have to carry multiple VLANs across a single link if you only want to connect to a single interface on your Fortigate (saving you ports on the switch and firewall). In order to do that, you have to tell the switch which VLAN each frame belongs to as it egresses the switch, otherwise it won't know which ports to send the return frames to.

If port 20 belongs to VLAN2, the switch knows that is not the default VLAN, so it will "tag" the Ethernet frame with some information that tells anything upstream that that frame belongs to VLAN2, so when the traffic returns, the switch knows to flood only VLAN2 frames on interfaces that belong to VLAN2. VLAN1 (the default VLAN) will not receive these floods or broadcasts.

You have another option where you can connect two interfaces to the Fortigate from the switch. In this example, you still have VLAN1 (default) and VLAN2 (servers, for example), but VLAN1 is only on ports 1-12 and VLAN2 is on ports 13-24. Each of these VLANs will now need its own unique IP network (layer 3), say 192.168.1.0/24 and 192.168.2.0/24 respectively. So connect port 1 of the switch (VLAN1) to an interface on the Fortigate, and configure that interface on the Fortigate to be on the same IP network (192.168.1.1/24). Then configure another interface on the Fortigate for 192.168.2.1/24 for VLAN2 and connect port 13 from the switch to the Fortigate.

Now you have two separate VLANs on the switch, which are firewalled between the two (they would still be firewalled in the tagged example above, but with a logical interface rather than a physical one). They will be incapable of communicating with each other, so long as they are on separate zones on your Fortigate. You can poke holes and create security rules to allow intrazone traffic to flow and other inspection services as you see fit.

Anyway, I hope this helps. Good luck.
 
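The tagging behaviour described in the post above (access ports untagged, one tagged uplink carrying VLAN2 to the firewall, floods confined to a VLAN), as an added example that is not part of the thread and not code from D-Link or Fortinet. It is a small Python model of a VLAN-aware layer-2 switch; the port numbers, VLAN IDs, MAC addresses and frame payloads are made up, and the uplink is assumed to carry the default VLAN1 untagged (the usual switch default) and VLAN2 tagged.

```python
"""Added example (not from the thread): a minimal model of a VLAN-aware
layer-2 switch showing how untagged access ports and a tagged uplink
classify frames, flood only within a VLAN, and add or strip 802.1Q tags
on egress. All port numbers, VLAN IDs and MACs are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

TPID_8021Q = 0x8100          # EtherType that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800
BROADCAST = b"\xff" * 6


@dataclass
class PortConfig:
    pvid: int                                  # VLAN assigned to untagged frames arriving here
    tagged: set = field(default_factory=set)   # VLANs carried on this port with a tag


def eth_frame(dst: bytes, src: bytes, payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet frame; if vlan is given, insert an 802.1Q tag (PCP/DEI = 0)."""
    tag = b"" if vlan is None else TPID_8021Q.to_bytes(2, "big") + (vlan & 0x0FFF).to_bytes(2, "big")
    return dst + src + tag + ETHERTYPE_IPV4.to_bytes(2, "big") + payload


class VlanSwitch:
    def __init__(self, ports: dict):
        self.ports = ports
        self.fdb: dict = {}   # (vlan, mac) -> port the MAC was learned on

    def members(self, vlan: int) -> set:
        return {n for n, c in self.ports.items() if c.pvid == vlan or vlan in c.tagged}

    def classify(self, in_port: int, frame: bytes):
        """Return (vlan, frame_without_tag), or None if the frame must be dropped."""
        cfg = self.ports[in_port]
        if int.from_bytes(frame[12:14], "big") == TPID_8021Q:
            vlan = int.from_bytes(frame[14:16], "big") & 0x0FFF
            if vlan not in cfg.tagged:
                return None          # tagged frame for a VLAN this port does not carry
            return vlan, frame[:12] + frame[16:]
        return cfg.pvid, frame       # untagged: belongs to the port's PVID

    def forward(self, in_port: int, frame: bytes) -> dict:
        """Return {egress_port: frame_as_sent}; tag only on ports that carry the VLAN tagged."""
        classified = self.classify(in_port, frame)
        if classified is None:
            return {}
        vlan, raw = classified
        dst, src = raw[0:6], raw[6:12]
        self.fdb[(vlan, src)] = in_port                        # learn the source MAC per VLAN
        learned = self.fdb.get((vlan, dst))
        if dst != BROADCAST and learned is not None and learned != in_port:
            out_ports = {learned}                              # known unicast
        else:
            out_ports = self.members(vlan) - {in_port}         # flood, but only within this VLAN
        return {p: eth_frame(dst, src, raw[14:], vlan if vlan in self.ports[p].tagged else None)
                for p in out_ports}


def thread_layout() -> VlanSwitch:
    """Ports 1-12 in VLAN1 (default), 13-23 in VLAN2, port 24 = uplink to the
    firewall carrying VLAN1 untagged and VLAN2 tagged (assumed layout)."""
    ports = {n: PortConfig(pvid=1) for n in range(1, 13)}
    ports.update({n: PortConfig(pvid=2) for n in range(13, 24)})
    ports[24] = PortConfig(pvid=1, tagged={2})
    return VlanSwitch(ports)


def demo():
    """Three constructed frames: a VLAN2 broadcast from port 20, the firewall's
    tagged reply on the uplink, and a stray tagged frame for a VLAN the uplink
    does not carry."""
    sw = thread_layout()
    host20 = bytes.fromhex("020000000020")
    fw = bytes.fromhex("020000000001")
    flood = sw.forward(20, eth_frame(BROADCAST, host20, b"who-has?"))
    reply = sw.forward(24, eth_frame(host20, fw, b"is-at", vlan=2))
    stray = sw.forward(24, eth_frame(BROADCAST, fw, b"x", vlan=3))
    return flood, reply, stray


if __name__ == "__main__":
    flood, reply, stray = demo()
    print("flooded to ports:", sorted(flood))
    print("uplink copy tagged:", flood[24][12:16].hex())
    print("reply delivered to:", sorted(reply), "stray dropped:", stray == {})
```

The flood from port 20 reaches only ports 13-23 and the uplink, never ports 1-12; the copy sent out port 24 carries the 0x8100 tag with VID 2, while the access-port copies are untagged. On the FortiGate side, the physical interface receives the untagged VLAN1 traffic and a VLAN subinterface with VLAN ID 2 receives the tagged traffic, which is what the "subinterfaces for each VLAN" remark above refers to.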
For the devices that I want to isolate, this should be fairly easy (I think?), I will just need to create a VLAN on the switch and group those ports together. What I don't know is how to configure the gateway to give it internet access.

For the devices that I want to isolate by only being able to communicate via one port (let's say TCP port 1234) but accessible to the company network, I'm not exactly clear how this should work, since putting these ports on a separate VLAN may end up isolating it from the rest of the network?

1.) The gateway on each VLAN will be the interfaces on the Fortigate as the DLink switch cannot route traffic. Any device that is connected to the same VLAN belongs to the same broadcast domain.
2.) You can do this. You would need to create a rule on the Fortigate to permit TCP 1234 from the isolated LAN to the company network, and you can do it as an "any any" rule (meaning the source IP and destination IP can be anything) and it will be permitted as long as it is communicating using TCP port 1234. Just don't apply NAT to this policy.
 
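The policy logic in the two answers above (each VLAN gets its gateway on a firewall interface; an "any any" rule permits only TCP 1234 from the isolated VLAN into the company network, without NAT; the internet-only VLAN gets an outbound rule with NAT), as an added Python model that is not part of the thread and not FortiGate code. The interface names, subnets and policy list are assumptions chosen to match the layout discussed; the model is first-match with an implicit deny, and it does not model stateful return traffic, so a flow is judged by who opens it.

```python
"""Added example (not from the thread): a first-match, interface-based policy
evaluator that models how a firewall such as a FortiGate treats traffic
between VLAN subinterfaces. Interface names, subnets and policies are
assumptions; real FortiOS config is not reproduced here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed VLAN subinterfaces on the firewall; "wan" stands in for the default route.
INTERFACES = {
    "vlan1": "192.168.1.0/24",   # company network / servers (default VLAN)
    "vlan2": "192.168.2.0/24",   # devices allowed to reach the company network on TCP 1234 only
    "vlan3": "192.168.3.0/24",   # exposed ports: internet access only
    "wan":   "0.0.0.0/0",
}


@dataclass(frozen=True)
class Policy:
    srcintf: str
    dstintf: str
    service: Optional[Tuple[str, int]]   # ("tcp", 1234), or None for ALL services
    action: str                          # "accept" or "deny"
    nat: bool = False                    # source NAT applied when this policy accepts


# Ordered list, first match wins; anything unmatched falls through to an implicit deny.
POLICIES = [
    Policy("vlan2", "vlan1", ("tcp", 1234), "accept", nat=False),   # the "any any" TCP 1234 rule
    Policy("vlan2", "wan",   None,          "accept", nat=True),    # internet for the isolated devices
    Policy("vlan3", "wan",   None,          "accept", nat=True),    # internet for the exposed ports
]


def interface_for(ip: str) -> str:
    """Longest-prefix match of an address against the interface subnets."""
    addr = ip_address(ip)
    candidates = [(ip_network(net).prefixlen, name) for name, net in INTERFACES.items()
                  if addr in ip_network(net)]
    return max(candidates)[1]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int, policies=POLICIES):
    """Return (verdict, nat_applied), verdict in {"switched", "accept", "deny"}."""
    src_intf, dst_intf = interface_for(src_ip), interface_for(dst_ip)
    if src_intf == dst_intf:
        # Same VLAN: the layer-2 switch forwards it and the firewall never sees it.
        return "switched", False
    for p in policies:
        if p.srcintf != src_intf or p.dstintf != dst_intf:
            continue
        if p.service is not None and p.service != (proto, dport):
            continue
        return p.action, (p.nat and p.action == "accept")
    return "deny", False   # implicit deny at the end of the policy table


if __name__ == "__main__":
    # Constructed flows illustrating the thread's scenarios.
    for flow in [("192.168.2.10", "192.168.1.5", "tcp", 1234),
                 ("192.168.2.10", "192.168.1.5", "tcp", 445),
                 ("192.168.3.7",  "192.168.1.5", "tcp", 1234),
                 ("192.168.3.7",  "203.0.113.9", "tcp", 443),
                 ("192.168.2.10", "192.168.2.11", "tcp", 445),
                 ("192.168.1.5",  "192.168.2.10", "tcp", 1234)]:
        print(flow, "->", evaluate(*flow))
```

Two points the model makes explicit: traffic between two hosts in the same VLAN never reaches the firewall, so no policy can restrict it, which is why the exposed ports should sit in their own VLAN rather than in the company VLAN with an ACL on the firewall; and a rule from vlan2 to vlan1 does not let servers in vlan1 open new connections toward vlan2, only reply to sessions the isolated devices started. On a FortiGate the equivalent pieces are VLAN subinterfaces under `config system interface` (with `set vlanid`) and entries under `config firewall policy` with `set nat disable` on the TCP 1234 policy.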
Thanks for all the information thus far. I didn't realize that managed switches could either be L2 or L3, thought they were all L3.

Will think about whether I would rather save some cash outright by going with this L2 switch or saving ports by doing this at an L3 layer.

In theory I think I understand now what I should do. I just need to actually go do it.

Thanks all!
 
You are welcome, and good luck. Enjoy the time learning, even if you end up pulling your hair out in frustration because it's just not working.

Step away and come back 5-10 minutes later.
 
Yup, good luck. I will be going for my CCNA this year. I have always been a system admin, but on the hardware and admin side with a dedicated networking team. But with the IT world changing, the more skills the better. I am also in the process of learning Palo Alto firewalls.
 
Yup, good luck. I will be going for my CCNA this year. I have always been a system admin, but on the hardware and admin side with a dedicated networking team. But with the IT world changing, the more skills the better. I am also in the process of learning Palo Alto firewalls.

Palo Alto is an awesome product. They just released a new family line. Let me know if you have any questions in the CCNA track or Palo Alto.
 
Yep, VLANs are what you want. At the switch you assign the ports to the VLAN you create for this purpose. So anything that is plugged in will be on that VLAN. You can think of a VLAN as a virtual separate switch, in simple terms. From switch to firewall you set it as a trunk port, and at the firewall you set up individual interface ports for each VLAN. From there you can set up rules for what each one can/can't access. It's what I do at home for various things including wireless. Personally I'm a fan of simple L2 switches and having the firewall manage all the routing rules. But I can see in very large environments where L3 switches may be good to have, as it reduces overall traffic going to and from the firewall.
 
If the list of approved devices is fairly small, you could use reserved IP addresses via DHCP and use standard firewall/routing rules to control access to internal resources. For all unapproved devices, assign an IP address from a range that is NOT allowed to see the internal network but is allowed to the outside world. A knowledgeable hacker can spoof the MAC address but would still have to get through whatever physical security your site has.
 
If the list of approved devices is fairly small, you could use reserved IP addresses via DHCP and use standard firewall/routing rules to control access to internal resources. For all unapproved devices, assign an IP address from a range that is NOT allowed to see the internal network but is allowed to the outside world. A knowledgeable hacker can spoof the MAC address but would still have to get through whatever physical security your site has.

Keep in mind that someone could also set a static IP to be in the proper range, but this could still be viable at least as a basic security layer.
 
Thanks all.

I've been going through the contents of this switch and it seems I can indeed manage traffic on a somewhat IP level. No routing, but only allow/deny.

This interface though is straight out of the early 2000s and is full of typos (not to mention, the UI is clunky at best). You'd assume more expensive switches would actually have people checking the UIs before these are rolled out into production...

Am currently testing some other scenarios since I have a pair of them, hopefully these can do what I need. L3 switches with the same number of ports are probably 2-3x the cost of these.
 
Keep in mind that someone could also set a static IP to be in the proper range, but this could still be viable at least as a basic security layer.

Yep, the problem with "off the cuff" answers. One problem I see with the VLAN approach is that any device plugged in gets the rights/limitations of the VLAN. Probably want a combo approach of both VLAN and DHCP restrictions.

If the ports in question are not used that often, might consider just turning the ports off at the switch level when they are not in use.
 
It seems that by playing around with these switches, I can also get what I need done by playing around with the ACL settings instead of using VLANs. However it seems using a combination of both will be the best.
 
You would be over complicating it going that route. I would not recommend it.

Industry standard architecture is to use L2 segmentation (VLANs) to logically separate your networks.
 