
I need to add some more Ethernet devices to my network. I'd like to keep the current router, and the only possibility to add more interfaces would be USB Ethernet / PCI Ethernet adapters. I could also use a network switch instead, connect it to one of the current router ports, and easily get a lot of new interfaces.

But I was wondering if one setup would be less secure than the other one. It breaks down to the configuration, I guess. The router does normal NAT'ing and each port currently provides a different network. My goal is to isolate the different connected devices so they can't communicate with each other. A dumb switch wouldn't do any good, while managed switches provide some isolation as far as I know, but I don't know if it comes close to the one provided by a router. If I go for the router and switch setup, is there also anything I need to change on the router side?

Tom K.
some12
  • If your goal is simply to prevent host-to-host communication, then this is not a security question at all. It becomes a VLAN and routing question. – schroeder Nov 28 '18 at 12:00
  • Secure against the usual network attacks, malware spreading from A to B. Enumeration of devices on the network, general reconnaissance. A device on the network should never see any traffic from another device or even get the slightest hint that another device is present. In case of just using the router it breaks down to the router's firewall/network configuration. In case of my intended setup I don't know if by design it will be less "secure" than just using a router or if it will make some attacks easier. I don't need to protect against physical attacks. – some12 Nov 28 '18 at 12:11
  • Right, so your goal is to prevent host-to-host traffic. Either solution would work depending on the device's capabilities for VLANs. – schroeder Nov 28 '18 at 13:04

1 Answer

A managed switch configured to use VLANs is the proper way to do this. In principle the security you get from the isolation implemented on the router and the isolation implemented by a managed switch is the same.

Of course security vulnerabilities can exist in the products you choose to use. So in practice there can be differences in security between the two approaches. But those differences will be due to security bugs and not inherent issues associated with either approach.

There is a good chance the isolation implemented by the router is in fact done by a VLAN capable switch chip in the router. This answer has a nice diagram of what the internals of typical consumer routers look like.

Some managed switches have a VLAN mode specifically intended for the usage case you describe. See for example this question about VLAN on TP-Link switches.

But even if the switch doesn't have this feature you can expect every decent managed switch to support tagged VLANs which can be configured to achieve the same effect. One potential obstacle to look out for is whether your router supports the configuration of VLANs to achieve the desired isolation. That is something you can verify before purchasing a managed switch.

kasperd
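As an added example (not from the question or kasperd's answer), here is the router-side change the asker hints at, for a Linux-based router that terminates the tagged VLANs coming from a managed switch: one 802.1Q sub-interface per VLAN and a default-drop forward policy, so each VLAN reaches the WAN but never another VLAN. The interface names eth0/eth1, the VLAN ids and the 10.ID.0.0/24 subnets are constructed assumptions; the functions only print the configuration unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the page's own code. Assumed layout: eth0 is the
# NAT/upstream side, eth1 is the 802.1Q trunk to the managed switch.
WAN="${WAN:-eth0}"
TRUNK="${TRUNK:-eth1}"
VLANS="${VLANS:-10 20 30}"   # constructed VLAN ids, one per isolated port

# Name of the tagged sub-interface for one VLAN id on the trunk.
vlan_iface() { printf '%s.%s\n' "$1" "$2"; }

# iproute2 commands: a tagged sub-interface per VLAN, with the router
# holding 10.ID.0.1/24 in each isolated subnet (constructed addressing).
render_ip_cmds() {
  trunk=$1; ids=$2
  for id in $ids; do
    dev=$(vlan_iface "$trunk" "$id")
    printf 'ip link add link %s name %s type vlan id %s\n' "$trunk" "$dev" "$id"
    printf 'ip addr add 10.%s.0.1/24 dev %s\n' "$id" "$dev"
    printf 'ip link set %s up\n' "$dev"
  done
}

# nftables ruleset: forward chain drops by default, so two VLANs can only
# exchange traffic if a rule allows it, and no VLAN-to-VLAN rule is emitted.
render_nft_ruleset() {
  wan=$1; trunk=$2; ids=$3
  printf 'table inet isolate {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  for id in $ids; do
    dev=$(vlan_iface "$trunk" "$id")
    printf '    iifname "%s" oifname "%s" accept\n' "$dev" "$wan"
  done
  printf '  }\n  chain postrouting {\n'
  printf '    type nat hook postrouting priority 100;\n'
  printf '    oifname "%s" masquerade\n  }\n}\n' "$wan"
}

# Sanity check: number of forward rules whose output is a VLAN sub-interface.
# A correct isolation ruleset yields 0.
count_inter_vlan_accepts() {
  render_nft_ruleset "$1" "$2" "$3" | grep -c "oifname \"$2\." || true
}

if [ "${APPLY:-0}" = 1 ]; then   # run as root; also needs ip_forward=1
  render_ip_cmds "$TRUNK" "$VLANS" | sh
  render_nft_ruleset "$WAN" "$TRUNK" "$VLANS" | nft -f -
fi
```

On the switch side the ports must be untagged members of their own VLAN and the uplink to the router a tagged trunk carrying all of them; the router's forward policy is what then keeps the VLANs apart.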