
I am very new to "networking" and security, but I realize that it would be more secure to have printers on their own "isolated network".

I am unsure what the correct or what a good structure is for creating an "isolated network". Wondering if it means essentially this (for a home-based system):

  1. Create a second account with some ISP, or perhaps just ask for some separate thingy on the existing account.
  2. Buy a second router.
  3. Disable internet access for this router, so it only functions as a local wifi system. Or maybe the printers don't need wifi and can use ethernet instead.
  4. Connect a laptop to the network somehow, so it can send its print jobs to the printer.

I can see a few holes in that so far, and it seems incomplete. I'm wondering what the typical system is for making a secure isolated network such as for these printers, which you can still send commands to only from specific places (like from a laptop or phone).

Lance
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/87787/discussion-on-question-by-lance-pollard-secure-architecture-for-isolated-printer). – Rory Alsop Jan 03 '19 at 12:32

1 Answer


Ideally, printers are to be separated from their clients (and the internet) as much as possible.

There seems to be some kind of confusion on your side between categories of network devices. I'm assuming you're coming from a COTS standpoint which usually means that a device called "Router" does carry the jobs of "Router", "Firewall", "Switch", "WiFi Access Point", "Gateway" and "NAT", which might lead to the confusion.

A network architecture that can provide this might in its simplest possible layout (which can easily be more complicated when deploying microsegmentation between clients and/or printers, for example) look like this:

[Clients -> (Firewall] -> {Print Server) -> Printers}

where

[] = the network connection between the clients and your Firewall,
() = the network connection between the print server and your Firewall,
{} = the (network?) connection between the Print Server and your Printer(s) 

Now, the connection between the print server and the Printer(s) doesn't need to be networked. The printers could just be locally connected to the print server, for example by USB or LPT.

Also worth noting is that this setup is minimal for this case; usually, there are different subnets of clients that need different printer access, which leads to vastly more complicated setups that separate networks even further, using more Firewalls, Gateways and Print Servers.

Please also note that none of this includes internet access thus far. In this setup, internet might be provided through the Firewall (over a separate network connection) and access rules on the firewall would prohibit internet access for the print server.

Additionally, COTS "Router" devices usually do not provide all features of actual Firewalls, making this setup hard to achieve with them, and you usually do not. One notable exception are COTS Routers that offer a USB Port to connect a printer to, in which case the device itself functions as the print server.

Lastly, please note that the threat model for private households and companies vastly differ and this setup might not be suitable for home deployment.

Tobi Nary
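The following nftables ruleset is an added example of the firewall rules the answer above describes for the layout `[Clients -> (Firewall] -> {Print Server) -> Printers}`; it is not part of Tobi Nary's answer. It assumes a Linux box acting as the firewall with three interfaces, and the interface names, subnets and print server address (`wan0`, `lan0`, `prn0`, `192.168.10.0/24`, `192.168.20.10`) are invented for the example. The printers are attached to the print server by USB, so they have no network address at all and need no rules.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the original answer).
# Assumed topology:
#   wan0 = ISP uplink
#   lan0 = client network, 192.168.10.0/24
#   prn0 = print server network, print server at 192.168.20.10
# Printers hang off the print server over USB and are never addressable.

define WAN = "wan0"
define LAN = "lan0"
define PRN = "prn0"
define LAN_NET = 192.168.10.0/24
define PRINT_SERVER = 192.168.20.10

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # the firewall itself is managed only from the client LAN
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # reply traffic for connections the rules below allowed
        ct state established,related accept

        # clients may reach the internet
        iifname $LAN oifname $WAN ip saddr $LAN_NET accept

        # clients may submit print jobs (IPP 631, raw 9100) and
        # administer the print server (22); nothing else crosses
        iifname $LAN oifname $PRN ip saddr $LAN_NET ip daddr $PRINT_SERVER \
            tcp dport { 22, 631, 9100 } accept

        # the print server never initiates anything: no internet,
        # no connections back into the client LAN. These rules are
        # redundant with the drop policy but the counters let you
        # verify that the isolation is actually being exercised.
        iifname $PRN oifname $WAN counter drop
        iifname $PRN oifname $LAN counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # only the client LAN is NATed to the internet; the print
        # server network is deliberately left out
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Check it with `nft -c -f` before loading, then watch `nft list chain inet filter forward` after sending a print job: the accept rule for port 631 should count packets while the two `counter drop` rules for `prn0` stay at zero unless the print server tries to call out, which is exactly the event you would want to notice.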