
We have so many devices (IoT and wintel, macs, androids, ios) spread across a few VLANs. Worried about any one device getting affected (e.g. Ransomware) and potentially infecting all other devices on the VLAN. Do you see this as a problem too? Any solution recommendation? Data centers are deploying micro-segmentation. Why not for campus?

schroeder
Ricky
    There are a lot of assumptions made in your question. And I'm not sure what you are asking. You segment in order to contain problems, so yes, segmentation helps to contain ransomware. Why do you think that campuses do not use micro-segmentation? – schroeder Apr 06 '19 at 20:50
  • The segmentation in campuses (via VLANs) isn't effective since we have 1000s of devices in a single VLAN, which allows free-flow communication between those devices. Any infected device can potentially infect the entire VLAN, no? I am not aware of any solution that allows for granular segmentation (beyond VLANs). – Ricky Apr 06 '19 at 22:36
  • @Ricky: It is possible to do some granular segmentation with software defined networks and do some crude segmentation even without. The question is what exactly do you want to separate. The ability that no machine can talk to the other but still can go to the internet is probably mostly easy to do. But to limit who can talk to the other one with which protocol at which time with which bandwidth .. is way more complex - less from the ability to do the actual separation but from who manages all the necessary separations in a dynamic network environment like a campus. And who pays for it. – Steffen Ullrich Apr 07 '19 at 06:34
  • I prefer whitelist approach. Even if some devices need to communicate with each other, I suppose it would be limited applications/ports - unlike data centers. If this approach protects the LAN environment, then the investment may come from the security budget. – Ricky Apr 07 '19 at 23:45

1 Answer


Assuming that in many/all cases there's no requirement for individual wireless clients to communicate with each other (i.e. they only need to communicate with server devices and Internet sites), one option to consider for this would be Wireless Client Isolation.

This is a feature provided by some (generally more enterprise) wireless networking setups which stops clients from talking to other devices on the same VLAN apart from their default Gateway. For example this document from Cisco describes their approach.

That would work to prevent clients infecting other devices on the VLAN. Past that you'd need to make use of standard firewalling to ensure that clients could only get to approved local server services and out onto the Internet, and then ensure that your servers are well patched/protected, so that if ransomware does get onto the campus you're limiting what it can affect.

Rory McCune
  • Yes, I noticed this feature even in my ASUS router. But it's an all-or-none option and only works for wireless devices. – Ricky Apr 07 '19 at 23:43
  • Sure, it's limited, but it's a good part of the control environment where possible. There's not going to be a silver bullet solution for this issue; it'll be setting up a series of controls to reduce the risk. – Rory McCune Apr 08 '19 at 08:56
  • I agree. I just wish there was a micro-segmentation solution for Campuses to reduce the attack footprint by miles. In the meantime, we'd continue to protect the traditional way. Cheers! – Ricky Apr 08 '19 at 22:06
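The whitelist approach discussed in the answer and its comments (clients may reach only their default gateway, a short list of approved server services and the Internet, never each other) checked against flow records, as an added example that is not code from the original answer or from Cisco; the client VLAN, gateway, service addresses and flow records are constructed sample values.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
# Constructed policy (assumed values, not from the thread): one client VLAN,
# its default gateway, and the only server services clients may reach.
CLIENT_VLAN = ipaddress.ip_network("10.20.0.0/22")
GATEWAY = ipaddress.ip_address("10.20.0.1")
ALLOWED_SERVICES = {
    ("10.50.0.10", "tcp", 443),  # intranet web application
    ("10.50.0.20", "udp", 53),   # campus resolver
}

def classify(flow):
    """Verdict for one flow under the whitelist: gateway, approved services and
    the Internet are allowed; client-to-client traffic inside the VLAN is not."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in CLIENT_VLAN:
        return "not-client"        # traffic from other segments is out of scope
    if dst == GATEWAY:             # tested before the VLAN check: gateway is inside it
        return "allow-gateway"
    if dst in CLIENT_VLAN:
        return "block-lateral"     # peer-to-peer: what client isolation should stop
    if (flow.dst, flow.proto, flow.dport) in ALLOWED_SERVICES:
        return "allow-service"
    if dst.is_global:
        return "allow-internet"
    return "block-default"         # any other internal destination is denied

def audit(flows):
    """Count verdicts and collect the lateral flows worth investigating."""
    counts, lateral = {}, []
    for f in flows:
        v = classify(f)
        counts[v] = counts.get(v, 0) + 1
        if v == "block-lateral":
            lateral.append(f)
    return counts, lateral

# Constructed flow records in the shape a NetFlow/sFlow export would give.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.0.1", "tcp", 443),     # to the gateway
    Flow("10.20.1.15", "10.50.0.10", "tcp", 443),    # approved web app
    Flow("10.20.1.15", "10.20.2.40", "tcp", 445),    # SMB to a neighbour: lateral
    Flow("10.20.2.40", "10.20.3.7", "tcp", 3389),    # RDP to a neighbour: lateral
    Flow("10.20.1.15", "93.184.216.34", "tcp", 443), # Internet site
    Flow("10.20.1.15", "10.50.0.99", "tcp", 22),     # unapproved internal server
]
```

Running `audit(SAMPLE_FLOWS)` over real flow exports shows how much intra-VLAN traffic a client-isolation or whitelist policy would actually cut, before any rules are enforced.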