
I saw a network setup recently that looked like the following:

[network diagram, image not reproduced]

The ISP provides two static public IPs on a specific VLAN; one is used for the internal network and the other for a server exposed to the Internet.

They wanted the server to have access to the internal network as well but without depending on the internal router - to avoid downtime due to internal network maintenance etc.

What they did was to use a Switch after the ISP ONT (Optical Network Terminal) that passes VLAN 101 to the router WAN port and to the server port as well. Then they connected one of the router's LAN ports to the Switch so it can tag all the traffic and make it available on the server port as well.

Questions:

1) Is this setup secure? How likely is it for someone on the Internet to be able to access their internal network, maybe using some kind of VLAN hopping attack? What about the ISP?

2) The switch is a GS105Ev2. Can it really isolate the networks?

I know that the server can be hacked via its public IP and someone might use it to access the internal network, but let's assume that's not possible and strictly focus on the security implications of having a public and private network on the same cable and a setup like that.

TCB13

1 Answer


Is this setup secure?

That's a matter of opinion and requirements - I'd vote no since I require an independent firewall in front of every publicly connected or mapped host. The VLAN-hopping attack vector is real, but not all that relevant since it's only your ISP that can attack here. The zero trust approach requires you to distrust them all the same and put a decent filter in between.

Can it really isolate the networks?

Correctly configured, VLANs isolate networks very reliably and securely. Correspondingly, a switch connected to the VLAN must not have any IP binding in untrusted VLANs. Better still, it should have an IP binding to the management VLAN only.

For a secure setup I'd also suggest moving any host with exposed services to a DMZ VLAN. At best, no connection from the DMZ to the internal LAN is to be permitted, only in reverse from LAN to DMZ. If you don't want to make any performance compromises or spend a fortune on a high-performance firewall, you could use a layer-3 switch: use ACLs that permit defined services only (e.g. from DMZ server IP TCP port 443 to LAN client IP ephemeral ports).

Zac67
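The ACL rule the answer gives as an example ("from DMZ server IP TCP port 443 to LAN client IP ephemeral ports") is a stateless filter, and it is worth seeing exactly what it does and does not block. The following is an added example, not code from the question or the answer: it models that rule pair as it would be applied on a layer-3 switch, with hypothetical addresses (192.0.2.10 for the DMZ server, 10.0.0.0/24 for the LAN) and constructed sample packets. It also shows the usual "established" refinement (require the ACK bit), which closes the most obvious gap, and the case a flag check alone still lets through, which is the reason the answer treats a real firewall as the better option.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing (an assumption for this example, not from the page).
DMZ_SERVER = ip_address("192.0.2.10")      # the Internet-exposed host, moved to a DMZ VLAN
LAN = ip_network("10.0.0.0/24")            # internal clients
EPHEMERAL = range(1024, 65536)             # "ephemeral ports" as the ACL example uses them


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless L3 ACL can match on."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def lan_to_dmz_permitted(p: Packet) -> bool:
    """ACL applied inbound on the LAN VLAN: clients may only open HTTPS to the server."""
    return (ip_address(p.src) in LAN
            and ip_address(p.dst) == DMZ_SERVER
            and p.dport == 443)


def dmz_to_lan_permitted(p: Packet, require_established: bool = True) -> bool:
    """ACL applied inbound on the DMZ VLAN: 'from DMZ server IP TCP port 443 to LAN
    client IP ephemeral ports', and nothing else.

    A stateless switch cannot know whether such a packet is really a reply, so
    require_established adds the common 'established' refinement: the ACK bit
    must be set, which drops a bare SYN that merely uses 443 as its source port.
    """
    if ip_address(p.src) != DMZ_SERVER or p.sport != 443:
        return False
    if ip_address(p.dst) not in LAN or p.dport not in EPHEMERAL:
        return False
    if require_established and not p.ack:
        return False
    return True


# Constructed traffic: one legitimate HTTPS session plus what a compromised DMZ
# server might try toward the LAN. Port 3389 is above 1024, so it falls inside
# the "ephemeral" range the rule permits.
CLIENT = "10.0.0.5"
SAMPLES = {
    "client opens https":       Packet(CLIENT, 51000, str(DMZ_SERVER), 443, syn=True),
    "client tries ssh":         Packet(CLIENT, 51001, str(DMZ_SERVER), 22, syn=True),
    "server syn-ack reply":     Packet(str(DMZ_SERVER), 443, CLIENT, 51000, syn=True, ack=True),
    "server bare syn from 443": Packet(str(DMZ_SERVER), 443, CLIENT, 3389, syn=True),
    "server ack-flagged probe": Packet(str(DMZ_SERVER), 443, CLIENT, 3389, ack=True),
    "server from other port":   Packet(str(DMZ_SERVER), 8443, CLIENT, 51000, ack=True),
}


def evaluate(require_established: bool = True) -> dict:
    """Run every sample through the ACL for the VLAN it arrives on."""
    results = {}
    for name, p in SAMPLES.items():
        if ip_address(p.src) in LAN:
            results[name] = lan_to_dmz_permitted(p)
        else:
            results[name] = dmz_to_lan_permitted(p, require_established)
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print(f"require_established={mode}")
        for name, ok in evaluate(mode).items():
            print(f"  {'PERMIT' if ok else 'DENY  '} {name}")
```

Without the flag check, a root-level attacker on the DMZ server can reach any LAN port above 1023 simply by sourcing connections from port 443. With it, bare SYNs are dropped, but an ACK-flagged probe (the classic ACK scan, or traffic to a service that does not insist on a handshake) still matches, because a stateless ACL checks header bits, not connection state. Only a stateful firewall, which tracks that the LAN client sent the SYN first, closes that last case; that is the performance-versus-cost trade-off the answer describes.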
  • Thank you for the answer. Unfortunately in GS105Ev2 the Switch management interface is exposed to all VLANs - there's no way to set the management interface VLAN ID. This further corroborates your opinion that the ISP can hack them / reconfigure the Switch remotely to access their internal network. – TCB13 Feb 12 '22 at 10:30
  • If you remove the switch's IP address within a VLAN there's no way to access the management interface. – Zac67 Feb 12 '22 at 10:40
  • What do you mean by "remove"? – TCB13 Feb 20 '22 at 18:03
  • If there is an address, remove it. If there isn't, leave it that way. – Zac67 Feb 20 '22 at 18:05
  • GS105Ev2 exposes the management interface in all VLANs with a static IP (configured that way). Any computer connected to one of those VLANs that knows the switch IP range can access the UI. – TCB13 Feb 20 '22 at 18:11
  • Duh - that's near criminal... – Zac67 Feb 20 '22 at 19:33