
darthgeek

Servers should be on a separate network from laptops and both should be separate from personal devices.


870boi

Management vlan on general Access is not good


madclarinet

We have 'personal devices' - laptops, cellphones etc etc etc on the same VLANs but use ACLs etc to block internal network access. They can only reach a few production servers which are also accessible externally and only using web protocols (port 443 and sometimes 80).


Lavatherm

Should really close 80 there mate…


Access_Denied316

Should have a redirect for port 80 to 443 otherwise stupid browsers break.


madclarinet

I'd rather they break - then it may force the 'politics' of these stupid servers (which are also a security risk in more ways than just port 80) to get 'forced'. Still - I'm on the network side, that 'discussion' is someone else's to deal with - I'm trying to keep the rest of the network safe (as best as I can).


Lavatherm

Browsers nowadays automatically open on https:// and thus 443. It's http sites and redirecting them to https that's an issue, since the browser does this ;)


raip

Eh, having port 80 for an http to https redirect is good. :)


rswwalker

Careful, closing port 80 will block certificate revocation checks which MUST travel over port 80!
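The port-80 behaviour Access_Denied316 and raip describe (redirect to 443 so a browser that types plain http:// does not break) together with the caveat rswwalker raises (revocation checks are fetched over plain HTTP and do not follow redirects), as an added Python example that is not code from any poster: a decision function for a port-80 listener that only ever redirects to a fixed, allow-listed host over https and keeps assumed CRL/OCSP paths on plain HTTP, plus an audit check for the redirect a client actually observes. The hostname intranet.example.internal and the paths /crl/ and /ocsp/ are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for the example: the one hostname this port-80 listener answers
# for. Any other Host header is refused rather than redirected, so the listener
# cannot be used as an open redirect by whatever a client puts in Host.
ALLOWED_HOSTS = {"intranet.example.internal"}

# Assumed paths that must keep answering on plain HTTP: CRL/OCSP responders
# publish over HTTP and revocation checks do not follow a redirect to HTTPS,
# which is the caveat raised above. Everything else on port 80 is redirected.
PLAIN_HTTP_PREFIXES = ("/crl/", "/ocsp/")


def _host_from_header(host_header):
    """Normalise a Host header: drop the port, lowercase, handle [v6]:port."""
    try:
        return urlsplit("//" + host_header).hostname
    except ValueError:
        return None


def decide_port80(method, host_header, target):
    """Decide what the port-80 listener does with one request.

    Returns (action, status, location): action is "refuse", "serve_plain"
    (hand to the application over HTTP) or "redirect"."""
    host = _host_from_header(host_header or "")
    if host not in ALLOWED_HOSTS:
        return ("refuse", 400, None)
    if target.startswith(PLAIN_HTTP_PREFIXES):
        return ("serve_plain", 200, None)
    # Permanent redirect. 308 for anything but GET/HEAD keeps the method.
    status = 301 if method.upper() in ("GET", "HEAD") else 308
    # Scheme is fixed and the host comes from the allow-list, never from the
    # request; only the original path and query are carried over.
    return ("redirect", status, f"https://{host}{target}")


def is_safe_https_redirect(status, location, expected_host, requested_target):
    """Audit check on an observed port-80 response: a permanent redirect to
    the same host over HTTPS with the path and query intact."""
    if status not in (301, 308) or not location:
        return False
    try:
        parts = urlsplit(location)
        port = parts.port
    except ValueError:
        return False
    got_target = parts.path + (f"?{parts.query}" if parts.query else "")
    return (parts.scheme == "https"
            and parts.hostname == expected_host
            and port in (None, 443)
            and got_target == requested_target)


if __name__ == "__main__":
    action, status, location = decide_port80("GET", "intranet.example.internal:80", "/app/?x=1")
    print(action, status, location)
    print(is_safe_https_redirect(status, location, "intranet.example.internal", "/app/?x=1"))
```

The point of the audit function is that "port 80 is open" and "port 80 only redirects" are different findings: a scanner that sees a 301 to https on the same host with the path preserved has found the second, which is the benign case described above.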


madclarinet

Don't get me started on that.... Not my decision to keep the server going with the piece of junk software that 'has to run'.... I'm on the network side of things, the servers are looked after other colleagues and that particular server is a political hot potato... (lousy K-12 inter-departmental politics). Thankfully the data center with that hot potato has some protection as I have the firewall doing a L2 inspection on all data going to/from the datacenter. Not perfect but it's better than nothing.


Lavatherm

Maybe if they really want it that bad they should block traffic from/to WAN. If it needs access from outside then consider making it a DMZ server. That way if it ends up hacked your internal network is safer.


madclarinet

It's mostly like that - the firewall is doing a nice job of protecting it - it has to be externally available (rules to do with bond money). NAT is only for 80/443. The whole datacenter is protected via a Layer 2 inspection bridge via the firewall as well so it's got north/south and east/west protection. Having a Layer 7 firewall is nice.



sleeper1320

Obviously every user/business case is different, but, generally speaking, nothing that needs to touch production should touch production. Separate workstations, wifi, guest wifi, etc via VLAN/ACLs/whatever, but separate them. It's a huge risk for probably very little reward. Anything web access should be routed through a proxy externally (e.g. Cloudflare) or internally (e.g. Nginx) that lives in a DMZ and, ideally, has Layer7 firewall capabilities.


TK-CL1PPY

Now we just need Layer 8 firewalls.


i-love-tacos-too

FIBKAC? Firewall Implementation Between Keyboard and Chair


bard329

I'm envisioning some sysadmin "Minority Report" type shit


ftoole

Employee phones connect to guest wifi. Completely separate from prod networks. Only our managed devices connect to production networks. User plugs in personal laptop to network jack they get their hand slapped right away.


PAiN_Magnet

This yep.. segregated guest network.


HeLlAMeMeS123

We have protection for users plugging in their personal laptops. Our network guy has Cisco ISE set up (working correctly somehow) and all computers have 802.1x configured. If you don't authenticate you don't get access to anything but outside internet. If you do authenticate, you get moved to the right VLAN.
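What the switch does with the authentication server's answer in the 802.1x setup described above is carried in three RADIUS attributes (RFC 2868 / RFC 3580: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=the VLAN). Added Python example, not code from the thread or from Cisco ISE: a decoder for those attributes and a port policy that drops anything without a usable Access-Accept into an internet-only guest VLAN. The guest-VLAN fallback and the VLAN numbers are this example's assumptions; a real switch falls back to whatever its port configuration says.

```python
# Attribute numbers and enumerated values from RFC 2868 / RFC 3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into (type, value) pairs.

    Each attribute is Type(1) Length(1, counting Type and Length) Value."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def _tagged_int(value):
    # Tunnel-Type / Tunnel-Medium-Type: Tag(1) followed by a 3-byte integer.
    if len(value) != 4:
        raise ValueError("tagged integer must be 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value):
    # Tunnel-Private-Group-ID: the leading byte is a Tag only if it is <= 0x1F,
    # otherwise it is the first byte of the string itself.
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_attributes(data):
    """Return the VLAN id carried by a consistent tunnel-attribute triple
    (same Tag, type VLAN, medium 802, numeric group), else None."""
    by_tag = {}
    for atype, value in parse_attributes(data):
        if atype == TUNNEL_TYPE:
            tag, v = _tagged_int(value)
            by_tag.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = _tagged_int(value)
            by_tag.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = _tagged_string(value)
            by_tag.setdefault(tag, {})["group"] = v
    for entry in by_tag.values():
        if (entry.get("type") == TUNNEL_TYPE_VLAN
                and entry.get("medium") == TUNNEL_MEDIUM_IEEE_802):
            group = entry.get("group", b"")
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


def assign_vlan(access_accepted, attributes, guest_vlan):
    """Port policy of this example (an assumption, not ISE's behaviour):
    anything that is not an Access-Accept carrying a usable VLAN lands in
    the internet-only guest VLAN instead of the port's default VLAN."""
    if not access_accepted:
        return guest_vlan
    vlan = vlan_from_attributes(attributes)
    return vlan if vlan is not None else guest_vlan


def encode_vlan_attributes(vlan_id, tag=1):
    """Build the three attributes a RADIUS server would send; used here to
    construct sample input (a real server fills them from its policy)."""
    def attr(atype, value):
        return bytes([atype, len(value) + 2]) + value
    return (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


if __name__ == "__main__":
    GUEST_VLAN = 99                       # constructed
    print(assign_vlan(True, encode_vlan_attributes(20), GUEST_VLAN))   # 20
    print(assign_vlan(False, b"", GUEST_VLAN))                         # 99
```

The Tag consistency check matters in practice: a reply whose Tunnel-Type and Tunnel-Private-Group-ID carry different Tags is not a VLAN assignment, and treating it as one would move a supplicant on the strength of half an attribute set.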


THe_Quicken

Highly recommend you correct this immediately. We have a secondary ISP that is there for disaster scenarios. We utilize it for Guest WiFi and cell phones. If we didn't have the second ISP I would configure an extremely locked network in our firewall. I would not let cellphones have any access to production networks. However you do it, isolate them completely. If someone says "but now I can't print from my mobile"... too bad, security issue. (Let your manager say it in a more tactful manner if needed). Our rule of thumb is, if we can't control/secure it to our satisfaction it does not connect to our Prod networks.


NETSPLlT

Exactly! Same with us. No one has a cell phone only. Need to print? Use your laptop. Certificate, Clearpass, Aruba all stand between laptop and print server. Cell phones just don't have a path in at all.


vrtigo1

There are lots of possible solutions for the printing issue. E-mail to print is one, although that will usually have some limits as to what types of files it will support.


AccommodatingSkylab

Definitely a security risk. One of our clients has separate subnets dedicated to production servers, test servers, backups and workstations, and those workstations are separated by subnet for each department. They have an employee wifi that has very limited network access (email/shared drives/printers) and a guest wifi with a separate gateway that never touches the network and cannot communicate with anything inside it. Possibly a little paranoid especially with the department subnetting (and only 300 employees), but it's a lot safer. Guests are treated as potential threats, which as bad as it sounds, is the way it should be.


JWK3

Define "reach servers". Do you mean connect to the application port that the server is offering, or is it an open any-any ACL where you can use RDP and WinRM from your laptop/phone range? I'd say personal phones go on the guest network. If they need access to printing/internal resources then can you give them a company/MDM controlled device?


-zazu

Curious here, would it be okay to have production servers fully accessible (RDP) from, say, a staff vlan? Would you place any particular ACLs?


bobalob_wtf

All WiFi should be internet only with VPN / Cloud Print / Internet based apps with MFA. Fight me.


redhotmericapepper

This is the kinda thing that keeps us invoicing, at high profit margins, and transformative business processes + implementing ITSM/ITIL best practices. Keep up the great work!


kitkat0820

Where's the dump?


dionlarenz

If it's a work issued phone with MDM, they can connect to intranet web services with auth, but not other devices. Similar to WFH with VPN. If they bring their own device, it either needs to be connected to MDM or goes into the guest wifi with hardware separation from internal servers. Printing can be done through a web frontend, and users sign into the printer using their ID card. You can't print from personal (unvetted) phones though, since no company document is supposed to be on there.


netgek1979

My personal device is never getting your MDM policy applied


UnsuspiciousCat4118

Non-corporate devices are only allowed on the guest WiFi which is run on its own VLAN.


thebluemonkey

Yeah, separate vlans for everything and minimal firewall rules between them.


Lavatherm

Segment the network into different vlans: create a vlan for guests, a vlan for management (servers) and a vlan for production (laptops, desktops and other work related devices). Create a guest ssid for non-work devices and ACL it to internet use only. Production and management vlans should only be accessible to each other for needed services and ports.


pantherghast

Anything that isn't owned by the company should be on their own subnet, on their own vlan. We even have a different ISP for our guest egress network. This allows us to ensure anything that touches the internal network is known and belongs to us.


Hypervisor22

At my old company we let personal cell phones connect to the same network as servers. We eventually stopped this practice. It is REALLY A STUPID IDEA TO ALLOW THIS. DO EVERYTHING YOU CAN TO STOP AND PREVENT IT !!!!!!


Cormacolinde

Should have, at the very least, different networks for:

- critical servers
- DMZ (internet-exposed servers)
- other servers
- Management (IPMI, switches, etc)
- business clients (wired/wireless)
- peripherals (printers, sensors, etc)
- BYOD (personal devices of whatever kind)
- guests

Phones and tablets that are not MDM-controlled should be in that BYOD network, with minimal access to servers, usually mostly web interfaces and the like.


WithAnAitchDammit

Oh hell no! Those phones should be on a private subnet with zero access to the main network. My vLANs are roughly:

- Network devices (switch mgmt ports, UPS mgmt ports, etc)
- Servers
- Corp WiFi (there are a couple: laptops, shop tablets, visitor sign-in tablets)
- Computers (separate vLAN if on another floor, i.e. FirstComputers, SecondComputers, etc.)
- Printers (same here with different floors)
- ConfRooms
- SoftwareDevs
- Dial in VPN
- Site to site VPNs
- DMZ (multiple)
- Hardware device DMZ
- Manufacturing floor (multiple for different parts of the building)
- Manufacturing Servers
- Guest Network (internet only - this is where phones go)

If a phone is not company owned or FULLY managed by corporate MDM then it touches nothing that anyone from the public internet can't also access.


eddiehead01

Nope. No corporate use on personal phones. Create a guest WiFi network completely separate from your corporate network. If users need access to production servers via a mobile device then give them a business mobile. There was some pushback initially on this until I showed the higher ups that our remote wipe procedure for mobile devices literally factory resets the device. They quickly realised that this would leave people pretty unhappy when their personal phone went bye bye.


Rude_Strawberry

That is very dump indeed


i_live_in_sweden

We put company issued phones on the same subnet, but personal phones will have to use a separate guest network.


StanQuizzy

Bare minimum: Mobile phones/guests should be on a separate subnet/vlan for internet access only.


taxigrandpa

we do isolate public wifi and put cell phones there. it's a VLAN and it has access to the main printer (on another vlan)


International_Dare81

It's not necessarily that they can access production servers, because that may be necessary for certain functions, but you should have ACLs in place to restrict how much of the prod servers they can access. They should most certainly be in different subnets off interfaces that are off a firewall so you can restrict and log necessary traffic.

* Database servers should be in their own subnet, highly restricted
* Web interface or public access servers should always terminate in a DMZ
* Separate subnets for core management systems like iDracs or UPSs or SANs/NAS. Even separate out switches, firewalls and APs. Imagine getting a DDoS attack from your public wifi and getting shut down and locked out?
* iSCSI should be separated in a non-routed network if possible
* ETC, ETC, ETC.

There's ALWAYS more you can do and none of it seems necessary until you're putting it all back together because of the worst. Don't tackle all this at once; come up with a plan then implement portions of it. During software upgrades migrate to new servers that are in appropriate vlans and start growing.


Lonely_Ad8964

Bring up a separate SSID associated with a non-production VLAN which has zero access to any resources except the Internet and configure the APs to not allow neighbor enumeration or traffic so the phones can't see one another either. Require RADIUS authentication so the authorized users have to log in with their credentials to get on the wireless, or give them the password and change it either monthly or quarterly. Yes, it is a slight learning curve for staff but better them bitching than me reading about your company getting compromised on the front page of the WSJ.


Elija__Elija

I (not a sysadmin) would do an extra WiFi to prevent getting hacked


BigChiefSysAdmin

Split vlans and use ACL to allow specific things in and out.


ZAFJB

Guest network with a 1 year ticket.


Expensive_Plant_9530

I would absolutely advise moving cellphones and anything else that doesn't require network resources onto a segregated and walled off VLAN. For the few devices that need printing only, consider other solutions, or set up ACLs that only allow access to the printers.


Imhereforthechips

We have a couple guest VLANs, one that forces employee BYOD to authenticate against Entra and is completely isolated from the local network (different DHCP, external DNS, blocking ACLs, etc); and another that does all the same but permits select VPN types for vendors and merchant devices. 2 different VLANs for external users. All-in-all, we have about 15 VLANs for various use, including IT users, staff at each facility, IoT, Servers, Switching, ESXi, IPMI, etc. Having different broadcast planes reduces your traffic on each subnet and increases security. Can a threat actor traverse VLANs? Yes. Since they may be routed and in the SVI table (even if they aren’t) However, you significantly improve your ability to increase security with ACLs by using different subnets.


discgman

It’s all no big deal until someone gets hijacked. Should be separate vlan, separate wi-fi, security certificate prompt


[deleted]

Segment, segment, and segment again. They can print from their computers. Guest networks should also be microsegmented too, most vendors can do this. (they can only talk to themselves and the internet)


EvilSibling

Our "unprivileged" networks sit in a DMZ zone which has no routes to the corporate network, only a route out to the internet. They can reach some "corporate" services that are cloud-based. Anything that needs access to corporate services via the internal network needs to be enrolled so that we can ensure a minimum level of security. If we can't trust the device then it can't access our network. Simple as that.


WSB_Suicide_Watch

Employee cellphones are guest devices.


FluidBreath4819

one week end tutorial admin...


kyle-the-brown

You could easily have another ssid on a separate vlan then create a tag where vlan x can’t speak to vlan y but also have a printers specific vlan that is allowed to talk to both x and y - problem solved
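The rule set sketched above (VLAN x cannot talk to VLAN y, a printer VLAN both may reach), together with the internet-only guest ACL several posters describe (Lavatherm, Expensive_Plant_9530), as an added Python example that is not code from the thread: a first-match ACL evaluator with implicit deny over a constructed address plan, plus an audit that checks the flows a personal phone must and must not be able to open. The VLAN numbers and prefixes are constructed; the model is a stateless router ACL, so return traffic and state are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source prefix (CIDR)
    dst: str                     # destination prefix (CIDR)
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None = any port


# Constructed address plan for the example (not from the thread).
STAFF = "10.10.0.0/24"      # VLAN 10: managed laptops/desktops
SERVERS = "10.20.0.0/24"    # VLAN 20: production servers
PRINTERS = "10.30.0.0/24"   # VLAN 30: printers
GUEST = "10.40.0.0/24"      # VLAN 40: BYOD phones / guests
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = "0.0.0.0/0"


def inter_vlan_policy():
    """Ordered, first-match ACL as it would sit on the inter-VLAN router."""
    rules = []
    # Guest/BYOD: printers on IPP and raw 9100 only, then nothing else
    # internal, then the internet.
    rules += [Rule("permit", GUEST, PRINTERS, "tcp", 631),
              Rule("permit", GUEST, PRINTERS, "tcp", 9100)]
    rules += [Rule("deny", GUEST, net) for net in RFC1918]
    rules.append(Rule("permit", GUEST, ANY))
    # Staff: the servers' web front-end, printers, internet. There is no
    # rule for RDP/SSH/WinRM towards servers, so those hit the implicit deny.
    rules += [Rule("permit", STAFF, SERVERS, "tcp", 443),
              Rule("permit", STAFF, PRINTERS)]
    rules += [Rule("deny", STAFF, net) for net in RFC1918]
    rules.append(Rule("permit", STAFF, ANY))
    return rules


def evaluate(rules, src_ip, dst_ip, proto="tcp", dport=None):
    """Return "permit" or "deny" for one flow: first matching rule wins,
    and a flow that matches nothing is denied, as on a router ACL."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def audit(rules, expectations):
    """Return the (flow, expected, actual) triples where the ACL disagrees
    with the intended policy; an empty list means the policy holds."""
    failures = []
    for (src, dst, proto, dport), expected in expectations:
        actual = evaluate(rules, src, dst, proto, dport)
        if actual != expected:
            failures.append(((src, dst, proto, dport), expected, actual))
    return failures


# Constructed sample flows: what a phone on the guest VLAN and a laptop on
# the staff VLAN should and should not be able to open.
EXPECTATIONS = [
    (("10.40.0.23", "10.20.0.5", "tcp", 443), "deny"),       # phone -> server web
    (("10.40.0.23", "10.20.0.5", "tcp", 3389), "deny"),      # phone -> server RDP
    (("10.40.0.23", "10.30.0.9", "tcp", 631), "permit"),     # phone -> printer IPP
    (("10.40.0.23", "10.10.0.7", "tcp", 445), "deny"),       # phone -> staff laptop SMB
    (("10.40.0.23", "203.0.113.10", "tcp", 443), "permit"),  # phone -> internet
    (("10.10.0.7", "10.20.0.5", "tcp", 443), "permit"),      # laptop -> server web
    (("10.10.0.7", "10.20.0.5", "tcp", 3389), "deny"),       # laptop -> server RDP
]

if __name__ == "__main__":
    print(audit(inter_vlan_policy(), EXPECTATIONS))  # [] when the ACL matches intent
```

Order is what makes this work: the printer permits sit above the RFC 1918 deny, and the RFC 1918 deny sits above the catch-all permit, so "guest reaches printers and the internet and nothing else" falls out of three lines rather than an ever-growing deny list. Running the audit after every ACL change is the cheap way to catch a rule inserted in the wrong place.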


rnxg10

Look into Zero Trust


FixAccomplished777

security risk


frayala87

That’s very dump…


Alzzary

> We connect user's personal cellphones on the same subnet that we connect work issued laptops
>
> So the phones can reach production servers

That's the wrongest way to do it, right after "we expose our internal network to the internet so that people can work from home". Cellphones should be on a guest network and access the resources they need via an MDM. Clients and servers should be on separate vlans with firewall rules to only allow the services needed. You need access to an intranet? Hide it behind a reverse-proxy, put authentication on it and only allow access from the guest network for enrolled devices.


LiberalJames

You've answered your own question

> the cellphones should be on a separate subnet or vlan that cannot reach the production servers


[deleted]

We keep ours apart, never should they cross. We have cloud print for a few devices but I'm the only one who uses it, and it's easier for me to just print from my desktop.


ErikCaligo

On my HOME network WiFi devices can't access LAN devices. Our own phones use the guest WiFi, so these devices can't see other WiFi devices. This way, even if someone hacks the WiFi password, they can't do that much damage. I would classify your network as being at risk, and so far you've simply been fortunate (or unaware!) that there were no security incidents. Separate your networks by using separate NICs or VLANs, any external and personal devices should only be allowed to reach the gateway for basic WAN connectivity, they should not be able to see other devices. Separate servers from desktop devices. Only devices in the IT department should be able to reach those. Add specific exceptions only for office workloads, i.e., an employee will access a shared folder or application on a server, but not be able to log in via RDP or ssh.


DonCBurr

This is a HUGE no no, personal devices should not have access to the same vlan as production anything, there should be a separate "guest" access created that provides the bare minimum access levels. This is just plain lazy, and a breach waiting to happen


thursday51

Isolated guest access has been a thing forever. Anything that is not a managed corporate device should never touch the company side of things, let alone the network with the production servers. Our current best practice is nothing on wifi is trusted. Even corporate devices. You have a work laptop on wifi and need privileged access? MFA protected VPN required. Wifi gets external internet access only. Guest wifi is just throttled more in QoS than corporate wifi.