Why access isolation and forwarding for LAN

Source: Internet
Author: User
Tags: remote desktop access
LAN access isolation

1. For example, an enterprise network can divide its LAN into different virtual areas (VLANs) according to users' authorization, which makes access control between VLANs easy; communication between PCs within the same VLAN is free and unrestricted.

2. We can assign a different network segment to each VLAN. For example, the wireless PCs belong to VLAN1, whose network segment is 192.168.1.0/24 with gateway 192.168.1.1; correspondingly, the ordinary employees' PCs use 192.168.8.0/24 with gateway 192.168.8.1, and so on. The purpose of this arrangement is to make the gateway addresses easy for staff to remember and to reduce maintenance difficulty.

3. From Part 3, on Internet access and LAN communication, we know that when a PC accesses a PC in a different network segment, the traffic must be forwarded by a gateway (such as the gateway address 192.168.8.1), whereas no gateway is needed to access the same network segment. For example, when ordinary employees' PCs in VLAN8 access each other, the traffic does not need to be forwarded by the gateway (that is, no gateway address needs to be set for internal mutual access); but a supervisor in VLAN9 needs the help of the respective gateways 192.168.9.1 and 192.168.10.1 to access the servers in VLAN10.

4. Based on such a division of CIDR blocks, we can implement flexible access control on the vendor's network gateway: restrict mutual access between different VLANs, or implement more advanced one-way access control, for example allowing only VLAN8 and VLAN9 to access VLAN10 while VLAN10 cannot access VLAN9 or VLAN8.

Implementation of LAN access Isolation Technology

Access, in terms of data streams, means two-way data transmission. For example, if A wants to access B, not only must the data from A → B reach B correctly, but the data from B → A must also be delivered correctly to A. As long as the traffic in either direction is restricted, the access is restricted.

After dividing users into different VLANs according to their access methods and authorizations, the most basic isolation, between wireless and wired PCs, can be achieved with simple packet-filtering firewall access control rules; you can add the following configuration:

Next, we need to implement one-way access control. For example, VLAN8 and VLAN9 can access VLAN10 at will, while VLAN10 cannot actively initiate access. This can be done with a packet-filtering firewall plus ASPF (Application Status Packet Filtering) state detection. ASPF detects the direction in which an IP address access is initiated, as shown in:


In the figure above, host 192.168.9.2 in VLAN9 accesses TCP port 80 (the HTTP application) of 192.168.10.2. During gateway forwarding, this access triggers the creation of a flow <5 tuples>; at the same time, the ASPF module creates a mirror stream <5 tuples> based on that triggering stream. The mirror stream matches the data returned by the 192.168.10.2 HTTP application to 192.168.9.2, so when the traffic returned by 192.168.10.2 matches the mirror stream, it is forwarded normally:


If VLAN10 initiates remote desktop access to VLAN9 (TCP port 3389), the gateway denies the access because no matching mirror stream <5 tuples> exists.


Since both the VLAN10 interface and the VLAN9 interface on the gateway can be configured with packet filtering and ASPF, which configuration is appropriate? The requirement for one-way access control is that VLAN10 cannot initiate access to VLAN9 or VLAN8, so configuring on the VLAN10 interface reduces the amount of configuration, as shown below:

Let's analyze the configuration and the logical relationships on the VLAN10 interface:


1. First, VLAN8 and VLAN9 are permitted in the outbound direction and all other access is denied; that is, only VLAN8 and VLAN9 can access VLAN10.

2. Second, everything is denied in the inbound direction; that is, any access initiated from VLAN10 is denied.

3. ASPF policy 1 is applied in the outbound direction to detect TCP and UDP. Combined with 2301, it detects TCP and UDP access initiated by VLAN8 and VLAN9, establishes the mirror stream <5 tuples>, and then permits the access (the return traffic matching the mirror stream passes despite the inbound deny).
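To make the three rules above and the 5-tuple mirror-stream behaviour from the figures concrete, here is a small Python simulation of the VLAN10 interface policy. It is an added example, not code from the original article or from any vendor's gateway; the class and function names (`Vlan10Interface`, `gateway_forward`, `vlan_of`), the wireless VLAN1 segment's inclusion in the model, and all host addresses other than the article's 192.168.9.2 and 192.168.10.2 are assumptions. It also replays the Part 3 point that same-segment traffic never reaches the gateway at all.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology following the article: one gateway with VLAN
# interfaces. Segments are the article's examples; hosts are made up.
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.1.0/24"),    # wireless PCs
    8: ipaddress.ip_network("192.168.8.0/24"),    # ordinary employees
    9: ipaddress.ip_network("192.168.9.0/24"),    # supervisors
    10: ipaddress.ip_network("192.168.10.0/24"),  # servers
}


@dataclass(frozen=True)
class Packet:
    """One IP packet reduced to the 5-tuple the filter and ASPF look at."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def vlan_of(ip: str):
    """Return the VLAN id whose segment contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLAN_SUBNETS.items():
        if addr in net:
            return vid
    return None


class Vlan10Interface:
    """Hypothetical model of the three rules placed on the VLAN10 interface.

    Directions follow the article: 'outbound' = leaving the gateway towards
    VLAN10, 'inbound' = entering the gateway from VLAN10.
    """

    # Rule 1: outbound packet filter permits VLAN8/VLAN9 sources, denies the rest
    OUTBOUND_PERMIT_SRC = (VLAN_SUBNETS[8], VLAN_SUBNETS[9])
    # Rule 3: ASPF policy detects these protocols and records mirror streams
    ASPF_DETECT = frozenset({"tcp", "udp"})

    def __init__(self):
        # A mirror stream is stored as the reversed 5-tuple, i.e. exactly
        # the tuple the return packet coming from VLAN10 will carry.
        self.mirror_streams = set()

    def outbound(self, pkt: Packet):
        src = ipaddress.ip_address(pkt.src_ip)
        if not any(src in net for net in self.OUTBOUND_PERMIT_SRC):
            return False, "denied by outbound packet filter"
        if pkt.proto in self.ASPF_DETECT:
            self.mirror_streams.add(
                (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return True, "forwarded outbound; mirror stream created"

    def inbound(self, pkt: Packet):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.mirror_streams:
            return True, "forwarded inbound; matched ASPF mirror stream"
        # Rule 2: the inbound packet filter denies everything else
        return False, "denied by inbound packet filter"


def gateway_forward(vlan10: Vlan10Interface, pkt: Packet):
    """Decide pkt's fate; only traffic to or from VLAN10 meets the policy."""
    src_vlan, dst_vlan = vlan_of(pkt.src_ip), vlan_of(pkt.dst_ip)
    if src_vlan is None or dst_vlan is None:
        return False, "dropped: unknown segment"
    if src_vlan == dst_vlan:
        return True, "on-link: same segment, gateway not involved"
    if dst_vlan == 10:
        return vlan10.outbound(pkt)
    if src_vlan == 10:
        return vlan10.inbound(pkt)
    return True, "forwarded: VLAN10 interface not involved"


def run_demo():
    """Replay the article's scenarios; returns the allow/deny decisions in order."""
    vlan10 = Vlan10Interface()
    scenarios = [
        # VLAN9 supervisor opens HTTP to a VLAN10 server (triggering stream)
        Packet("tcp", "192.168.9.2", 51000, "192.168.10.2", 80),
        # the server's reply, which matches the mirror stream
        Packet("tcp", "192.168.10.2", 80, "192.168.9.2", 51000),
        # VLAN10 server tries remote desktop into VLAN9: no mirror stream
        Packet("tcp", "192.168.10.2", 40000, "192.168.9.2", 3389),
        # two VLAN8 PCs talking: never reaches the gateway
        Packet("tcp", "192.168.8.5", 4000, "192.168.8.6", 445),
        # VLAN8 to VLAN9 is not restricted by the VLAN10 interface
        Packet("udp", "192.168.8.5", 5000, "192.168.9.7", 53),
        # wireless VLAN1 PC to a VLAN10 server: not in the outbound permit list
        Packet("tcp", "192.168.1.9", 5000, "192.168.10.2", 80),
    ]
    return [gateway_forward(vlan10, p)[0] for p in scenarios]


if __name__ == "__main__":
    print(run_demo())  # [True, True, False, True, True, False]
```

The model keeps mirror streams forever and matches them only on the exact 5-tuple; a real ASPF implementation ages entries out, tracks TCP state, and handles protocols with secondary channels (such as FTP data connections), none of which is shown here.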

If you have more flexible requirements, analyze the one-way access control conditions, work out the logical relationship between ASPF and the firewall rules, and implement it in the same way.
