Network security partitioning
I am not sure I understand the VLAN feature.
I'm currently using a recycled Cisco appliance, which has multiple local LAN ports. I have these set up with a security hierarchy, such that my personal/office subnet can reach down to any of the others, whereas the IoT or DMZ subnets can only initiate communications with the public internet. It's doing the job, but is of course unsupported and (notoriously) obscure to configure.
In order to replicate this setup exactly with a Firewalla device, I would need to buy at least a Gold Lite.
VLAN appears to offer some of the same kinds of partitioning, but only if paired with a router which recognizes VLAN to break it out into the physical subnets. Otherwise, I presume all traffic would be subject to potential monitoring/sniffing.
Am I understanding that correctly, and if so what should I look for in a low-cost router to provide this isolation? Or how could I check whether any of my existing routers can provide that breakout?
Or am I misunderstanding?
Or should I just bite the bullet and consider a Gold Lite?
-
Hi there,
You are correct; VLANs typically will need VLAN-capable switches or access points in order to assign devices to separate networks. A good first step is to check your router's UI for VLAN or port tagging options to ensure your hardware can do this.
If you're interested in physically separating your networks with different LAN ports, then the Firewalla Gold series (Gold SE, Gold Plus, or Gold Pro) would work well for you.
You could have separate IoT, DMZ, or personal LANs, and create Firewalla rules to control traffic between them.
Here are some resources that might help:
- Network Segmentation: https://help.firewalla.com/hc/en-us/articles/4408644783123-Network-Segmentation
- Grouping, Segmentation, and Microsegmentation: https://help.firewalla.com/hc/en-us/articles/42588505047187-Groups-Segmentation-and-Microsegmentation-with-Firewalla
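As an added illustration (not Firewalla's configuration, and not the poster's Cisco setup), here is what the hierarchy described above looks like on a generic Linux router once VLANs are "broken out": one tagged trunk to a VLAN-capable switch, one sub-interface per VLAN, and a default-drop nftables forward chain where the office segment may initiate anywhere, IoT and DMZ may only initiate toward the uplink, and replies come back via connection tracking. The interface names (wan0, lan0) and VLAN IDs (10/20/30) are assumptions. The functions emit text so the commands can be reviewed before being applied.

```shell
# Added example, not Firewalla code. Assumed names: wan0 = uplink,
# lan0 = 802.1Q trunk to a VLAN-capable switch/AP; VLAN IDs are hypothetical.
WAN="wan0"
TRUNK="lan0"
OFFICE="$TRUNK.10"  # VLAN 10: personal/office (most trusted)
IOT="$TRUNK.20"     # VLAN 20: IoT
DMZ="$TRUNK.30"     # VLAN 30: DMZ

# Emit the commands that turn the trunk into one sub-interface per VLAN.
# Review, then apply with:  vlan_links | sh
vlan_links() {
    for vid in 10 20 30; do
        printf 'ip link add link %s name %s.%s type vlan id %s\n' "$TRUNK" "$TRUNK" "$vid" "$vid"
        printf 'ip link set %s.%s up\n' "$TRUNK" "$vid"
    done
}

# Crude check that a Linux-based router has the 802.1Q driver at all.
# Only meaningful with shell access; vendor UIs hide this behind their own menus.
vlan_supported() {
    [ -d /sys/module/8021q ] || modprobe -n -q 8021q 2>/dev/null
}

# nftables forward policy. Default drop; office -> anything, IoT/DMZ -> WAN only;
# established/related return traffic is allowed in either direction.
# Apply with:  gen_ruleset | nft -f -
gen_ruleset() {
cat <<EOF
table inet segments {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$OFFICE" accept
        iifname { "$IOT", "$DMZ" } oifname "$WAN" accept
    }
}
EOF
}

# The same policy for *new* connections as a lookup you can sanity-check
# before touching the router: prints allow/deny, exit status 0 means allow.
# Segment names: office, iot, dmz, wan.
flow_allowed() {
    src="$1"; dst="$2"
    case "$src:$dst" in
        office:*)        echo allow; return 0 ;;
        iot:wan|dmz:wan) echo allow; return 0 ;;
        *)               echo deny;  return 1 ;;
    esac
}
```

The ruleset only isolates anything if the switch side is set up to match: IoT and DMZ devices must sit on untagged access ports that belong to their VLAN alone, and only the router-facing port carries the tags. A switch that does not understand 802.1Q, or ports left as members of every VLAN, puts all devices back on one broadcast domain regardless of what the router filters.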