
To mitigate the risk of malware propagating through a network, how reasonable is it to place each and every device on its own VLAN (complete isolation)?

Note:

  • The devices do not need to communicate to each other at all.

Secondary questions:

  • Would there be any performance losses? (Connection to internet)

  • Is there a better solution for isolation?

SheerKahn
  • I'm not quite sure whether this would cause problems for the router/L3 switch when you do routing, because it would have a long routing table and each packet would be checked against it. – Tryna Learn Somethin Jan 07 '18 at 12:26
  • If you're using Wi-Fi, some access points provide the option for a guest SSID that isolates all devices. – juhraffe May 25 '18 at 17:41

1 Answer

A VLAN for every single computer will be a headache :-)

I believe you need PVLAN, not VLAN; it will isolate at layer 2, and interfaces will not be able to communicate with each other (except uplink & trunk ports, of course). Could you please review the following links? If you need a more specific reference, please let me know.

From Juniper's website:

Private VLANs (PVLANs) take this concept a step further by limiting communication within a VLAN. PVLANs accomplish this by restricting traffic flows through their member switch ports (which are called private ports) so that these ports communicate only with a specified uplink trunk port or with specified ports within the same VLAN.

If you have available resources on your devices, I believe this will not affect performance significantly.

As the last words: yes, isolation is an important topic, but endpoint security has many to-dos, so please be sure you have considered your antivirus policy, patch management, account permission hardening, dormant user reviews, etc. :-) If you don't have an endpoint protection solution (for example), eventually these clients will be able to access something somewhere. You will isolate these client computers from communicating with each other, but eventually they will talk with a print server or web server... :-)

alnbhclyn
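The answer above describes PVLAN forwarding in one sentence; the model below, an added example that is not part of the question or the answer, spells out the rule for the three PVLAN port roles (promiscuous uplink, isolated, community) and compares the resulting reachability with the same ports in one ordinary VLAN. The port names (uplink, ws1..ws3, srv1, srv2) and the "servers" community are constructed sample input, not from the original page; real switches enforce this in hardware, the code only reproduces the policy so you can see what a compromised host on each port could still reach.

```python
"""Reachability model of private-VLAN (PVLAN) port roles.

Roles, in the terms Cisco and Juniper use:
  promiscuous : the uplink/trunk port; may exchange frames with every port
  isolated    : a private port; may exchange frames only with promiscuous ports
  community   : a private port; may exchange frames with promiscuous ports and
                with other members of the same community
This is an illustrative model, not vendor code.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    community: Optional[str] = None  # only meaningful when role == "community"


def pvlan_forwards(src: Port, dst: Port) -> bool:
    """Return True if the PVLAN policy lets a frame from src reach dst."""
    if src.name == dst.name:
        return False
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True                  # uplink talks to everyone
    if src.role == "community" and dst.role == "community":
        return src.community == dst.community
    # isolated<->isolated and isolated<->community are blocked
    return False


def reachable_pairs(ports: Iterable[Port]) -> Set[Tuple[str, str]]:
    """Ordered (src, dst) pairs permitted under the PVLAN policy."""
    return {(a.name, b.name) for a, b in permutations(list(ports), 2)
            if pvlan_forwards(a, b)}


def plain_vlan_pairs(ports: Iterable[Port]) -> Set[Tuple[str, str]]:
    """Same ports in a single ordinary VLAN: every port reaches every other."""
    return {(a.name, b.name) for a, b in permutations(list(ports), 2)}


def lateral_reach(ports: Iterable[Port]) -> Dict[str, Set[str]]:
    """For each private (non-uplink) port, the other private ports a
    compromised host there could still talk to at layer 2."""
    ports = list(ports)
    reach: Dict[str, Set[str]] = {}
    for src in ports:
        if src.role == "promiscuous":
            continue
        reach[src.name] = {dst.name for dst in ports
                           if dst.role != "promiscuous" and pvlan_forwards(src, dst)}
    return reach


def isolation_holds(ports: Iterable[Port]) -> bool:
    """Check the property the question asks for: no isolated port can reach
    any other private port (only the uplink)."""
    return all(not targets for name, targets in lateral_reach(ports).items()
               if next(p for p in ports if p.name == name).role == "isolated")


# Constructed sample topology (not from the original page): one uplink,
# three isolated workstations, two servers that may talk to each other.
UPLINK = Port("uplink", "promiscuous")
WS1, WS2, WS3 = (Port(n, "isolated") for n in ("ws1", "ws2", "ws3"))
SRV1, SRV2 = (Port(n, "community", "servers") for n in ("srv1", "srv2"))
PORTS = [UPLINK, WS1, WS2, WS3, SRV1, SRV2]

if __name__ == "__main__":
    print("plain VLAN pairs:", len(plain_vlan_pairs(PORTS)))   # 30
    print("PVLAN pairs:     ", len(reachable_pairs(PORTS)))    # 12
    for name, targets in sorted(lateral_reach(PORTS).items()):
        print(f"{name}: lateral reach -> {sorted(targets) or 'none'}")
    print("isolation holds:", isolation_holds(PORTS))
```

With six ports, a flat VLAN permits 30 ordered port pairs while the PVLAN permits 12: every port to and from the uplink, plus srv1 and srv2 to each other. Each isolated workstation has an empty lateral reach, which is the isolation the question wants, achieved with a single VLAN and no per-device routing table growth. Note that this only models layer 2; as the answer says, the hosts can still reach each other through any service that sits behind the uplink unless the router or firewall filters that too. Linux bridges expose the same isolated-port semantics via `bridge link set dev <port> isolated on`, which is useful on a hypervisor host.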