VLAN - Security risk or not: 1 Port in 2 VLAN's

arno
      11-27-2006, 09:12 AM
Hello,

I reduced my problem to the minimum, this is why I speak about "PC's".
I have a Netgear FS726T Switch with VLAN for ports.

What I need is: PC-A and PC-B should be able to access PC-X (and vice
versa). However, PC-A must not reach PC-B (and vice versa).

What I did is:
I put the ports of the switch with PC-A and PC-X in VLAN1. I put PC-B
and PC-X in VLAN2. (So, PC-X is in VLAN1 and VLAN2!). When I test the
connectivity with "ping" then everything works as I wanted.

My question: Can PC-A "talk" in whatever "language" to PC-B? Is ping
enough to test? What else can I do, a portscan from PC-A to PC-B?

In reality, PC-A is a company server, PC-B is a private PC (with
children surfing the internet) and PC-X is a Cisco 820 DSL-Router
acting as a gateway for PC-A and PC-B, both should be able to surf the
internet but must not reach each other. I think there's no way to
"hack" the cisco router, however, can it somehow be used within the LAN
to connect PC-A and PC-B? (Outside the LAN this works, however, then
all data would go through the Cisco firewall that would protect PC-A.)

Best regards,

arno

Phillip Windell
      11-27-2006, 03:34 PM
Stop looking at the networking layers to solve your problem. Being able to
"ping" something does not mean you have access to it anyway.
The access is controlled at the Filesystem Level (NTFS Permissions) or at the
Application Level by using the Application that provides the services being
asked for.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------


arno
      11-27-2006, 07:01 PM
Hello Phillip,

> The access is controlled at the Filesystem Level (NTFS Permissions) or


... Windows security holes that can be used by children surfing the
internet without brains. I need to block PC-A from reaching PC-B -
foolproof if possible.

So, no successful ping means no "connection"?

arno

Phillip Windell
      11-27-2006, 07:17 PM
"arno" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello Phillip,
>
>> The access is controlled at the Filesystem Level (NTFS Permissions) or

>
> ... Windows security holes that can be used by children surfing the
> internet without brains. I need to block PC-A from reaching PC-B -
> foolproof if possible.


You're taking the wrong approach.
They don't use "security holes" to surf. They surf because that is what the
OS and the browser are designed to do. To control surfing you have to
directly control surfing itself,...messing with the networking layers
doesn't do that. For minimal control you can use the Content Filtering
built into the Browser's Settings. These are found by opening the browser
then go to Tools, Internet Options, Content Advisor (click Enable). There
are a few settings in there and it can be password protected. For anything
more complex than this you need to use specialized software like Net Nanny,
Cyber Sitter, etc. There are others too, but I don't know them by name.

> So, no successful ping means no "connection"?


No,...Ping can completely fail and yet have everything else work perfectly
fine. By the same token, Ping can work perfectly well and yet have nothing
else work. The only thing a successful ping means is that "ping works".

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------


arno
      11-28-2006, 06:13 AM
Hello Phillip,

> To control surfing
> you have to directly control surfing itself


I cannot as I do not have control over this PC, it's a private PC using
the company DSL Router. Let's simply assume that PC-B is full with
viruses, trojans, any malware available etc. etc.

> ,...messing with the
> networking layers doesn't do that.


Yes it does, as VLAN separates two networks physically. My problem is
the DSL-Router (PC-X) in the middle, nothing else.

> The only thing a successful ping means
> is that "ping works".

ok.

Are there any other tools I can use to check if there's connectivity
between PC-A and PC-B?

arno

arno
      11-28-2006, 02:57 PM
Hi,

well, RTFM did help

One manual included an appendix with an example where one port was a
member of all VLAN groups providing the internet connection. Obviously,
being a member of many VLANs does not connect them.

arno

Phillip Windell
      11-28-2006, 10:57 PM
"arno" <(E-Mail Removed)> wrote in message
news:eXX%(E-Mail Removed)...
> Hi,
>
> well, RTFM did help
>
> One manual included an appendix with an example where one port was a
> member of all VLAN groups providing the internet connection. Obviously,
> being a member of many VLANs does not connect them.


That is correct. A layer 3 router is still required to jump between
segments.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

The views expressed are my own (as annoying as they are), and not those of
my employer or anyone else associated with me.
-----------------------------------------------------
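The point the thread arrives at (a port in both VLANs receives from both but does not bridge them, and only a layer-3 device could carry traffic across), as an added illustration that is not part of the thread or of Netgear/Cisco code: a small Python model of port-based VLAN forwarding, plus a check of when the shared router could still route between the two hosts. Host names, VLAN ids, addresses and the ACL are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed model (not the switch's or router's code): a port-based VLAN
# switch maps each port to the VLAN ids it belongs to. A frame entering on
# one port is delivered only to ports that share a VLAN with it.
PORTS = {"PC-A": {1}, "PC-B": {2}, "PC-X": {1, 2}}   # PC-X port sits in both VLANs

def l2_reachable(src, dst, ports=PORTS):
    """True if a frame from src's port can be delivered to dst's port."""
    return src != dst and bool(ports[src] & ports[dst])

def l2_matrix(ports=PORTS):
    """Direct layer-2 reachability for every port in the switch."""
    return {s: sorted(d for d in ports if l2_reachable(s, d, ports)) for s in ports}

# Layer 3: the shared device is a router. It can carry traffic between the
# two VLANs only if the two hosts sit in different subnets it routes between
# and no access list denies the pair. Addresses below are assumed values.
HOSTS = {"PC-A": "192.0.2.10", "PC-B": "192.0.2.20"}
ROUTER_NETS = {1: ip_network("192.0.2.0/24"), 2: ip_network("192.0.2.0/24")}

def l3_reachable(src, dst, hosts=HOSTS, nets=ROUTER_NETS, acl_deny=frozenset(),
                 ports=PORTS, router="PC-X"):
    """Reachability from src to dst when the only shared device is the router."""
    if l2_reachable(src, dst, ports):
        return True                        # same VLAN, no router involved
    if not (l2_reachable(src, router, ports) and l2_reachable(router, dst, ports)):
        return False                       # router cannot even see both sides
    a, b = ip_address(hosts[src]), ip_address(hosts[dst])
    if any(a in n and b in n for n in nets.values()):
        # Same subnet: src ARPs for dst directly, and that ARP never crosses
        # VLANs. Assumes the router does not proxy-ARP on dst's behalf.
        return False
    return (src, dst) not in acl_deny      # routed path unless an ACL denies it

def demo():
    """Thread setup (one subnet) vs. a split-subnet setup, with and without an ACL."""
    split_nets = {1: ip_network("192.0.2.0/24"), 2: ip_network("198.51.100.0/24")}
    split_hosts = {"PC-A": "192.0.2.10", "PC-B": "198.51.100.20"}
    return (l3_reachable("PC-A", "PC-B"),
            l3_reachable("PC-A", "PC-B", split_hosts, split_nets),
            l3_reachable("PC-A", "PC-B", split_hosts, split_nets,
                         acl_deny={("PC-A", "PC-B")}))

if __name__ == "__main__":
    print(l2_matrix())   # PC-A and PC-B each see only PC-X
    print(demo())        # (False, True, False)
```

The middle value of `demo()` is the case to watch for: if PC-A and PC-B are ever given separate subnets that the router knows, the router itself, not the switch, becomes the path between them, and an access list on it is what keeps them apart.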