VLAN - Security risk or not: 1 Port in 2 VLANs

Discussion in 'Windows Networking' started by arno, Nov 27, 2006.

  1. arno


    Hello,

    I reduced my problem to the minimum; this is why I speak about "PCs".
    I have a Netgear FS726T Switch with VLAN for ports.

    What I need is: PC-A and PC-B should be able to access PC-X (and vice
    versa). However, PC-A must not reach PC-B (and vice versa).

    What I did is:
    I put the ports of the switch with PC-A and PC-X in VLAN1. I put PC-B
    and PC-X in VLAN2. (So, PC-X is in VLAN1 and VLAN2!) When I test the
    connectivity with "ping" then everything works as I wanted.

    My question: Can PC-A "talk" in whatever "language" to PC-B? Is ping
    enough to test? What else can I do, a portscan from PC-A to PC-B?

    In reality, PC-A is a company server, PC-B is a private PC (with
    children surfing the internet) and PC-X is a Cisco 820 DSL-Router
    acting as a gateway for PC-A and PC-B, both should be able to surf the
    internet but must not reach each other. I think there's no way to
    "hack" the cisco router, however, can it somehow be used within the LAN
    to connect PC-A and PC-B? (Outside the LAN this works, however, then
    all data would go through the Cisco firewall that would protect PC-A.)

    Best regards,

    arno
     
    arno, Nov 27, 2006
    #1

  2. Stop looking at the networking layers to solve your problem. Being able to
    "ping" something does not mean you have access to it anyway.
    The access is controlled at the Filesystem Level (NTFS Permissions) or at the
    Application Level by using the Application that provides the services being
    asked for.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed are my own (as annoying as they are), and not those of
    my employer or anyone else associated with me.
     
    Phillip Windell, Nov 27, 2006
    #2

  3. arno


    Hello Phillip,
    .... Windows security holes that can be used by children surfing the
    internet without brains. I need to block PC-A from reaching PC-B -
    foolproof if possible.

    So, no successful ping means no "connection"?

    arno
     
    arno, Nov 27, 2006
    #3
  4. You're taking the wrong approach.
    They don't use "security holes" to surf. They surf because that is what the
    OS and the browser are designed to do. To control surfing you have to
    directly control surfing itself,...messing with the networking layers
    doesn't do that. For minimal control you can use the Content Filtering
    built into the Browser's Settings. These are found by opening the browser
    then go to Tools, Internet Options, Content Advisor (click Enable). There
    are a few settings in there and it can be password protected. For anything
    more complex than this you need to use specialized software like Net Nanny,
    Cyber Sitter, etc. There are others too, but I don't know them by name.
    No,...Ping can completely fail and yet have everything else work perfectly
    fine. By the same token, Ping can work perfectly well and yet have nothing
    else work. The only thing a successful ping means is that "ping works".

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed are my own (as annoying as they are), and not those of
    my employer or anyone else associated with me.
    -----------------------------------------------------
     
    Phillip Windell, Nov 27, 2006
    #4
  5. arno


    Hello Phillip,
    I cannot as I do not have control over this PC, it's a private PC using
    the company DSL Router. Let's simply assume that PC-B is full with
    viruses, trojans, any malware available etc. etc.
    Yes it does, as VLAN separates two networks physically. My problem is
    the DSL-Router (PC-X) in the middle, nothing else.
    ok.

    Are there any other tools I can use to check if there's connectivity
    between PC-A and PC-B?

    arno
     
    arno, Nov 28, 2006
    #5
  6. arno


    Hi,

    well, RTFM did help :)

    One manual included an appendix with an example where one port was
    member of all VLAN groups providing internet connection. Obviously,
    being member of many VLANs does not connect them.

    arno
     
    arno, Nov 28, 2006
    #6
  7. That is correct. A layer 3 router is still required to jump between
    segments.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com

    The views expressed are my own (as annoying as they are), and not those of
    my employer or anyone else associated with me.
    -----------------------------------------------------
     
    Phillip Windell, Nov 28, 2006
    #7
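Editor's note, added to the thread and not part of arno's or Phillip's posts: the two findings above (#6: a port that belongs to several port-based VLAN groups does not join those groups; #7: only a layer 3 device moves traffic between them) are modelled below as example code written for this page. The switch model assumes nothing beyond what the quoted manual implies: a frame may leave through any port that shares a group with the port it arrived on, and nothing else. The model also carries the point through to the part of the question the thread leaves open: PC-X is a layer 3 device with one interface in both groups, and if it forwards IP packets for its own connected subnet back out that same interface, it can relay between PC-A and PC-B. Whether the actual Cisco 820 does so depends on its configuration, which the thread does not show, so the model treats that as a switch (hairpin) to be tested rather than a fact. Port numbers, MAC strings and addresses are made up.

```python
"""Model of port-based VLAN groups with one port in two groups.

Added example for this thread; it is not arno's or Phillip's code and not
Netgear's or Cisco's. Port numbers, MAC strings and IP addresses are made up.
The switch model assumes only that a frame may leave through any port sharing
a VLAN group with its ingress port. The router's hairpin behaviour is an
assumption to test on the real router, not a statement about its config.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


BROADCAST = "ff:ff:ff:ff:ff:ff"


class PortVlanSwitch:
    """Port-based VLAN switch: no 802.1Q tags, just port group membership."""

    def __init__(self, groups):
        self.groups = groups          # {vlan_id: {port, ...}}
        self.mac_table = {}           # src MAC -> port it was learned on

    def peers(self, port):
        """Every port that shares at least one group with `port`."""
        out = set()
        for members in self.groups.values():
            if port in members:
                out |= members
        out.discard(port)
        return out

    def ingress(self, port, frame):
        """Sorted list of egress ports for a frame arriving on `port`."""
        self.mac_table[frame.src_mac] = port
        allowed = self.peers(port)
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            targets = allowed                                   # flood, but only within the groups
        else:
            targets = {self.mac_table[frame.dst_mac]} & allowed  # unicast if allowed, else drop
        return sorted(targets)


class OneArmedRouter:
    """PC-X: one interface, one IP subnet, attached to the shared port.

    hairpin=True models a router that forwards an IP packet back out the
    interface it arrived on when the destination is on that same subnet.
    """

    def __init__(self, mac, port, switch, arp, hairpin):
        self.mac, self.port, self.switch = mac, port, switch
        self.arp, self.hairpin = arp, hairpin   # arp: IP -> MAC the router knows

    def receive(self, frame):
        """Egress ports the re-sent packet reaches, or [] if not forwarded."""
        if frame.dst_mac != self.mac or not self.hairpin:
            return []
        next_hop_mac = self.arp.get(frame.dst_ip)
        if next_hop_mac is None:
            return []
        return self.switch.ingress(
            self.port, Frame(self.mac, next_hop_mac, frame.src_ip, frame.dst_ip))


def scenario(hairpin):
    """Replay arno's setup: PC-A on port 1, PC-B on port 2, PC-X on port 3,
    groups VLAN1={1,3} and VLAN2={2,3}, all three in one made-up subnet."""
    sw = PortVlanSwitch({1: {1, 3}, 2: {2, 3}})
    router = OneArmedRouter("X", 3, sw, arp={"10.0.0.1": "A", "10.0.0.2": "B"},
                            hairpin=hairpin)
    # B talks to the router first, so the switch has learned B on port 2.
    sw.ingress(2, Frame("B", "X", "10.0.0.2", "10.0.0.254"))

    # 1. A's ARP broadcast for B is flooded only to port 3; B never sees it.
    arp_from_a = sw.ingress(1, Frame("A", BROADCAST, "10.0.0.1", "10.0.0.2"))
    # 2. A addresses a frame straight to B's MAC: port 2 is not a peer of port 1, so dropped.
    direct = sw.ingress(1, Frame("A", "B", "10.0.0.1", "10.0.0.2"))
    # 3. A sends the same IP packet to the router's MAC (a host route for
    #    10.0.0.2 via the gateway). The switch delivers it to port 3; whether
    #    it comes back out towards B is entirely the router's decision.
    packet = Frame("A", "X", "10.0.0.1", "10.0.0.2")
    to_router = sw.ingress(1, packet)
    via_router = router.receive(packet) if 3 in to_router else []
    return {"arp_from_a": arp_from_a, "direct": direct,
            "to_router": to_router, "via_router": via_router}


if __name__ == "__main__":
    for hairpin in (False, True):
        print(f"router hairpin={hairpin}: {scenario(hairpin)}")
```

Steps 1 and 2 hold regardless of the router: the switch never delivers a frame from port 1 to port 2, which is what arno's ping test and the manual's example show. Step 3 is the check worth doing on the real equipment: on PC-B, add a host route for PC-A's address via the gateway (`route add` on Windows) and rerun the port probe. If anything answers, the router is relaying between the two groups and needs an access list on its LAN interface that denies PC-A to PC-B traffic in both directions, or PC-A and PC-B need separate IP subnets with filtering between them on the router.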
