Free tips and tricks:
Contain Lateral Movement With Client Isolation
Wireless networking really helped client isolation take off the ground. It is immediately more obvious why this is needed when you think about a shared environment like a coffee shop, airport lounge, or any area where the convenience of WiFi networking is shared by a group of people. My laptop should never need to talk to someone else’s laptop. Even if I wanted to send an email to the person sitting 10 feet away from me. That email would go through the Internet from my email provider to their email provider. Direct communication would never happen. It would be better to set up some sort of security to automatically keep the laptops from talking to one another.
Within WiFi, this is called “Client Isolation”. It essentially creates the scenario where wireless clients can not communicate with one another. This can cause problems with shared devices like video conferencing bridges, printers, etc. The usual easy way to solve this is to hard-wire that resource. This tends to make sense because WiFi is servicing the needs of a dynamic mobile environment.
Wired networking is often overlooked when lateral movement is considered. Yet this is very easy to solve. Here is a great image of the problem and solution from Cisco.
As you can see, by tagging the interfaces on the systems as “protected ports” they can not communicate with eachother. This is exactly how client isolated WiFi works, but on a copper network. To find if your switch vendor supports this feature, look for “PVLANs” or “protected ports”. On a Cisco switch, where ports 2 and 3 are protected, the configuration would be simply this:
S1(config)# interface g0/2 S1(config-if)# switchport protected S1(config-if)# exit S1(config)# interface g0/3 S1(config-if)# switchport protected S1(config-if)# exit
Simple! Hopefully now you are safer.
We hope you find this helpful in securing your organization. Please consider us for help.
Especially if you are new to cybersecurity, we love helping!