Apologies if this is the wrong location for this question. I am new to networking and wanted to clarify that configuring VLANs in Sonicwall can still allow traffic from one VLAN to another. Is this correct? For example, I want to configure a VLAN for a developer group since they need admin access on their PCs but protect the rest of the network in the event they accidentally fall victim to malware. This group still needs to access resources on the LAN.
Can I do this and if so, can someone point me in the right direction for documentation describing the steps to do so?
Nice to meet you! And this is the perfect location.
In short, Yes! VLANs on a single interface can indeed communicate with one another based on what you allow via access rules.
In terms of setup, please see the following SonicWall articles. Naturally, you will need to work with your switch vendor to create the corresponding VLANs.
@micah - SonicWall's Self-Service Sr. Manager
Ajishlal Community Legend ✭✭✭✭✭
Hi @R20 ,
SonicOS Enhanced zones allow you to apply security policies to the inside of the network. This allows the administrator to do this by organizing network resources into different zones, and allowing or restricting traffic between those zones. This way, access to critical internal resources such as payroll servers or engineering code servers can be strictly controlled.
Each zone has a security type, which defines the level of trust given to that zone. There are five security types:
- Trusted : Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
- Encrypted : Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
- Wireless : Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWALL SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
- Public : A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed. This means only LAN initiated connections will have traffic between DMZ and LAN. The DMZ will only have default access to the WAN, not the LAN.
- Untrusted : The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance. By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.
For your scenario create a DMZ zone and create the Access rule as per your requirement.
For your above scenario, I would recommend creating a custom zone for the developer PCs' network and enabling all the security services such as CFS, GAV & IPS. Then create a proper ACL between LAN and the new zone, and vice versa.
Zone-based security is a powerful and flexible method of managing both internal and external network segments, allowing the administrator to separate and protect critical internal network resources from unapproved access or attack.
NB: Deny the default any any rules from LAN to New Zone & Vice versa. Then create your own custom rules as per your requirements.
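To make the "deny the default any/any rules, then add your own narrow rules" advice concrete, here is an added illustration (my own code, not SonicWall's or this thread's) that models first-match zone access rules for the developer-zone scenario. The zone names, subnets, hosts and ports are constructed assumptions, not values from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Constructed zone map: the existing LAN and a custom "DEV" zone for the
# developer PCs. Subnets are example values, not anyone's real network.
ZONES = {
    "LAN": ip_network("10.0.10.0/24"),
    "DEV": ip_network("10.0.20.0/24"),
}

@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_net: Optional[IPv4Network]   # None means "Any" destination
    dst_port: Optional[int]          # None means "Any" service
    action: str                      # "allow" or "deny"

# What you effectively have if the default any/any rules between the new
# zone and LAN are left in place: everything crosses in both directions.
DEFAULT_RULES = [
    Rule("DEV", "LAN", None, None, "allow"),
    Rule("LAN", "DEV", None, None, "allow"),
]

# The recommended table: narrow allows placed above a deny-all in each
# direction, so the allows match first and everything else is dropped.
CUSTOM_RULES = [
    Rule("DEV", "LAN", ip_network("10.0.10.5/32"), 445, "allow"),   # file server only
    Rule("DEV", "LAN", ip_network("10.0.10.53/32"), 53, "allow"),   # internal DNS
    Rule("DEV", "LAN", None, None, "deny"),                          # replaces default any/any
    Rule("LAN", "DEV", ip_network("10.0.20.0/24"), 3389, "allow"),  # admins RDP into dev PCs
    Rule("LAN", "DEV", None, None, "deny"),
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is in no known zone."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)

def evaluate(rules, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one flow: first matching rule wins."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"            # unknown zone: no rule can match
    if src == dst:
        return "allow"           # assumption: intra-zone traffic left at its default allow
    for r in rules:
        if r.src_zone != src or r.dst_zone != dst:
            continue
        if r.dst_net is not None and ip_address(dst_ip) not in r.dst_net:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action
    return "deny"                # no rule matched: implicit deny
```

Comparing the two tables for a developer PC reaching a LAN workstation on 445 shows the difference: the default table lets it through, the custom table only lets the developer reach the file server and DNS host you listed.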
Thank you. To confirm, setting up a custom zone as you indicate would work to effectively isolate malware/ransomware that infected a developer PC from traversing to the LAN and infecting other systems. Is this correct? The developer PCs could access the rest of the LAN to reach other servers but would be isolated in the event of a malware attack on their PCs. Is this correct?
I hope you are well @R20. Did any of these answers help? If so, please consider marking "Yes" next to the best answer so that the community benefits by this interaction.
@micah - SonicWall's Self-Service Sr. Manager