How to configure subnets/VLANs to restrict access to WAN/other VLANs?

Question

I manage the networking for our (very!) small church as a volunteer. Currently everything is set up on a single /24 IPv4 subnet. I'm wanting to break these out into VLANs for increased security, and also implement IPv6 at the same time.

Our hardware is a MikroTik commercial-grade router (behind an AT&T gateway with 5 static WAN IPs), a secondhand Netvanta 1534P PoE switch (plus a Unifi PoE switch some distance away), and some Unifi Wi-fi access points with Unifi Controller running on a Raspberry Pi. We have a Synology NAS which is exposed to the Internet and which serves as our email server and master DNS server. Users are two Windows PCs in secure locations (offices), two more PCs in non-secured locations (sound booth), and guest users on our guest access Wi-fi. We also have security cameras, a few IoT devices (thermostats), and VoIP telephones. Most everything is on wired Cat 5e cabling to a fairly secure server closet.

I have identified the following classes of devices, along with what access I think they should have. I'm asking for advice as to how to implement this setup, or recommendations to improve it:

• Devices with direct access from WAN: Email, DNS, & Web server. Also Video station and similar on the NAS. This subnet should not be able to access other LAN subnets.
• Control and management devices: Management ports for switches, routers, Unifi controller, and similar devices. Should be able to be accessed from secured PCs, but not from WAN (unless at some later date I implement a VPN...fingers crossed).
• File sharing devices: All PCs, networked printers, and the NAS (it has 2 LAN ports which can be segregated). Should be able to share files and access as needed.
• Secured PCs: Should be able to access any device on the LAN.
• Non-secured PCs: Should be able to access the NAS as well as printers, etc., but should not be able to access control and management devices.
• IoT devices: Should have access to WAN only; should not see any other network traffic.
• Guest Wi-fi users: Should have access to WAN only; any access to NAS would be through the WAN-accessible port.
• VoIP Phones: Should have their own subnet.
• Security cameras: Should only be able to see the local port for the NAS, which acts as our camera controller and recorder. I don't want them phoning home to China every night.

I'm not a professional by any means; I'm learning by doing. (The church is my training lab!) I'd like to know how to give as much protection as possible, especially in implementing IPv6...there are lots of people who'd like to hack a church (I could show you my mail server logs...). Any helpful information will be appreciated.

Answer 1

This inventory of what you have is an excellent start. Document that, and back up all configurations.

Rather than trying to impose the maximum network isolation, think for a bit about risk management, and solutions you can maintain. Just because you have 9 models of device, doesn't mean that 9 VLANs makes sense.

Would be bad if someone took from the sound booth PC sensitive documents. So, consider separating the AV file shares from other documents, and only share media files with the sound booth. And have the sound PCs automatically lock when idle. Could still be on the same VLAN, and maybe reasonably safe.

Guest Wi-Fi is tricky to defend. Unknown wireless devices can't be supervised by a volunteer. With no reason to access the LAN, guest access is a common use case for an internet only network.

Security cameras would be sensitive, and a local only solution has no need to connect to the internet. But how bad would it really be to connect to the internet? Is the camera model known to phone home with diagnostics? Does the vendor patch security issues?

That NAS is a part of everything, including the external facing network. With two ports, one separation is external net (web server, DNS) from LAN (file sharing). Find out if the NAS is VLAN aware. If so, that makes it easier for the NAS be a part of more than 2 VLANs. This is one area where "VLAN all the things" plus "NAS that does everything" might complicate the design.

Decide how to do the management network. A small unmanaged switch wired to each management port might be nice, but not required. Physically isolating forces a would-be attacker to plug into the server closet. Although the primary reason for going out-of-band is for reliable access to control of the equipment.

Understand all traffic between these proposed security zones. Put a firewall in allow mode and read the logs.

Create a test lab representing what you have now. Can be virtual, with VMs simulating each type of device. Same OS as on your hardware would be nice, but not required to learn principles.

Create an address plan. A handful of subnets fits easily in a /56 or /48 you might be delegated from your ISP. Any v4 renumbering also would need a plan. Remember to allocate your test nets.

Create firewall rules to implement the desired policy. Deny guest to LAN, allow file sharing office to LAN, allow web from the internet to extranet. Here it will become apparent that v6 firewalls are not port forwarding, as it doesn't need NAT.

Create a transition plan. Perhaps you can alter the guest Wi-Fi any time, but need to pick a time when no users are on to install the rest. Test first!

And don't forget that a secure network is not just VLANs and firewalls. Host and user security basics are very powerful. Update PCs, and configure multiple factor auth for users' apps.