This bugs me a bit so just seeking out to see what you folks do here, at lest you who work in security or have a security oriented homelab.

I do not generally allow any traffic between VLANs, all is isolated in the Switch, where different VLANs are in different routing instances (VRFs) and next-hop is my firewall. All traffic is L3.

Now when I’m testing new things and I need to login to a random web interface, at a random port I normally create an application on my firewall for that port, and add that port to a “baseline” I have for traffic from my office network to my different server networks. This works as indented and means I will never have any traffic I’m not aware of.

However this is also time consuming. So I’m thinking to allow all high ports (>1024) - for only one direction (office networks->server networks) but not sure this is a good idea either.

I’m also thinking to force (web admin X) to use 443. I could also use a web proxy that would allow high ports and use that while testing, but yea. all have their pro’s and cons…

  • YO3HDU@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Or just allow anything from from trusted to untrusted.

    The main concern is from untrusted to trusted that should always be denied.