Wireless Security Client Isolation

UTM Firewall requires membership for participation - click to join

Thread Info

State Not Answered
Locked Locked
Replies 12 replies
Subscribers 1 subscriber
Views 13238 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Client Isolation

CClasen over 9 years ago

Is it the case that client isolation only works when using Separate Zone? It doesn't seem to do anything for Bridge to LAN or Bridge to VLAN.

This thread was automatically locked due to age.

Parents

0 CClasen over 9 years ago

I would because I have configured it with other wireless equipment (specifically Ubiquiti).  I put this in the other thread, but here's the scoop on how it works with Sophos gear (directly from UTM support):

"When using Bridge-to-LAN/Bridge-to-VLAN client isolation will not be able to block traffic between two stations connected to different APs on the same LAN segment."

This means that if you implement it, and are able to then restrict communication between APs, you can acheive full L3 isolation.  I did this by adding IP ACLs on the AP switchports.

The Ubiquity gear uses IP ACLs on the APs so clients can only communicate with the gateway IP address.  Sophos gear must use MAC blacklisting based on the MAC addresses of locally connected clients; that's my best guess anyway based on this behavior.  So it is possible to get full client isolation, but it wold be nice to see more customer-facing documentation about this feature, since you can enable it using bridge mode.  If I hadn't verified that is was working, I'd be oblivious to a wide-open attack vector in the network.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 CClasen over 9 years ago

I would because I have configured it with other wireless equipment (specifically Ubiquiti).  I put this in the other thread, but here's the scoop on how it works with Sophos gear (directly from UTM support):

"When using Bridge-to-LAN/Bridge-to-VLAN client isolation will not be able to block traffic between two stations connected to different APs on the same LAN segment."

This means that if you implement it, and are able to then restrict communication between APs, you can acheive full L3 isolation.  I did this by adding IP ACLs on the AP switchports.

The Ubiquity gear uses IP ACLs on the APs so clients can only communicate with the gateway IP address.  Sophos gear must use MAC blacklisting based on the MAC addresses of locally connected clients; that's my best guess anyway based on this behavior.  So it is possible to get full client isolation, but it wold be nice to see more customer-facing documentation about this feature, since you can enable it using bridge mode.  If I hadn't verified that is was working, I'd be oblivious to a wide-open attack vector in the network.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data