Possibility of lateral movement between VLAN

Budgeter

Regular Contributor
Let's say we have 3 VLANs: 10, 20 and 30.
  1. VLANs 10 and 30 for regular devices (laptops, phones, etc.)
  2. VLAN 20 for IoT devices
  3. DENY VLAN 20 from establishing any RFC 1918 connection to VLANs 10 and 30. Also, no Internet access.
  4. ALLOW VLANs 10 and 30 to establish RFC 1918 connections to VLAN 20. VLANs 10 and 30 have Internet access.
  5. DENY VLAN 10 from establishing any RFC 1918 connection to VLAN 30 and vice versa.
Assuming a device on either 10 or 30 is infected or hacked, what is the possibility of lateral movement between VLANs 10 and 30? If so, under which conditions?

L&LD

Part of the Furniture
If an infected device is allowed to communicate with another, the chance/possibility of infection is 100% assuming the malware targets both devices in the first place.

Don't connect to what you don't trust. Ever. Once is too much trust.

Budgeter

Regular Contributor
If an infected device is allowed to communicate with another, the chance/possibility of infection is 100% assuming the malware targets both devices in the first place.

Don't connect to what you don't trust. Ever. Once is too much trust.
So I guess whenever a connection is established, even if it is one way, lateral movement is 100% possible? Only when we have strict containment (a fully isolated VLAN) can we prevent lateral movement.
In this case, that means VLAN 10 infects VLAN 20. The malware is stuck there since the VACL is DENY 20 -> 30. However, if a connection is initialized by a device on VLAN 30 to 20, then the malware can continue its infection?

L&LD

Part of the Furniture
Yes. Everything will get infected (and more quickly than you may think).
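The pivot scenario discussed in this thread can be checked with a small reachability model. The code below is an added example, not something posted in the thread or taken from any vendor's ACL syntax. It assumes stateful filtering (the return half of an allowed session is permitted, so any session that is allowed to be initiated becomes a two-way data channel), a first-match rule lookup with default deny, and that the malware only needs some session between two VLANs plus a vulnerable peer on the far side. The rule tuples and function names are illustrative.

```python
# Added example: reachability model of the inter-VLAN policy from the question.
# Encoding, helper names and the default-deny assumption are illustrative.
from collections import deque
from typing import Dict, List, Set, Tuple

VLANS = ["10", "20", "30"]

# Who may INITIATE an RFC 1918 session to whom, as described in the question.
# Order matters: first matching rule wins, anything unmatched is denied.
POLICY: List[Tuple[str, str, str]] = [
    ("10", "20", "allow"),
    ("30", "20", "allow"),
    ("20", "10", "deny"),
    ("20", "30", "deny"),
    ("10", "30", "deny"),
    ("30", "10", "deny"),
]


def may_initiate(src: str, dst: str, policy=POLICY) -> bool:
    """Return True if a host in VLAN src may open a session to VLAN dst."""
    for s, d, action in policy:
        if s == src and d == dst:
            return action == "allow"
    return False  # default deny (assumption for this example)


def channels(policy=POLICY, vlans=VLANS) -> Set[frozenset]:
    """Undirected VLAN pairs that can exchange data once a session exists.

    With stateful filtering, an allowed initiation in either direction is
    enough: the filter lets the reply traffic through, so a compromised
    peer on either end can push data over that session.
    """
    chans: Set[frozenset] = set()
    for a in vlans:
        for b in vlans:
            if a != b and may_initiate(a, b, policy):
                chans.add(frozenset((a, b)))
    return chans


def reachable_from(start: str, policy=POLICY, vlans=VLANS) -> Dict[str, List[str]]:
    """VLANs a compromise in `start` could spread to, with one path for each.

    Breadth-first search over the two-way channels; each hop assumes a
    vulnerable device exists in the next VLAN (the thread's premise).
    """
    chans = channels(policy, vlans)
    paths: Dict[str, List[str]] = {start: [start]}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in vlans:
            if nxt not in paths and frozenset((cur, nxt)) in chans:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def pivot_needed(src: str, dst: str, policy=POLICY, vlans=VLANS) -> bool:
    """True when src can only reach dst by hopping through another VLAN."""
    paths = reachable_from(src, policy, vlans)
    return dst in paths and len(paths[dst]) > 2


if __name__ == "__main__":
    # As posted: 10 -> 20 is allowed and 30 -> 20 is allowed, so VLAN 20
    # becomes the pivot and 30 is reachable from 10 via 20.
    print("from VLAN 10:", reachable_from("10"))
    print("pivot needed 10 -> 30:", pivot_needed("10", "30"))
    # Containment variant: VLAN 30 never opens sessions to VLAN 20.
    hardened = [r for r in POLICY if r != ("30", "20", "allow")]
    print("from VLAN 10 (hardened):", reachable_from("10", hardened))
```

Running it with the policy from the question yields the path 10 -> 20 -> 30, which is the chain described in the thread: the VACL stops VLAN 20 from initiating anything, but a session opened from VLAN 30 into VLAN 20 gives the compromised IoT device a channel back. Dropping the 30 -> 20 allow rule (the "hardened" variant) leaves VLAN 30 unreachable from VLAN 10, which is the fully isolated case the thread refers to.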