Possibility of lateral movement between VLAN

[Budgeter]

Let say we have 3 VLANs: 10, 20 and 30.

1. VLANs 10 and 30 for regular devices (laptops, phones, etc)
2. VLAN 20 for IoT device
3. DENY VLAN 20 from establishing any RFC 1918 connection to VLANs 10 and 30. Also, no Internet access.
4. ALLOW VLANs 10 and 30 to establish RFC 1918 connection to VLAN 20. VLANs 10 and 30 have internet access.
5. DENY VLAN 10 from establishing any RFC 1918 connection to VLAN 30 and vice versa.

Assuming a device, on either 10 or 30, is infected, or hacked. What is the possibility of lateral movement between VLANs 10 and 30. If so, under which conditions?

 

[L&LD]

If an infected device is allowed to communicate with another, the chance/possibility of infection is 100% assuming the malware targets both devices in the first place.

Don't connect to what you don't trust. Ever. Once is too much trust.

 

[Budgeter]

If an infected device is allowed to communicate with another, the chance/possibility of infection is 100% assuming the malware targets both devices in the first place.

Don't connect to what you don't trust. Ever. Once is too much trust.

So i guess whenever a connection is established, even it is 1 way, lateral movement is 100% possible? Only when we have a strict containment (fully isolated VLAN), we can prevent lateral movement.
In this case, that means VLAN 10 infects VLAN 20. The malware is stuck there since VACL DENY 20 -> 30. However, if a connection is initialize by device on VLAN 30 to 20, then the malware can continue its infection?

 

[L&LD]

Yes. Everything will get infected (and more quickly than you may think).