Given that adam:one has policies, rules, and devices that can be plugged together any which way you want (similar to VLANs), how much should VLANs and other security measures play when considering public access, IoT devices, guest devices, port forwarding, and such?
In other words, what part should traditional security approaches play when securing a network in light of DTTS and ADAM:one in general?
I would say that they do fundamentally different things.
- VLANs: logical layer 2 isolation of devices into distinct networks
- adam:ONE: policy based layer 3 isolation on a device level
VLANs allow you to firewall a separation barrier between networks, and also limit broadcast traffic for large networks. Traffic inside of each VLAN is not filtered by the firewall.
And adam:ONE doesn’t really care what VLAN a device is on; all it’s concerned about is what layer 3 route it’s taking, e.g. what it’s trying to get to on the Internet or on another VLAN.
Keeping in mind that DTTS will automatically block all traffic between all VLANs.
If you create VLANs after the initial setup of adam:ONE, you will need to replicate all rules in the firewall rules of every VLAN, but an easier way is to run the adamone-setup configure command again and add all the VLAN interfaces to the adam:ONE config.
Here is how we have chosen to traverse this topic. Since we have many adam:ONE nodes spread across many offices, this lets us set up a standard that covers most circumstances.
We have VLANs set up to group the following devices:
- Internal IoT (devices allowed to talk to other VLANs)
- External IoT (devices allowed limited internet access, can talk to each other)
- Guest Devices (allowed limited internet access, cannot talk between devices)
It has not been my understanding that DTTS affects inter-VLAN traffic, only what goes to WAN. Has something changed? Inter-VLAN traffic should be controlled by traditional firewall rules in pfSense or in the dashboard enablers.
It does indeed affect inter-VLAN traffic. I use enablers on the adam:ONE dashboard to control that traffic.
I do as well. I suppose anywhere those firewall rules in pfSense are copied to, DTTS would apply.
In short, when setting up pfSense as default, it has rules that allow any traffic to any network. When setting up adam with DTTS, it replaces those rules, only allowing traffic via DNS to the WAN unless you allow IP traffic via an enabler.
Under correction, with DTTS the config blocks all RFC1918 traffic.
Without DTTS, inter-VLAN communication is not affected and the traffic will still be allowed.
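To make the before/after described in the last few posts concrete, here is an added model (not adam:ONE or pfSense code) of the two rule sets: the stock allow-any behaviour versus a DTTS-style policy that allows DNS to the gateway, blocks RFC1918 destinations (i.e. other VLANs), and passes WAN traffic only for addresses learned from a DNS answer or opened by an enabler. The addresses, the Enabler shape and the "learned from DNS" set are constructed assumptions for the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the model: several VLANs behind one gateway.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GATEWAY = "192.168.10.1"  # constructed: the adam:ONE / pfSense resolver address

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Enabler:
    """An explicit IP-traffic exception, standing in for a dashboard enabler."""
    dst_net: str
    proto: str
    dport: int

def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def default_pfsense(flow: Flow) -> str:
    """Stock pfSense LAN rule set: any to any, so inter-VLAN and WAN both pass."""
    return "pass"

def dtts(flow: Flow, enablers=(), dns_resolved=frozenset()) -> str:
    """DTTS-style evaluation as the thread describes it (modelling assumption)."""
    # Enablers are the admin's deliberate exceptions and are checked first.
    for e in enablers:
        if (ipaddress.ip_address(flow.dst) in ipaddress.ip_network(e.dst_net)
                and flow.proto == e.proto and flow.dport == e.dport):
            return "pass"
    # DNS to the gateway resolver is the one thing every VLAN may always do.
    if flow.dst == GATEWAY and flow.dport == 53:
        return "pass"
    # Everything else bound for RFC1918 space (i.e. another VLAN) is blocked.
    if is_rfc1918(flow.dst):
        return "block"
    # WAN traffic passes only if the address came back in a DNS answer.
    return "pass" if flow.dst in dns_resolved else "block"

def compare(flows, enablers=(), dns_resolved=frozenset()):
    """Return {flow: (default pfSense verdict, DTTS verdict)} for each flow."""
    return {f: (default_pfsense(f), dtts(f, enablers, dns_resolved)) for f in flows}
```

Running compare() over a guest-to-IoT flow shows the point of the thread: the stock rule set passes it, the DTTS-style set blocks it unless an enabler covers that destination.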