Originally Posted by rthonpm
Many of our larger customers are actually building out dedicated VLANs just for their printers and other devices so that they can segment traffic and device types. With printers it's especially useful as the web interfaces for a lot of devices can't use newer TLS versions or contain very old cipher suites. With a VLAN, you can grant a single PC or terminal server HTTP access to all of the devices and have a lower security setting for a single browser to access them. While I don't get directly involved in them beyond troubleshooting any odd ports that are needed, as a company we're beginning to add whether VLANs are a part of a customer network during our site surveys.
For the last customer we assisted with one, we had them allow ports 515 and 9100 for printing inbound, HTTP inbound from a management PC, SMB outbound to their file server for scan to folder, and SMTP outbound to their internal mail relay for scan to email. SNMP and the ports for their monitoring software were enabled inbound and outbound only to the specific IP of the monitoring system. All other traffic was blocked.
Their network guys further narrowed some of those down to only allowing printing from their server VLAN to ensure that users were only using print queues from their print server and other server-based applications. Similarly, SMB was also limited to just the file servers to ensure no rogue shares were on any of the machines.
Sent from my BlackBerry using Tapatalk
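The allow-list the post describes, as an added example rather than rthonpm's own configuration: a small Python model of the printer-VLAN policy using constructed addresses, with an audit function that shows which captured flows the policy would block before it is enforced.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example; the post names no addresses.
PRINTER_VLAN = ip_network("10.20.0.0/24")
SERVER_VLAN = ip_network("10.10.0.0/24")   # print server and other server-based apps
FILE_SERVER = ip_network("10.10.0.5/32")
MAIL_RELAY = ip_network("10.10.0.25/32")
MONITOR = ip_network("10.10.0.50/32")
MGMT_PC = ip_network("10.30.0.7/32")       # the single browser allowed to reach web UIs

@dataclass(frozen=True)
class Rule:
    src: object
    dst: object
    proto: str
    port: int
    note: str

# Allow-list for new connections, first match wins; anything unmatched is denied.
# Return traffic is assumed to be handled by the firewall's connection tracking.
RULES = [
    Rule(SERVER_VLAN, PRINTER_VLAN, "tcp", 515, "LPD print queues from the print server"),
    Rule(SERVER_VLAN, PRINTER_VLAN, "tcp", 9100, "raw/JetDirect printing from the print server"),
    Rule(MGMT_PC, PRINTER_VLAN, "tcp", 80, "HTTP to device web UIs from the management PC"),
    Rule(PRINTER_VLAN, FILE_SERVER, "tcp", 445, "SMB scan-to-folder to the file server only"),
    Rule(PRINTER_VLAN, MAIL_RELAY, "tcp", 25, "SMTP scan-to-email to the internal relay"),
    Rule(MONITOR, PRINTER_VLAN, "udp", 161, "SNMP polling from the monitoring system"),
    Rule(PRINTER_VLAN, MONITOR, "udp", 162, "SNMP traps back to the monitoring system"),
]

def evaluate(src: str, dst: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for a new connection src -> dst:port."""
    s, d = ip_address(src), ip_address(dst)
    for r in RULES:
        if s in r.src and d in r.dst and proto == r.proto and port == r.port:
            return "allow"
    return "deny"

def audit(flows):
    """Report which observed flows the policy would block, for review before cutover."""
    return [f for f in flows if evaluate(*f) == "deny"]

# Constructed sample flows, e.g. from a flow export taken before the policy is enforced.
SAMPLE_FLOWS = [
    ("10.10.0.3", "10.20.0.9", "tcp", 9100),   # print server -> printer: allowed
    ("10.30.0.42", "10.20.0.9", "tcp", 9100),  # user PC printing directly: blocked
    ("10.20.0.9", "10.30.0.42", "tcp", 445),   # printer -> rogue share on a PC: blocked
    ("10.30.0.42", "10.20.0.9", "tcp", 80),    # user PC -> device web UI: blocked
]
```

Running `audit(SAMPLE_FLOWS)` before cutover lists the three blocked flows, which is the point at which odd ports needed by a site (the troubleshooting the post mentions) surface.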