A branch office has users, finance workstations, printers, and IP phones on one flat LAN. After a malware outbreak on a user PC, management wants to limit lateral movement without blocking printing or voice traffic. What should the network team implement?
- A
Move all devices into one larger subnet and rely on endpoint antivirus for separation.
Why wrong: This removes any network-level containment and depends too heavily on endpoint detection after compromise occurs.
- B
Create separate VLANs for device groups and apply inter-VLAN ACLs that permit only required traffic.
Why correct: Segmenting by device class (users, finance, printers, phones) and filtering at the layer-3 boundary limits what a compromised user PC can reach, while the ACLs still permit the specific flows the business needs: print protocols (IPP on TCP 631, raw printing on TCP 9100) from the user and finance VLANs to the printer VLAN, and VoIP signaling and media (for example SIP and RTP) between the phones and the call manager. A user PC then has no path to the finance workstations or to the phones, and a printer or phone cannot initiate connections back to user VLANs.
- C
Place all devices behind a single proxy server and block all internal east-west traffic.
Why wrong: A proxy does not solve internal segmentation for printers and phones, and blocking all east-west traffic would break normal operations.
- D
Enable port security on the switch and disable all VLAN tagging to reduce complexity.
Why wrong: Port security may help with some access control, but it does not provide the needed policy separation across device types.
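What option B looks like in practice, as an added example that is not part of the original question: a Cisco IOS-style layer-3 switch configuration with one VLAN per device class and an inbound ACL on each SVI. The VLAN IDs, the 10.1.0.0/16 addressing, the DHCP/DNS server at 10.1.1.10, the call manager and voice gateway at 10.1.1.20, and the choice of SIP for the phones are all assumptions for illustration.

```cisco
! Added example, not from the original page. Addresses, VLAN IDs and the
! phones' signaling protocol (SIP) are assumptions.
vlan 10
 name USERS
vlan 20
 name FINANCE
vlan 30
 name PRINTERS
vlan 40
 name VOICE
!
! One SVI per VLAN. The inbound ACL on each SVI filters what that group sends
! to other groups; traffic that stays inside a VLAN never crosses the SVI.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group USERS-IN in
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group FINANCE-IN in
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group PRINTERS-IN in
interface Vlan40
 ip address 10.1.40.1 255.255.255.0
 ip helper-address 10.1.1.10
 ip access-group VOICE-IN in
!
! Access port with a PC daisy-chained behind a phone: PC on the data VLAN,
! phone on the voice VLAN (the phone tags its own frames with VLAN 40).
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 40
!
! Users: DHCP, DNS, printing (IPP 631, raw 9100), then everything else inside
! the site (10.1.0.0/16 assumed) is denied and logged. Traffic leaving the site
! is allowed here and is the perimeter firewall's job.
ip access-list extended USERS-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.1.10.0 0.0.0.255 host 10.1.1.10 eq 53
 permit tcp 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 631
 permit tcp 10.1.10.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 9100
 deny   ip 10.1.10.0 0.0.0.255 10.1.0.0 0.0.255.255 log
 permit ip 10.1.10.0 0.0.0.255 any
!
! Finance: same pattern in its own VLAN, so a user PC has no route to it.
ip access-list extended FINANCE-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.1.20.0 0.0.0.255 host 10.1.1.10 eq 53
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 631
 permit tcp 10.1.20.0 0.0.0.255 10.1.30.0 0.0.0.255 eq 9100
 deny   ip 10.1.20.0 0.0.0.255 10.1.0.0 0.0.255.255 log
 permit ip 10.1.20.0 0.0.0.255 any
!
! Printers never initiate connections. ACLs are stateless, so the return half
! of each print session must be allowed explicitly; "established" matches only
! TCP segments with ACK or RST set, so a printer cannot open new sessions.
ip access-list extended PRINTERS-IN
 permit udp any eq bootpc any eq bootps
 permit tcp 10.1.30.0 0.0.0.255 eq 631 10.1.10.0 0.0.0.255 established
 permit tcp 10.1.30.0 0.0.0.255 eq 9100 10.1.10.0 0.0.0.255 established
 permit tcp 10.1.30.0 0.0.0.255 eq 631 10.1.20.0 0.0.0.255 established
 permit tcp 10.1.30.0 0.0.0.255 eq 9100 10.1.20.0 0.0.0.255 established
 deny   ip any any log
!
! Phones: DHCP, DNS, TFTP config and SIP signaling to the call manager, RTP to
! the voice gateway (assumed at the same address). Phone-to-phone RTP stays
! inside VLAN 40 and is not filtered. Phones get no path to user or finance PCs.
ip access-list extended VOICE-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.1.40.0 0.0.0.255 host 10.1.1.10 eq 53
 permit udp 10.1.40.0 0.0.0.255 host 10.1.1.20 eq tftp
 permit udp 10.1.40.0 0.0.0.255 host 10.1.1.20 eq 5060
 permit tcp 10.1.40.0 0.0.0.255 host 10.1.1.20 range 5060 5061
 permit udp 10.1.40.0 0.0.0.255 host 10.1.1.20 range 16384 32767
 deny   ip any any log
```

Two caveats a network team should weigh before deploying something like this. First, router ACLs are stateless: the `established` entries above only check TCP flags, so a device in the printer VLAN could still send ACK-flagged probes toward user PCs; a stateful firewall between the VLANs (or zone-based firewalling on the switch where it is supported) removes that gap. Second, inter-VLAN ACLs do nothing about traffic between two hosts in the same VLAN, so user-PC-to-user-PC movement still needs host firewalls or private VLANs. Neither changes the answer: VLANs plus inter-VLAN filtering is the control that contains the outbreak without breaking printing or voice.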