Isolating a Windows 7 Machine using VLAN -- Security Questions

I’m restructuring a network for a small business. One of our machines absolutely has to continue running Windows 7 because we’re running Adobe software that’s not guaranteed to work if we upgraded to W10, but W7 end of life means keeping this machine on the network is a big security hole.

I’m planning on creating a separate VLAN network so the Windows 7 machine will be able to connect to the internet in isolation from the rest of the network; however, we would ideally like to be able to print from this machine on a XEROX WorkCentre printer that would be connected to the main network. Would connecting the Windows 7 machine directly using USB be opening the main network up to the security hole?


How are you going to isolate the Win 7 machine? Firewall? If so, just do a one way firewall rule to allow access to the printer.

VLANing implies all the devices on the VLAN are in the same broadcast domain. Normally broadcast domains are connected with routers (or a routing firewall.) Since this is just one machine, skip the VLAN and just put it on its own firewall. Configure the firewall to disallow it to talk to the rest of the network, and to limit its ability to access the outside world as well. (Allowing it to wave hi to Adobe and nothing else, for example.) The firewall could allow access to the printer also.

This still doesn’t address your actual question. If the printer can be compromised, then it could still be used as a vector to the rest of the network.

Thank you, I’ll keep that in mind moving forward!

As @PHolder says, you need either a routing firewall (expensive) or a VLAN capable firewall/router.

You can set up the Windows 7 device to be isolated on its own VLAN and just route the printer port to the printer on the main VLAN.

I would think, at the current time, isolating the Windows 7 device from the Internet would be much more important than isolating it from the local network (we do both; our lab and production PCs need Windows XP and Windows 7, because the equipment manufacturers (CNC machines, spectrophotometers etc.) haven’t updated the software or drivers to work with Windows 7 or Windows 10, depending on the age of the devices). Those devices cost 6 or 7 figures or more and are still running fine, so spending 6 figures just to be able to upgrade to Windows 10 is not an option. Therefore they are on their own isolated segment, no internet access and no local network access.

They do have access to a single fileserver that straddles both networks and runs AV software and is firewalled.
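Both answers above describe the same policy: a routing firewall between the Windows 7 VLAN and everything else, with a one-way rule to the printer and a short allow-list for the outside world. The nftables ruleset below is an added example of that policy, not anything posted by the answerers. The interface names (vlan20, vlan10, eth0), all addresses, and the vendor address list are constructed placeholders; the printer port is assumed to be raw TCP 9100, which Xerox WorkCentre devices commonly expose, but the port (or LPD 515 / IPP 631) should be checked on the actual printer.

```nft
#!/usr/sbin/nft -f
# Constructed example topology (replace with your own values):
#   vlan20 = isolated VLAN holding only the Windows 7 host
#   vlan10 = main office VLAN holding the printer
#   eth0   = WAN uplink
define WIN7_IF  = vlan20
define MAIN_IF  = vlan10
define WAN_IF   = eth0
define WIN7     = 10.0.20.10
define MAIN_LAN = 10.0.10.0/24
define PRINTER  = 10.0.10.50

flush table inet win7_isolation
table inet win7_isolation {
    # Placeholder vendor addresses; replace with the ranges the software vendor documents.
    set vendor_hosts {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    # Placeholder upstream resolver reached via the WAN, so the host never
    # needs to talk to anything on the main LAN except the printer.
    set dns_resolvers {
        type ipv4_addr
        elements = { 192.0.2.53 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # "One way": only replies to connections the Windows 7 host opened
        # come back. The printer (or anything else) cannot open a
        # connection toward the isolated host because no rule accepts
        # ct state new in that direction and the chain policy is drop.
        ct state established,related accept
        ct state invalid drop

        # Windows 7 -> printer, raw print port only.
        iifname $WIN7_IF oifname $MAIN_IF \
            ip saddr $WIN7 ip daddr $PRINTER tcp dport 9100 ct state new accept

        # Windows 7 -> DNS and the vendor's hosts on the Internet, nothing else.
        iifname $WIN7_IF oifname $WAN_IF \
            ip saddr $WIN7 ip daddr @dns_resolvers udp dport 53 accept
        iifname $WIN7_IF oifname $WAN_IF \
            ip saddr $WIN7 ip daddr @vendor_hosts tcp dport { 80, 443 } ct state new accept

        # Anything else leaving the isolated VLAN is logged so drops are visible.
        iifname $WIN7_IF log prefix "win7-isolation drop: " drop

        # This table has its own drop policy, so the normal office path
        # still has to be allowed here (or carried in another table).
        iifname $MAIN_IF oifname $WAN_IF ip saddr $MAIN_LAN accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet win7_isolation`. For the lab setup described in the second answer (no Internet access at all), delete the two WAN rules and the two sets; the chain policy then drops everything except the printer flow and its replies. The log line is the check worth keeping: if the Windows 7 host ever tries to reach the main LAN beyond port 9100 on the printer, it shows up in the kernel log rather than silently succeeding.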

