I hope I can ask for advice here. I didn't see anything against this in the rules, but also don't want to harsh the vibe. If it's not ok, please delete my most.
TL;DR - I need to share a network printer with the greater network, while also making it available to non-networked Windows XP and Vista computers. I am seeking advice on how to do this without connecting the out-of-compliance computers to the network (or to each other).
I can't believe I have to consider this problem, but here I am. We have a bunch of equipment ranging from about $20k to over $250k each, with computers running Windows Vista and Windows XP. We can't replace the computers, because both the software and device drivers are proprietary and we can't get the updated versions without purchasing new devices. The department must be able to print from these computers.
So far, I've implemented a "floating USB" methodology, where the printer is connected through one USB cable that the tech moves from computer to computer, as s/he needs to print. They only ever use one, MAYBE two, at a time, so the floating USB isn't as inconvenient as it sounds. The subscription on the printer that's in there now, ends soon and corporate is unwilling/unable to renew at this time. The only other printer the department has, is across the hall.
I proposed to move that printer to the other office, connect it to the network to allow them continued ability to print from their laptops, while continuing the floating USB for the WinXP and WinVista machines. They declined, as they use that printer quite often, and don't want to have to run across the hall during high-stress tasks.
I thought about running USB the distance, but it's capped at about 5 meters / 16 feet.
My latest proposals include an active USB extension cable or USB-over-Ethernet and running USB cabling in the rafters, which will allow for the floating USB method as well as keep the printer networked. My goal is to keep these XP and Vista computers disconnected from the network. I know connecting them to a networked printer isn't great, but it's better than connecting them directly to the greater network.
Another idea I had was to create a physically segregated network for these computers only, disconnected from the greater network, with the printer connected to this network's firewall via USB and shared as a Networked printer inside this internal network. The printer will also be connected to the greater network via Ethernet, and used there. The issue I have with this, is that it keeps the XP/Vista computers connected to each other and to the printer, which still holds the risk of infection spreading among them.
I'm anticipating the (worst case) push to connect them to the internal network and "just put them behind the firewall," which, as you all know, is a very bad idea. Therefore, I'm trying to amass as many viable ideas as I can, in the hope that one of them will prevent the worst case.
Does anyone have any other ideas for sharing this printer with networked and non-networked computers?
Put the printers in a new VLAN, only allow traffic to that printer.
If the only allowed packets are to/from that printer that's pretty much the same as now anyway.
It's not like USB is somehow secure.
Also, FWIW, your current setup would be much less annoying with a USB Switch.
That's a great idea. The switch with the USB over CAT5/6 would probably solve it, at least until that becomes "too much walking" haha
Edit: VLANing in this scenario won't work, because VLAN hopping isn't impossible. Since these OSs were fully EOLed 10+ years ago, the risk that the potential VLAN hopping poses is too high for this environment. Definitely not a bad idea under other circumstances, though. Thanks!
Even if you assume the end device is compromised, VLAN hopping is a switch configuration issue that's been dealt with ages ago. Just follow the best practices for that and you'll be fine.
For your use case, even if you had a multitude of those hosts, you could put them all in a single Private VLAN, which would also be preventing peer-to-peer traffic, which I think you also wanna do, all in a scalable and easy way.