5.3 VLANs


VLANs are a common way to increase security on switches. A VLAN is a way to segment ports on a switch so that each port appears to be part of a different network. While the benefits of VLANs are readily apparent, many administrators do not like them, and in fact actively despise them. The arguments against VLANs tend to focus more on the platform than the actual VLAN concept.

The arguments against VLANs basically boil down to this: Given the lax security policies most administrators apply to switches, using VLANs is like putting a steel lock on a paper chain. Administrators who rely on VLANs, or any other single security measure for that matter, to protect their network, are leaving themselves open to attacks. On the other hand, VLANs used in conjunction with the other security measures outlined in this chapter will provide a network with an added layer of security.

VLANs help control traffic by breaking up a large broadcast domain into smaller, more manageable domains. This decreases the amount of broadcast traffic, and helps to keep data segmented. In practical terms, this turns a switch into two, three, or 24 switches. This keeps traffic levels down, and allows administrators to extend the life of switches, in terms of bandwidth, and in large switch deployments it can even collapse your switching infrastructure into three or four large switches, instead of 10 smaller switches. Most switching vendors support 4,084 VLANs per switch but check to make sure that your switch does support that many.

Refer again to Figure 5.1. The entire network uses one large netblock: 10.10.10.0/24. A lot of broadcast traffic can be generated across a large, flat network when all nodes are part of the same netblock. One way to reduce the amount of traffic is to subnet the IP block into more manageable chunks. Then administrators can assign the different chunks to each workgroup, or business unit. This method of segmentation can be hard to manage. VLANs are essentially the same as subnetted netblocks: a packet must travel through a router or other Layer 3 device to move from one VLAN to another.

In Figure 5.5 the network presented in Figure 5.1 is fleshed out a little more, and VLANs have been added. There are three switches. All of the active ports on Switch 1 have been assigned to VLAN 1, while all of the active ports on Switch 2 have been assigned to VLAN 2. The two core switches are both part of VLANs 1 and 2.

Figure 5.5. A flat network that uses VLANS to limit broadcast domains


Generally VLANs are most useful when you share the information between multiple switches. When VLAN information is passed from one switch to the next it is referred to as tagging. The Institute of Electrical and Electronics Engineers (IEEE) has established the standard for VLAN tagging as 802.1Q. Using 802.1Q to share VLAN information is recommended, though many switch vendors have developed their own ways to share information. For example, Cisco has a proprietary protocol called Inter-Switch Link (ISL) that behaves similarly to 802.1Q. Check with your vendor to see what type of VLAN tagging is supported.
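As an added illustration of what 802.1Q tagging looks like on the wire (this code is not from the book), the following Python parser pulls the VLAN ID, priority and inner EtherType out of a tagged Ethernet frame. The two sample frames are constructed, not captured from a real network.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows

# Constructed sample frames (not captured from any network): a broadcast ARP
# request tagged with VLAN 2, and the same frame without a tag.
TAGGED_FRAME = (bytes.fromhex("ffffffffffff" "001122334455")  # dst MAC, src MAC
                + bytes.fromhex("8100")                       # TPID
                + bytes.fromhex("0002")                       # TCI: PCP 0, DEI 0, VID 2
                + bytes.fromhex("0806")                       # inner EtherType: ARP
                + b"\x00" * 28)                               # dummy ARP payload
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + b"\x00" * 28


def parse_8021q(frame: bytes) -> dict:
    """Decode the Ethernet header and, when present, the 4-byte 802.1Q tag.

    The tag sits between the source MAC and the original EtherType: a 2-byte
    TPID (0x8100) followed by a 2-byte TCI holding the 3-bit priority (PCP),
    a 1-bit drop-eligible flag (DEI) and the 12-bit VLAN ID (VID).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None,
            "priority": None, "dei": None, "ethertype": ethertype}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        info["priority"] = tci >> 13        # PCP: top 3 bits of the TCI
        info["dei"] = (tci >> 12) & 0x1     # DEI: next bit
        info["vlan"] = tci & 0x0FFF         # VID: low 12 bits (0 = priority-tagged only, 4095 reserved)
        info["ethertype"] = inner_type      # EtherType of the encapsulated payload
    return info


if __name__ == "__main__":
    for frame in (TAGGED_FRAME, UNTAGGED_FRAME):
        print(parse_8021q(frame))
```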

At this point, we have managed to significantly contain broadcast traffic. Instead of Switch 1 and Switch 2 seeing all traffic destined for the other switch, they now only see broadcast requests for machines on their own switch.

To contain broadcast traffic even more, the next step is to configure VLANs on the third switch. The third switch only has file servers attached to it. Each group has its own file server, and obviously the users are continuously accessing these file servers. Because the file servers do not move often, each port can be assigned to the VLAN that corresponds to the VLAN of the group that uses that file server. If there are ten different groups within an organization (and therefore 10 file servers), broadcast traffic can be reduced by an additional 50 percent by assigning each file server's port to a different VLAN.

If members of an organization are heavy laptop users who move from location to location within the network, you can also create dynamic VLANs. A dynamic VLAN is configured based on the MAC address of the device connecting to the switch. The MAC address is added to a database on the switch. Because VLAN information is shared among all switches, whenever that MAC address plugs into any switch on the network it is automatically added to that VLAN and is able to talk to the rest of the machines in that VLAN.

VLANs are a great way to help ensure availability on the network, and they can isolate traffic, but do they have any other security value?

5.3.1 VLAN Security

As discussed in the previous section, VLANs help to increase availability, and they can keep traffic isolated, preventing others from sniffing data they should not. However, VLANs can also help restrict access to your network, if they are deployed properly.

Switches are generally viewed as "plug and go" equipment. A network administrator purchases a switch, plugs it into the network, plugs workstations/servers into the switch, and it starts working. This ease of deployment is one of the reasons that switches have such a poor security reputation. For switches that support VLANs, all ports on the switch are initially configured to be part of the default VLAN (usually VLAN 1). While this makes switch installation very simple, it also makes it very easy for someone to gain access to the network using the switch.

To improve security on switches, remove the default VLAN. Each port on the switch should have to be added to the appropriate VLAN. Even if all machines on a switch are part of the same VLAN, any empty ports should be configured with no VLAN. Or, if the switch does not support removal of the default VLAN, the active ports on the switch should be switched to a different VLAN.

Removing the workstations/servers from the default VLAN is important, but it is imperative that the port connected to the upstream switch or router be removed from the default VLAN as well. Because the upstream port is tagged with all of the VLANs, an attacker who is able to determine the default VLAN for the tagged port may be able to sniff all traffic on the network. Not only should the trunked port not be in the default VLAN, but it should have a native VLAN number that is unique.

NOTE

The SANS Institute performed a test, using an intrusion detection system, on VLAN security. It found that with a little bit of testing an attacker could successfully sniff traffic on a LAN that used default VLAN configuration settings. SANS engineers recommend not using VLANs as the sole method of enforcing switch security policy. They also recommend not putting the trunking ports in the native VLAN. Read more about the study online on the SANS Institute website (www.sans.org/).
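The hardening steps above (no port left in the default VLAN, trunk ports out of VLAN 1, a unique native VLAN on each trunk) can be checked mechanically. The following Python audit script is an added example, not from the book or any vendor: it reads a constructed Cisco IOS-style configuration (the `switchport` and `shutdown` keywords are real IOS syntax; the interface names and VLAN numbers are made up) and flags access ports still in VLAN 1, trunks whose native VLAN is still VLAN 1, and trunks whose native VLAN is also used for access ports.

```python
import re
DEFAULT_VLAN = 1  # untouched ports and trunk native VLANs default to VLAN 1

# Constructed IOS-style sample (not from the book); only the real IOS keywords 'switchport' and 'shutdown' are interpreted.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
interface FastEthernet0/2
 description unused
interface FastEthernet0/3
 shutdown
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 10
"""


def parse_interfaces(config: str) -> dict:
    """Group each interface's indented config lines under its name."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_vlans(config: str) -> list:
    """Return (interface, finding) pairs for ports that break the VLAN hardening rules."""
    findings, access_vlans, trunk_native = [], set(), {}
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # a disabled port carries no traffic
        is_trunk = "switchport mode trunk" in lines  # assumption: any other port is treated as an access port
        m = re.search(r"switchport (?:access|trunk native) vlan (\d+)", "\n".join(lines))
        vlan = int(m.group(1)) if m else DEFAULT_VLAN  # no explicit VLAN means VLAN 1
        if is_trunk:
            trunk_native[name] = vlan
        else:
            access_vlans.add(vlan)
            if vlan == DEFAULT_VLAN:
                findings.append((name, "access port left in default VLAN 1"))
    for name, native in trunk_native.items():
        if native == DEFAULT_VLAN:
            findings.append((name, "trunk native VLAN is the default VLAN 1"))
        elif native in access_vlans:
            findings.append((name, f"trunk native VLAN {native} is also used by access ports"))
    return findings
```

Running `audit_vlans(SAMPLE_CONFIG)` reports FastEthernet0/2, GigabitEthernet0/1 and GigabitEthernet0/2; the shut-down port is skipped and the port in VLAN 10 passes.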




The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska