AntiOnline: Maximum Security for a Connected World

First, a brief explanation of VLANs is in order, courtesy of Webopedia, our "IT glossary" sister site:

Short for virtual LAN, a network of computers that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs is that when a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration.

The benefits are immediately apparent. Gone are the days of dedicated wiring and configuring each and every client system. This comes in handy when setting up departmental segments of a network where all of the workers of the marketing group, for instance, don't share the same floor in an office building.

This week we spotlight HTRegz's tutorial on VLANs and why they make sense for IT staffers deploying robust and flexible networks. Of course, it wouldn't be an AntiOnline spotlight without a security angle.

Keep reading for the security implications of employing VLANs.


Note: The opinions expressed below are solely those of the individual posters on the AntiOnline forums.

Direct link to this week's spotlight thread:

Introduction to VLANs

HTRegz outlines a straightforward but inefficient physical network layout.

Example:

You have Accounting and Marketing Departments. These departments both have 7 employees and 1 manager. Being a large corporation, your managers aren't on the same floor as the rest of the employees; they're a few floors up with bigger offices. Yet you want all people related to Accounting on one network and all those related to Marketing on another, including the managers. This would be a pain if you were designing your network using physical layouts. You'd have to run some massively long wires and it would be counterproductive if someone ever moved. Your switches would look something like this.

Accounting Switch               Marketing Switch
X X X X X X X X                 X X X X X X X X
| | | | | | | |                 | | | | | | | | 
S S S S S S S 2                 S S S S S S S 2
A A A A A A A                   A A A A A A A  
M M M M M M M F                 M M M M M M M F
E E E E E E E L                 E E E E E E E L
              O                               O
F F F F F F F O                 F F F F F F F O
L L L L L L L R                 L L L L L L L R
O O O O O O O S                 O O O O O O O S 
O O O O O O O                   O O O O O O O   
R R R R R R R U                 R R R R R R R U
              P                               P
This would be rather messy. If someone moves to a different cubicle or office, you would have to run wires back to the original switch.
VLANs to the rescue!
You set up 2 VLANs in your company: VLAN1 - Accounting and VLAN2 - Marketing. You configure your switches. Instead of the two 8-port switches, you'd have a 16-port and for the other anything over 3 ports would do the trick, but we'll say an 8-port. On the floor with all the bean counters you'd have the 16-port switch. (Same floor abbreviated to SF to save space.)
Employee Switch
     VLAN1     |     VLAN2
X X X X X X X X X X X X X X X X
| | | | | | |   | | | | | | | |
S S S S S S S   S S S S S S S T
F F F F F F F   F F F F F F F R
                              U
                              N
                              K


Manager Switch
 VLAN1 | VLAN2
X X X X X X X X
|       |     |
S       S     T
F       F     R
              U
              N
              K
Possible security implications? HTRegz explains in a follow-up post.
We all know that switches segment collision domains, thus making it more difficult to sniff a switch (programs like ettercap are required), unless of course you only want to listen to broadcasts, because switches don't create broadcast domains.

However, VLANs do create broadcast domains. A broadcast cannot travel from one VLAN to another. Although I don't see a security use for this, someone with more experience may see something, but it's a thought to put out. Limiting the broadcast domain would keep the users seeing broadcasts to a minimum.
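The two posts above describe a topology (a 16-port Employee Switch and an 8-port Manager Switch joined by a trunk) and a behaviour (a broadcast stays inside its VLAN). The following Python model is an added example, not code from the AntiOnline thread or from HTRegz; it builds that topology and floods a broadcast through it to show which ports receive the frame. The port names (e1-e16, m1-m8) and VLAN numbers are assumptions chosen to match the diagram; the model ignores MAC learning and treats every trunk as carrying all VLANs tagged.

```python
# Added example (not from the AntiOnline thread): a small model of the two
# switches HTRegz describes, used to show that a broadcast is flooded only
# to ports in the same VLAN, crossing the trunk but never the VLAN boundary.
# Port names and VLAN numbers are assumptions chosen to match the diagram.

ACCOUNTING, MARKETING = 1, 2


class Switch:
    """A switch with access ports (one VLAN each) and trunk ports to peers."""

    def __init__(self, name):
        self.name = name
        self.access = {}   # port name -> access VLAN id
        self.trunks = {}   # port name -> (peer switch, peer's trunk port)

    def add_access(self, port, vlan):
        self.access[port] = vlan

    def connect_trunk(self, port, peer, peer_port):
        """Wire a trunk in both directions; it carries every VLAN, tagged."""
        self.trunks[port] = (peer, peer_port)
        peer.trunks[peer_port] = (self, port)

    def broadcast_from(self, port):
        """Return the set of 'switch:port' endpoints that receive a broadcast
        entering `port`. The ingress access port decides the VLAN tag."""
        vlan = self.access[port]
        return self._flood(vlan, exclude=port)

    def _flood(self, vlan, exclude):
        reached = set()
        # Access ports: only those in the frame's VLAN receive it.
        for p, v in self.access.items():
            if p != exclude and v == vlan:
                reached.add(f"{self.name}:{p}")
        # Trunk ports: forward the tagged frame to the peer, which floods
        # within the same VLAN but never back out the trunk it arrived on.
        for p, (peer, peer_port) in self.trunks.items():
            if p != exclude:
                reached |= peer._flood(vlan, exclude=peer_port)
        return reached


def build_thread_topology():
    """The 16-port Employee Switch and 8-port Manager Switch from the post."""
    emp = Switch("employee")
    for i in range(1, 8):            # ports 1-7: Accounting staff (VLAN1)
        emp.add_access(f"e{i}", ACCOUNTING)
    for i in range(9, 16):           # ports 9-15: Marketing staff (VLAN2)
        emp.add_access(f"e{i}", MARKETING)
    mgr = Switch("manager")
    mgr.add_access("m1", ACCOUNTING)   # Accounting manager, a few floors up
    mgr.add_access("m5", MARKETING)    # Marketing manager
    emp.connect_trunk("e16", mgr, "m8")  # port 16 <-> port 8 is the trunk
    return emp, mgr


def broadcast_reach():
    """Who hears a broadcast from an Accounting PC, and from the Marketing manager."""
    emp, mgr = build_thread_topology()
    from_accounting_pc = emp.broadcast_from("e1")
    from_marketing_mgr = mgr.broadcast_from("m5")
    return from_accounting_pc, from_marketing_mgr


if __name__ == "__main__":
    acct, mkt = broadcast_reach()
    print("Broadcast from Accounting PC e1 reaches:", sorted(acct))
    print("Broadcast from Marketing manager m5 reaches:", sorted(mkt))
```

Running it shows the Accounting broadcast reaching the six other Accounting ports on the Employee Switch plus the Accounting manager across the trunk, and nothing in Marketing; the Marketing manager's broadcast reaches only the seven Marketing ports downstairs. The trunk is the one link that carries both VLANs, so in a real deployment the access/trunk configuration of that port is what the isolation rests on, and it is the setting worth auditing when checking that the two departments really are in separate broadcast domains.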

Share your VLAN experiences, tips and recommendations here.


What is AntiOnline?

AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on security hazards and how to protect your systems against them.

We invite you to join the AO community (it's free!), share your wisdom and learn a few things in the process. Stay tuned as Enterprise IT Planet spotlights the eye-opening discussions and expert participants that have helped make AO the "go to" online resource for network security.