A virtual local area network (VLAN) is a logically isolated Layer 2 network, a separate broadcast domain, that does not require its member devices to be physically close to one another. This freedom from physical location lets network engineers assign groups of devices to specific VLANs and build a more secure, segmented topology.
With VLAN segmentation, an attacker who compromises a device is initially confined to the resources and privileges reachable from that device's subnet. VLAN segmentation brings its own security considerations, however, and the traffic that crosses between subnets in particular needs careful control.
VLANs were one of the first ways of isolating network segments, and remain one of the simplest.
To build a better picture of how VLANs work, let's compare them with a more modern approach to network segmentation: Software Defined Networking (SDN).
Here’s how VLAN segmentation works.
A host's frames enter the switch on the port it is plugged into, and the switch assigns them to that port's VLAN. Traffic to other members of the same VLAN is forwarded at Layer 2 by the switches alone and never needs a router.
Traffic destined for another VLAN has to leave the segment through a router or Layer 3 switch, and that hop is where inter-VLAN policy is enforced.
Controlling which users and devices land in which VLAN is key to secure segmentation. In many organizations VLAN membership is assigned statically to switch ports, or dynamically by MAC address. The switch then forwards a frame only to ports that belong to the same VLAN, letting network administrators enforce VLAN boundaries across the organization.
Port assignment isn't the only mechanism, though: a single link can carry several VLANs at once using VLAN tagging (IEEE 802.1Q).
Tagging inserts a 4-byte tag into the Ethernet frame header, carrying a 12-bit VLAN ID. A switch receiving a tagged frame on a trunk port forwards it only within the VLAN named in the tag, so data cannot leak into other VLANs. Because VLAN tags live at Layer 2, independent of IP addressing, devices can be placed in the same VLAN even if they sit in different IP address ranges (in practice, though, one VLAN is normally mapped to exactly one IP subnet so that routing and ACLs line up with the segment boundaries).
While VLANs are scalable and very flexible, switches remain integral to their implementation. This switch-based form of segmentation is no longer the only option, however.
SDN abstracts the control plane away from the physical hardware. Rather than relying on switch-level segmentation, an SDN can apply logical segmentation policies from a central controller to achieve a similar effect.
For network segmentation, the important distinction is that VLANs carve relatively static groups of devices (defined by switch port or MAC address) into Layer 2 segments on the switches themselves, whereas SDN is a broader approach that manages network access for groups, devices and workloads from a central control plane.
The main benefit of segmenting a network is that it limits lateral (east-west) movement.
This directly restricts the paths malicious actors and malware can take when moving through your organization. Alongside this, VLAN segmentation offers a few other advantages that follow from its simplicity.
Within a LAN, devices constantly send broadcasts (ARP and DHCP, for example) to communicate and locate network resources, and every broadcast reaches every device in the broadcast domain. As a LAN grows, this background traffic can quickly become a problem.
VLANs cut this congestion by chunking a larger network into smaller broadcast domains.
Each device then only has to process the broadcasts of its own VLAN and can devote its resources to relevant traffic. Finally, from an administrator's perspective, bandwidth limits can be applied per VLAN, helping to moderate the use of paid-for resources.
As an organization grows beyond a simple LAN into VLAN territory, it's important to choose an architecture that can keep scaling. VLANs are well suited to further growth: new segments can be set up quickly without overhauling the wider structure, and the 12-bit 802.1Q VLAN ID allows up to 4,094 usable VLANs per switched domain.
Grouping devices strategically also streamlines network administration. VLAN infrastructure supports this with a dedicated management VLAN, over which administrators reach and monitor the switches themselves via SSH, Telnet and syslog. On many switches this is VLAN 1 by default. Because VLAN 1 is also the default VLAN for every unconfigured port and, typically, the native VLAN on trunks, good practice is to move management traffic to a dedicated VLAN that carries nothing else, keep user ports out of VLAN 1, and use SSH rather than Telnet, which sends credentials in cleartext.
With a myriad of advantages over a flat LAN, VLANs are a highly accessible first step toward a more secure architecture.
With this accessibility come a number of security and performance concerns, however.
Because each device and user is confined to a VLAN, the threat of an attacker breaking in and reaching every corporate secret is diminished. The risk is not gone for good, though: within a VLAN, every device is still implicitly trusted by its neighbours.
This means that some roles become inherently more valuable targets, DevOps engineers deserving an honourable mention for the malicious attention they receive, since their credentials and devices typically have reach across many segments.
Compared with tighter microsegmentation approaches, a VLAN's relatively basic design cannot react to changing network conditions or device behaviour without additional tooling.
While VLANs absolutely offer a way to segment a network, their suitability for larger organizations degrades once you consider that they segment a single switched network.
So, if you have two offices, each with its own IT team and its own network, VLAN segmentation alone cannot express a subnet that both IT teams need joint access to. VLANs are built to separate traffic, after all. To allow access between two VLANs you need inter-VLAN routing on a router, Layer 3 switch or firewall, which is inherently higher-risk and requires regular review of the inter-VLAN access control lists (ACLs): a single overly broad rule quietly undoes the segmentation.
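As an added example (not the article's own material), the following script implements the first-match semantics of a router or firewall ACL, with the implicit deny at the end, and a review pass for the two defects a periodic inter-VLAN ACL review most often finds: an any-to-any permit and shadowed rules. The `Rule` format, the VLAN subnets and the sample policy are constructed for illustration, not taken from any vendor format.

```python
"""Added example (not from the original article): a first-match inter-VLAN ACL
evaluator with the implicit deny that router and firewall ACLs apply, plus a
review pass that flags any-to-any permits and shadowed rules. The rule format,
VLAN subnets and sample policy are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    dports: tuple = (1, 65535)      # inclusive destination port range


# Constructed subnets: VLAN 10 = HR, VLAN 20 = Finance, VLAN 30 = servers,
# VLAN 99 = switch management.
ACL = [
    Rule("permit", "tcp", "10.10.0.0/24", "10.30.0.10/32", (443, 443)),   # HR -> intranet
    Rule("permit", "udp", "10.10.0.0/24", "10.30.0.53/32", (53, 53)),     # HR -> DNS
    Rule("deny",   "any", "10.0.0.0/8",   "10.99.0.0/24"),                 # nobody -> mgmt
    Rule("permit", "tcp", "10.20.0.0/24", "10.30.0.0/24",  (443, 443)),   # Finance -> servers
    Rule("permit", "tcp", "10.10.0.5/32", "10.30.0.10/32", (443, 443)),   # already covered by rule 0
    Rule("permit", "any", "0.0.0.0/0",    "0.0.0.0/0"),                    # "temporary" catch-all
]


def matches(rule, proto, src, dst, dport):
    """True if a single flow (protocol, source IP, destination IP, port) matches the rule."""
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.dports[0] <= dport <= rule.dports[1])


def evaluate(acl, proto, src, dst, dport):
    """First matching rule wins. Returns (action, rule_index); an unmatched flow
    hits the implicit deny and returns ("deny", None)."""
    for index, rule in enumerate(acl):
        if matches(rule, proto, src, dst, dport):
            return rule.action, index
    return "deny", None


def covers(outer, inner):
    """True if every flow matching `inner` also matches `outer` (full cover only;
    partial overlaps are deliberately not reported by this check)."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and ipaddress.ip_network(outer.src).supernet_of(ipaddress.ip_network(inner.src))
            and ipaddress.ip_network(outer.dst).supernet_of(ipaddress.ip_network(inner.dst))
            and outer.dports[0] <= inner.dports[0]
            and outer.dports[1] >= inner.dports[1])


def review(acl):
    """Findings for an ACL review: ("any-any-permit", i) for a rule that permits
    all traffic, and ("shadowed", j, i) when rule j can never match because an
    earlier rule i already covers every flow it describes (whatever its action)."""
    findings = []
    for j, rule in enumerate(acl):
        if (rule.action == "permit" and rule.proto == "any"
                and ipaddress.ip_network(rule.src).prefixlen == 0
                and ipaddress.ip_network(rule.dst).prefixlen == 0):
            findings.append(("any-any-permit", j))
        for i in range(j):
            if covers(acl[i], rule):
                findings.append(("shadowed", j, i))
                break
    return findings


if __name__ == "__main__":
    # HR workstation reaching a Finance host on SMB: permitted only because of the catch-all.
    print(evaluate(ACL, "tcp", "10.10.0.7", "10.20.0.9", 445))
    print(evaluate(ACL[:-1], "tcp", "10.10.0.7", "10.20.0.9", 445))
    print(review(ACL))
```

With the catch-all in place, an HR workstation reaching a Finance host on TCP 445 is permitted by rule 5, which is exactly the kind of segmentation bypass a review should catch; removing that rule makes the same flow fall through to the implicit deny. The shadow check only reports rules that are completely covered by an earlier one, so it will not find partially overlapping rules, which still need a human reviewer.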
Because VLAN infrastructure is so well established, attackers have decades of experience attacking it, and any slight mismanagement opens the door to VLAN hopping, where traffic injected in one VLAN ends up in another.
The two classic techniques both abuse trunk ports. In switch spoofing, an attacker on a port left in automatic trunk-negotiation mode persuades the switch to form a trunk, and can then send and receive traffic on every VLAN the trunk carries. In double tagging, an attacker on an access port in the trunk's native VLAN (VLAN 1 by default) sends frames carrying two 802.1Q tags: the first switch strips the outer tag and, because the frame belongs to the native VLAN, sends it untagged across the trunk; the next switch reads the inner tag and delivers the frame into the target VLAN. Mitigations are to disable trunk negotiation on user-facing ports, set the native VLAN to an otherwise unused VLAN ID and tag it on the trunk, and keep every user port out of VLAN 1.
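The 802.1Q tag format described earlier and the double-tagging attack above, as an added example that is not part of the original article: the script below parses and builds tagged frames at the byte level and models two switches joined by a trunk. The switch behaviour is a simplified assumption stated in the code (access ports accept untagged frames or frames whose outer tag equals their own VLAN; trunk ports send the native VLAN untagged and tag every other VLAN; every frame is flooded, with no MAC learning), and the port names, VLAN IDs, MAC addresses and payload are constructed.

```python
"""Added example (not from the original article): a byte-level model of 802.1Q
tagging and of the double-tagging form of VLAN hopping across a trunk.
Assumed, simplified switch behaviour: access ports accept untagged frames or
frames whose outer tag equals the port's VLAN; trunk ports send the native VLAN
untagged and tag everything else; frames are flooded to all member ports.
Port names, VLAN IDs, MAC addresses and the payload are constructed."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag

def parse_tags(frame):
    """Return (dst, src, [vid, ...], ethertype, payload). Stacked tags are
    listed outermost first; an untagged frame yields an empty list."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    off, vids = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, off)
        if ethertype != TPID_8021Q:
            break
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)          # VLAN ID is the low 12 bits of the TCI
        off += 4
    return frame[:6], frame[6:12], vids, ethertype, frame[off + 2:]

def push_tag(frame, vid, pcp=0):
    """Insert one 802.1Q tag directly after the two MAC addresses."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def pop_tag(frame):
    """Remove the outermost 802.1Q tag (the caller has checked one is present)."""
    return frame[:12] + frame[16:]

class Switch:
    """Ports are ("access", vid) or ("trunk", set_of_allowed_vids)."""

    def __init__(self, native_vlan=1):
        self.native_vlan = native_vlan
        self.ports = {}

    def ingress(self, port, frame):
        """Classify an arriving frame: (vlan, frame_with_outer_tag_removed) or None if dropped."""
        mode, cfg = self.ports[port]
        vids = parse_tags(frame)[2]
        if mode == "access":
            if not vids:
                return cfg, frame
            return (cfg, pop_tag(frame)) if vids[0] == cfg else None
        if not vids:                        # untagged on a trunk belongs to the native VLAN
            return self.native_vlan, frame
        return (vids[0], pop_tag(frame)) if vids[0] in cfg else None

    def egress(self, port, vlan, frame):
        """Frame as transmitted on `port` for `vlan`, or None if the port is not a member."""
        mode, cfg = self.ports[port]
        if mode == "access":
            return frame if cfg == vlan else None
        if vlan not in cfg:
            return None
        return frame if vlan == self.native_vlan else push_tag(frame, vlan)

    def forward(self, in_port, frame):
        """Flood to every other member port; returns {port: frame_as_transmitted}."""
        classified = self.ingress(in_port, frame)
        if classified is None:
            return {}
        vlan, inner = classified
        out = {}
        for port in self.ports:
            if port != in_port:
                sent = self.egress(port, vlan, inner)
                if sent is not None:
                    out[port] = sent
        return out

def crafted_frame():
    """Attacker frame: outer tag = VLAN 1 (native), inner tag = VLAN 20 (target)."""
    plain = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0242c0a80101")
             + b"\x08\x00" + b"constructed payload")
    return push_tag(push_tag(plain, 20), 1)

def double_tag_hop(native_vlan):
    """Attacker on sw1 access port in VLAN 1; victim on sw2 access port in VLAN 20.
    Returns the set of VLANs on sw2 whose access ports receive the frame."""
    sw1, sw2 = Switch(native_vlan), Switch(native_vlan)
    sw1.ports = {"Gi1/1": ("access", 1), "Gi1/24": ("trunk", {1, 10, 20, native_vlan})}
    sw2.ports = {"Gi1/24": ("trunk", {1, 10, 20, native_vlan}),
                 "Gi1/5": ("access", 20), "Gi1/6": ("access", 10)}
    on_trunk = sw1.forward("Gi1/1", crafted_frame()).get("Gi1/24")
    if on_trunk is None:
        return set()
    delivered = sw2.forward("Gi1/24", on_trunk)
    return {sw2.ports[p][1] for p in delivered if sw2.ports[p][0] == "access"}

if __name__ == "__main__":
    print("native VLAN 1  :", double_tag_hop(1))     # the frame hops into VLAN 20
    print("native VLAN 999:", double_tag_hop(999))   # the frame stays in VLAN 1 with the attacker
```

With the native VLAN left at 1, `sw1` strips the outer tag, sends the frame untagged over the trunk, and `sw2` reads the surviving inner tag as an ordinary VLAN 20 frame, so the victim port in VLAN 20 receives it. With the native VLAN moved to an unused ID, the trunk tags the frame as VLAN 1 and `sw2` keeps it in VLAN 1, where the attacker already was. The attack is one-way (the victim's replies go back to VLAN 20), which is why it is typically used to inject rather than to converse.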
Zero trust is more than a corporate buzzword: it is a security philosophy that restricts each device to only the systems and resources it needs. Macro-segmentation such as VLAN subnets is a good first step toward this approach, but it's vital to add further protection around and between subnets.
For on-premises deployments, Check Point's next-generation firewalls (NGFWs) give full visibility and control over the traffic flowing into and between subnets. With high-bandwidth throughput options, the NGFW's deep packet inspection catches and stops malicious requests before they reach the target segment. Find out how with a demo here.
Cloud-based setups, on the other hand, need the network virtualization and security offered by CloudGuard Infrastructure as a Service (IaaS). See how automated security can be implemented across the public, private and hybrid cloud, and begin actioning zero-trust network topology today.