VLANs are an essential part of nearly every enterprise network. In this video, you’ll how VLANs work and how VLANs are used to segment and organize our networks.
<< Previous Video: Firewall RulesNext: Secure Router Configuration >>
If you’ve done a lot of networking, then you’ve certainly done a lot of VLAN segmentation. These virtual LANs give you a way to separate out your IP subnets into logically separate areas. Even though it’s all running on a single switch, none of those devices on the different VLANs can communicate to each other unless there’s a router involved. From a networking perspective, we’re usually doing this because we want to separate out things from an IP addressing perspective.
From a security manager’s or a security administrator’s perspective, we’re often doing this so that we can separate out different parts of the organization. You might want to put the HR department on one VLAN. You might want to put the shipping and receiving department on a completely different VLAN. So now you’re allowing your firewall, or your router, or your firewall that is acting as a router, to be the gatekeeper, to prevent the HR people from directly communicating to the folks in shipping and receiving and vice versa. There’s maybe sensitive information on the HR servers, and that would give us yet another way to provide some control over the traffic going back and forth over our network.
We’re usually grouping people together in these VLANs by function. It doesn’t have to be that way, but that’s usually how it turns out– the finance department, the executive team, the HR department, et cetera. You don’t want to have people, though, separated too far away from the resources they need to use. If there’s a central email server, you want to have centralized access for that because everybody’s going to be communicating to that email server. You don’t want to put the email server on the HR department’s VLAN, and then force everybody else to come into that VLAN to have access to that particular resource.
These VLAN communications and automatically putting people into different VLANs is very often integrated with our Network Access Control. You recall the last video we did, we talked about getting access to the network using 802.1X. Once you get your credentials and you’re authenticated on to the network, your Network Access Control system can be set to automatically put you in the correct VLAN. It doesn’t matter what switchport you happen to be a plugging into. That’s pretty flexible, and from a security perspective really provides us with the way to make sure that we’re keeping people segmented onto the VLANs that are very specific to their job function.
Without any way to manage where somebody’s plugged in on a VLAN, it becomes a little more difficult to manage. If all we had was a single switch and everybody on that switch was on one VLAN, we would not only have to logically separate, but really physically separate everybody on to their own switch. You would have red VLAN on one switch, the green VLAN on another switch, and the blue VLAN on a third switch. And if we wanted to communicate between those, everybody would go up to a router and then be sent down to the VLAN they wanted to talk to.
With VLAN management, we can mix and match. We can have different VLANs on different switches. We can assign, either automatically or manually, individual ports to be members of certain VLANs. We can have a port for the green VLAN here. On another completely different switch, a port for the green VLAN here. And because we’re building these communication links between the two switches– called trunks– we’re able to send green VLAN information between all of those devices, and blue VLAN information between all of those devices without having to route anything.
If the green VLAN did want to talk to the blue, they would need to route between those to get back, so there are some network requirements to think about how you would deploy this. But from a security perspective, it gives you a lot of flexibility on where you put people logically in the environment and still protect those very critical resources from other departments.