Networking Security and VLANs

How many VLANs do you guys run? (Medium size business, around 250 end devices/users)
And what rules do you use to allow traffic between them?

I am thinking of going from a mainly flat network to something like this:

Servers (VMware/Active Directory)
Management
Security (cameras/card access)
VOIP
HVAC
Printers (accessible by any end user vlan)
WLAN Internal (Company owned devices (Laptops/Desktops)) – Can access Server (AD)
WLAN Chromebooks - Company owned devices that only need internet
WLAN Guest/BYOD – Guest isolation – Internet access only

Your printers: are these network printers that have their own print server capability, or regular network printers that need a special application to communicate?

I have asked this question because if your printer has that standalone print server capability, then you can use that VLAN separation. But if your printer needs special software installed on each computer connecting to it, then I would suggest just placing the printer in the same VLAN as your employee computers, because those types of printers will give you a headache to configure.

In our organization, with a few hundred devices over 50 sites…

Network management VLAN
Unifi management VLAN (mostly WAPs)
Business VLAN for each department (about a dozen of those)
VLAN for HVAC systems
VLAN for Access Control systems
VLANs for CCTV systems (4 of them)
Public VLAN
VLAN for video production
VLANs for SCADA systems and other industrial controls/comms (About half dozen of those)
“press box” VLAN for news media, live broadcasts, etc. (3 ice arenas included in our metro area network)
VOIP VLAN
Internal access Server VLAN
DMZ VLAN (3 of them, one for each of our routable IP blocks)
External access server VLAN
A few dedicated cross-city transport VLANs
Dedicated VLAN for NAS replication
Firewall/Inter-vlan routing VLAN (where all the VLAN routers can forward to each other)

Set up all printers by straight IP address, skip all the autodiscovery, etc. Pretty much every printer has a “simple” driver available for it if you find the right spot on the manufacturer’s website.

We are currently going through a redesign of the network infrastructure. The former IT “Admin” ran everything in one LAN.
Currently planned:

  • Client
  • Server
  • Management (Management Interfaces from Switches, IDrac, ILO, etc.)
  • Voice
  • Back Up
  • IoT Devices
  • DMZ
  • internal WLAN Clients
  • Guest Wifi / BYOD

Clients connected via VPN and site-to-site VPNs are separated via firewall rules.
I am currently debating whether we should make a separate VLAN for printers, since we only have 2 big office printers and that’s it.

Not trying to sound like a smarta**, but VLANs aren’t security, unless you have a firewall between them. And once you do, separating the clients from the servers and separating everything from the internet is a good start.

1 Like

VLANs without routing or bridging between them are just isolated L2 networks.

True. But still, VLAN isn’t a security feature (people often mistake it for one). It takes about 5 lines of Python code…

Video title is very misleading. It demonstrated the issues with Dynamic Trunking Protocol more than issues with VLANs themselves.

Of course all VLANs on a trunk interface are available to the devices connected to that interface, but why would you configure a trunk (static or dynamic configured) to anything other than between switches and access points and routers (firewalls are specialized routers)…and even then only allow VLANs that need to use that trunk (i.e. don’t open the firehose to access points, etc.)…

I’ve been managing a metro area network (about 75 sites spread out across a City on municipally owned fiber and microwave links) and also the LANs connected to that for about 22 years now…I’ve never had a use case for dynamic trunking, and definitely don’t know why anyone in this forum would be using it, it was a very dangerous default for Cisco switches to have.

Fortunately, VLAN isolation is a core feature for switching ASICs and it is very rare for vulnerabilities in those to break that (assuming correct configuration) - that is usually broken in software bridges, IGMP snooping, etc. that might occur outside the switching ASIC on some devices (looking at you, MikroTik RouterOS), which again is why a trunk feeding a device only has the VLANs required enabled on it, to minimize the impact of any misconfigurations or vulnerabilities. “Full firehose” trunk configuration should only go between core switches.

The DTP thing is just an example. There are countless ways to attack VLANs.

The whole point of the exercise in the video was to demonstrate that anyone who has physical access to a network (laptop connected to it, for instance), can spoof/mimic a switch or router and advertise itself as a trunk. The switch you are connected to will then happily pass all VLAN traffic to you.

Again, this was just an example, and a very specific one. The point is: Don’t use VLANs as a security feature. VLANs have never been designed to be a security feature, and they just aren’t. It’s super easy to bypass them, sniff them, etc. All it takes is script-kiddie level of hacking experience and a bit of Kali Linux.

For good security posture, VLANs should be terminated on a firewall. At least those where you cross boundaries between clients and servers, for example (really depends on how the network is designed).

If the port it’s connected to is not a trunk, and not running stuff that “automagically” allows it to become a trunk (like DTP), the connected machine can’t get access to more than what the access port is configured for (and like I said before, it’s a core function of the switching ASICs in the switches). It’s like saying firewalls don’t give you security because you can bypass them using uPNP (amongst many other ways to get through firewalls). Again, it’s demonstrating vulnerabilities with DTP, and not layer two VLANs.

Show me an example where someone on a properly set up single-VLAN access port (so ‘switchport mode access; switchport access vlan xxx’ configuration, all dynamic protocols like DTP and CDP turned off on port, port not on VLAN 1, trunk ports use native VLANs separate from any access ports) on a Cisco Catalyst/Nexus (not rebranded Linksys stuff), Juniper, or similar grade switch has been able to jump VLANs AT LAYER TWO, without gaining access to switch management (if you can gain access to switch management, it’s a security issue on the switch management, not the VLAN switching)…

It’s all about proper configuration and keeping security at the forefront when doing anything, and constantly analyzing your configuration. From 22 years’ experience of running large networks, I’ve never witnessed an exploit on properly configured access ports that has allowed VLAN jumping at layer 2. Similarly at layer 3, many people are able to jump across firewalls also through various routing protocols (uPNP, etc.) and do so quite regularly. As a general rule (there are a number of exceptions), don’t use automatic or default configurations on this stuff.

Yes, all my inter-VLAN routing occurs at firewalls. I run a large Q-in-Q based network, so deal with LAN VLANs inside MAN VLANs. The MAN essentially works as just layer 2 transport, so it is all switched, very little routing at that level, but the LAN VLANs all come into the core routers/firewalls for routing and bridging between them…Although now working on migrating the MAN from the QinQ switched system (a minimum budget solution two decades ago) to a WDM system (after modeling and pricing various routed solutions like MPLS, VxLAN, etc.), so that would eliminate the outer tagging and each site would essentially have its own physical switchport in the core, so we can really limit VLAN availability at each site’s switches.

So much to unpack here 🙂

Foremost, anecdotal experience doesn’t mean it doesn’t exist. What I am trying to say is, just because you never experienced any security incident with VLANs in your 20+ year career doesn’t mean VLAN breaches don’t happen. In fact, they are well documented.

Here are a few examples:

Very old, but still very much relevant:

Some more examples:

There are countless different ways to exploit VLANs. I agree with you that it is very hard to do on 100% properly configured infrastructure, but the problem is, no infrastructure is 100% properly configured.

The thing is: VLANs were never designed to be a security feature and shouldn’t be used as such.

By the way, there isn’t a single enterprise firewall on the market that would allow UPNP. You find that on consumer grade routers and “firewalls” only.

All three of those examples still exploit DTP, VTP, tag stacking or require trunk access to jump VLANs, none of which should be present on an access port. The dynamic protocols shouldn’t be active on an access port and it should ignore tagged packets on it, and if there is a reason for tagged packets on there (like a voice VLAN), only VLANs that need to be there should be available on the port.

ARP poisoning won’t cause packets handled by a layer 2 switch to jump VLAN, but may cause a router to send traffic out the incorrect interface, as it simply is a mechanism to map layer 3 hosts to layer 2 addresses so switching works more efficiently, but anything without a layer 3 interface (like a switchport) won’t do anything with it; they are just looking at the addresses on the Ethernet frame.

Rogue DHCP servers also won’t cause a jump of VLANs on an access port at layer 2. They could give bad address and routing information out and cause a jump at layer 3…A Spanning Tree attack won’t cause a VLAN jump on a layer 2 access port either (can cause a lot of other issues though…)

Those are some of the reasons I separate layer 2 and 3 into separate devices. Many of my switches are “layer 3” switches, but they are all configured as layer 2 only devices and routing is handled by routers.

VLANs are roughly the layer 2 switch equivalent to subnets in a router, and very commonly each layer 2 VLAN feeds a layer 3 subnet in a router. Both switches and routers can have many networks operating inside of them; it takes careful configuration to make sure only the desired networks are exposed on each interface, but since all the networks are present at each device, any bad configuration can expose everything.

You are correct, VLANs alone are not security, they are simply a way to segment L2 traffic on a common device or cable. Could one gain a bit of security if each network had its own dedicated switch and cabling (and access points, etc.)? Likely by a small amount, but the number of way easier vulnerabilities at layers 3+ (including user level social engineering) are likely a greater concern than someone with physical access handcrafting Ethernet packets in hopes of getting lucky before getting caught…However, it is not practical to have a stack of a dozen+ switches at every IDF and use dozens of strands of fiber (or big bundles of CAT6/7 cable) to the MDF, and also need 1 physical router per L2 network (you’re not going to combine them into VLANs inside a single router, are you, if you don’t believe in VLANs?), so it’s a calculated risk taken for operational efficiency and reliability.

Defense in layers: anything using any type of communications ports, including an HMI, is vulnerable to attack, so mitigation at every layer is necessary.

I think we can all agree that a firewall between VLANs/networks is the way to go.

2 Likes
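The port checklist argued for in the replies above (static access mode, DTP and CDP off, no VLAN 1, a native VLAN not shared with access ports, trunks limited to the VLANs they need), as an added example that is not part of any post: a Python audit run over a constructed Cisco IOS-style config. Interface names and VLAN ids are made up, and treating `switchport nonegotiate` as the sign that DTP is off is an assumption of this example.

```python
import re
# Constructed IOS-style sample for this example; not from the thread.
SAMPLE = """\
interface Gi1/0/1
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 no cdp enable
interface Gi1/0/2
 switchport mode dynamic auto
interface Gi1/0/3
 switchport mode access
interface Gi1/0/24
 switchport mode trunk
 switchport trunk native vlan 20
"""

def parse_interfaces(config):  # -> {interface name: [indented sub-commands]}
    ports, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface\s+(\S+)", line)
        if head or not line.startswith(" "):  # new stanza, or a global line ends one
            current = ports.setdefault(head.group(1), []) if head else None
        elif current is not None:
            current.append(line.strip())
    return ports

def vlan_of(cmds, prefix):
    """VLAN id from the command starting with prefix; unset means VLAN 1."""
    return next((int(c.split()[-1]) for c in cmds if c.startswith(prefix)), 1)

def audit(config):  # -> {interface: [findings]}; an empty list means it passes
    ports, report = parse_interfaces(config), {}
    access_vlans = {vlan_of(c, "switchport access vlan ") for c in ports.values()
                    if "switchport mode access" in c}
    for name, cmds in ports.items():
        if "switchport mode trunk" in cmds:
            native = vlan_of(cmds, "switchport trunk native vlan ")
            checks = [(native in access_vlans | {1}, "native VLAN is 1 or an access VLAN"),
                      (not any(c.startswith("switchport trunk allowed vlan ") for c in cmds),
                       "trunk carries all VLANs")]
        elif "switchport mode access" in cmds:
            checks = [(vlan_of(cmds, "switchport access vlan ") == 1, "access port on VLAN 1"),
                      ("switchport nonegotiate" not in cmds, "DTP not disabled"),
                      ("no cdp enable" not in cmds, "CDP enabled")]
        else:  # e.g. "dynamic auto": the peer can negotiate a trunk via DTP
            checks = [(True, "mode not static; DTP may negotiate a trunk")]
        report[name] = [msg for failed, msg in checks if failed]
    return report
```

Calling `audit(SAMPLE)` returns a per-interface list of findings; only `Gi1/0/1` in the sample comes back empty.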

Just going to leave that here, hot off the press, if you will. VLAN hopping through access ports… Video came out yesterday: