Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 303
  • Last Modified:

VLAN use

Can I ask some basic questions about VLAN’s? Not a network admin myself, but is their main purpose for security, or if not what other benefits?  And is it typical you’d have a VLAN for your database servers to keep them separate from your workstations and who can potentially try and gain unauthorised access with say targeting a weak password/unpatched exploit in the OS tier?

And are there any commands or cheap/free tools to see how your VLAN’s have been configured and which hosts are within each VLAN?
0
pma111
Asked:
pma111
  • 2
  • 2
2 Solutions
 
abbrightCommented:
Simply speaking: VLANs partition your big ethernet network into smaller virtual networks. Purposes for doing so is administrative partitioning, security (which certainly is one of the main reasons) and network traffic (the broadcast traffic is only visible within one vlan).
When you put your db-server in a separate vlan from your workstations you need a routing instance to connect these. This typically will be firewall server which can scan and filter the traffic between the two networks and thus increase security.
0
 
Red-KingIT ManagerCommented:
Hi,

A VLAN segregates your network in a couple of different ways.
In a standard static configuration (i.e. no Auto vlaning) specific ports on your switch are configured to be in a VLAN, so you've essentially physically segregated your network. You must plug into a particular port to be in a particular VLAN.
A VLAN should generally coinside with a subnet i.e. one subnet per VLAN. This is not essential but it can help you avoid some headaches. When you do this you logically segregate your network at layer 2, you've broken up the broadcast domain. In order to talk to another VLAN you have to go through a device that can route between the VLANs. Typically a layer 3 switch or a router.

Lastly configuring your VLAN on the switches means that you move a lot of the processing from your Computers/Servers to the Switches. The result of this is obviously the (minor) benefits in processing power but it also means less data flowing across the wire to devices that don't need it. i.e. in a standard flat IP network the PC/Server receives all packets and decides whether or not the information is for it. In a VLAN network the Switch decides who should see the packet.

So a VLAN can be seen to provide more security but only in a physical sense really. If you're router is configured to allow traffic between VLANs then all you're doing is breaking up the broadcast domain.

I hope that helps somewhat,
0
 
pma111Author Commented:
Thanks, are tehre any free ways/tools/commands of seeing how the vlans are segmented at a top level, and which hosts are in which vlan?

Is it common to have a VLAN for all your sensitive database servers? Or is that pretty rare? When you lump all servers/workstations in the same domain so all can see/connect to all, is that the context of a "flat network"?
0
 
abbrightCommented:
In order to see which vlans are in use you need to check your switch-configuration.
It is common to have separate vlans for sensitive servers so that you can control the traffic to them using a firewalling router.
If you have all machines in one network this is called a flat network and it means you have no chance to control your network traffic using a firewall.
0
 
Red-KingIT ManagerCommented:
As far as free tools go, if you have a network management tool such as Cisco's free Network Assistant you can get some of that information. If you've set up an IP subnet for each VLAN then Solarwinds free IP address tracker  could be useful.

Yeah, that would be a flat network. Generally a flat network is one which contains switches i.e. all at layer 2. When you add VLANs you need a router which works at layer 3 so you're no longer flat as you're working in multiple layers.

It would be quite normal to put sensitive servers on a seperate VLAN as it allows you to control who can access the devices using your layer 3 routing. If there is a firewall capability on the routing device you can also protect the sensitive servers by port but at this stage your security has gone far beyond the scope of a VLAN.
0

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now