  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 212

Several Production VLANS and Security

My company is researching the splitting of our single production VLAN into 2 VLANs. The primary reason for this is, in theory, security. However, I'm finding it hard to see how security will be improved, with the exception of a single, improbable vulnerability: a broadcast storm. Granted, a broadcast storm could, effectively, make a switch perform much like a hub and allow all traffic on the VLAN to be "sniffed".

So both VLANs (let's just say VLANA and VLANB) will be fully routed to the same locations WITH NO FIREWALL BETWEEN THEM.

What are my security benefits of doing this?  To me, it really just seems like we are changing the IP Subnet for a subsection of machines without realizing any real security benefit, except for the one previously mentioned.

Thoughts? Are there any other SECURITY benefits? (Let's not get into performance or manageability. I'm really JUST looking for security ramifications.)

Thanks in advance!
Asked by: espnetadmin
2 Solutions
 
tolinrome Commented:
From what you're saying, I agree. If the port is trunked and there is no firewall between them, there really is no security per se. If VLANs A and B are on different switches and routed to a firewall, then OK, depending on the setup. But with no firewall in between I don't really see a security benefit. Some people discourage VLANs for security reasons because of VLAN hopping - http://en.wikipedia.org/wiki/VLAN_hopping

Also, just because you're logically separating the network doesn't mean it's any "safer", since physically all data from both VLANs is going over the same network (cables). Most companies implement VLANs for the reasons you mentioned above (performance or manageability). Doing it for security doesn't mean much to an attacker.
All that being said, you can really harden down a switch and its ports, but using a firewall is for security and a switch... well, for switching and routing, not security.

espnetadmin (Author) Commented:
Yes, I agree.  I'd love to see a few more responses...  Gotta have proof to show to the Execs.

Mike Commented:
I agree, if you are just routing everything without a firewall or any other security device, it's pretty pointless. Sounds to me like someone read something on Google, saw the S word, and took it out of context that VLANs improve security.