Several Production VLANS and Security

Posted on 2014-11-24
Medium Priority
Last Modified: 2014-11-26
My company is researching the splitting of our single production VLAN into 2 VLANS.  The primary reason for this is, in theory, security.  However I'm finding it hard to see how security will be improved with the exception of a single, improbable, vulnerability; a broadcast storm.  Granted, a broadcast storm which, effectively, could make a switch perform much like a hub and allow all traffic on the VLAN to be "sniffed".

So Both VLANS (let's just say VLANA and VLANB) will be fully routed to the same locations WITH NO FIREWALL BETWEEN THEM.

What are my security benefits of doing this?  To me, it really just seems like we are changing the IP Subnet for a subsection of machines without realizing any real security benefit, except for the one previously mentioned.

Thoughts?  Are there any other SECURITY benefits?  (Let's not get into performance or manageability.  I'm really JUST looking for security ramifications.

Thanks in advance!
Question by:espnetadmin

Accepted Solution

tolinrome earned 1000 total points
ID: 40463125
From what you're saying I agree. If the port is trunked and no firewall between them there really is no security per se. If the vlans A and B are on different switches and routed to a firewall then ok, depending on the setup. But with no firewall in between I don't really see a security benefit. Some people discourage vlan for security reasons because of vlan hopping - http://en.wikipedia.org/wiki/VLAN_hopping.

Also Just because your logically separating the network doesnt mean its any "safer" since physically all data from both vlans are going over the same network (cables). Most companies implement vlans for the reasons you mentioned above ( performance or manageability). Doing it for security doesnt mean much to an attacker.
All that being said, you can really harden down a switch and its ports, but using a firewall is for security and a switch...well, for switching and routing, not security,

Author Comment

ID: 40464887
Yes, I agree.  I'd love to see a few more responses...  Gotta have proof to show to the Execs.

Assisted Solution

Mike earned 1000 total points
ID: 40465766
I agree, if you are just routing everything without a firewall or any other security device, it's pretty pointless. Sounds to me like someone read something on Google saw the S word and took it out of context that VLANS improve security.

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Spectre and Meltdown, how it affects me and my clients?
A discussion about Penetration Testing and the Tools used to help achieve this important task.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question