How secure is segmenting the network with VLANs if I configure Inter-VLAN routing?

Hello All,

Regarding security, how good would it be to segment my network by creating VLANs if I create inter-VLAN routing?
In case of a worm infection, wouldn't it propagate to all my VLANs anyways if I have inter-VLAN routing configured?
LuiLui77 asked:
Dr. Klahn, Principal Software Engineer, commented:
Correct. If inter-VLAN routing is configured and active, a worm can and probably will find a way to move.

The only thing that stops a network-propagated infection from finding another victim is an air gap, and now not even that is an absolute safeguard.

https://www.newstatesman.com/future-proof/2013/12/researchers-prove-pc-viruses-can-spread-microphones
0
btan, Exec Consultant, commented:
Setting up VLANs is a means of logical segregation, which is a good security practice. The intent is to isolate and contain the threat within the VLAN. So you are already on the right track.

For inter-VLAN routing, it is a necessary feature. You have to be careful and be very clear about the traffic that is allowed to and fro. In many cases there is a need to isolate VLANs or restrict access between them, and the usage of IP access lists is mandatory. This traffic needs to be inspected and governed through a proxy filter or (more commonly) a network firewall that performs stateful and deep packet inspection. NIPS are also deployed to augment the filtering to detect malicious packets carried in transit traffic through the VLANs.

Specific to the IP access lists, they should be created in such a way that they allow the normal flow of traffic between VLANs, but do not expose the networks that need to be protected. Once the lists are created, they are applied directly on the VLAN interface of the core layer-3 switch. All traffic from the designated VLAN that attempts to pass to other VLANs will be denied according to the access lists, making sure the core network is not exposed.

So assume one of the machines in the VLAN is infected: the machine will attempt to scan for open ports for file shares (137, 139, 445) and remote services (3389, 389) so that it can move laterally. Its main intent is to search for the domain controller or file server, which will have valuable data that can be siphoned off or sabotaged (as in the case of ransomware). So filters and access lists must be monitored continuously and reviewed regularly to avoid unnecessary "openings" made available through such VLAN routing rules.

I also foresee that a common use of inter-VLAN routing is to accommodate a Guest VLAN that provides free Internet access to your company visitors. In such an instance, you are likely to permit DNS and DHCP requests, and then deny access to all VLANs. You need to make sure this can be checked and verified constantly. The guest machine can be infected and introduce malice, so being restrictive reduces the exposure.

Overall, malware can get through as long as there is an open rule for the allowed service. It is up to how smart and determined the attacker is to deploy such malice to scavenge through the many defense layers set up; it is non-trivial if you have restrictive rules in place, and exposure is much reduced.
1
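The two points above (an inbound access list on the core switch's VLAN interface that denies lateral-movement ports toward the server VLAN, and a Guest VLAN list that permits only DNS and DHCP before denying the internal ranges) can be modelled and reviewed offline. The following is an added example, not code from the original thread or from any vendor: it implements IOS-style first-match evaluation with an implicit deny, defines two constructed access lists, and audits which of the ports named in the answer (137, 139, 445, 3389, 389) remain reachable from an infected host. The VLAN numbers, addresses, and the specific permit entries are assumptions chosen for the illustration.

```python
"""Model of first-match IP access lists applied inbound on the VLAN
interfaces (SVIs) of a layer-3 switch, and an audit of what a scanning
host can still reach. Constructed example: VLAN numbering, addresses and
ACL contents are assumptions, not from the original thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp" or "udp"
    src: str              # source IP address
    dst: str              # destination IP address
    dport: Optional[int]  # destination port


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto "ip" matches any protocol,
    dport None matches any port (like omitting 'eq' in IOS)."""
    action: str
    proto: str
    src: str              # CIDR network
    dst: str              # CIDR network
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))


def evaluate(acl: List[Ace], f: Flow) -> str:
    """First matching entry wins; an IOS-style ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


# Assumed layout: users in VLAN 10 (10.10.0.0/24), servers in VLAN 20
# (10.20.0.0/24, DC at 10.20.0.10, file server at 10.20.0.20), guests in
# VLAN 40 (10.40.0.0/24, gateway 10.40.0.1).
ANY = "0.0.0.0/0"

# Applied "in" on interface Vlan10: only the flows the business needs
# toward the server VLAN, then deny everything else internal.
USER_VLAN10_IN = [
    Ace("permit", "tcp", "10.10.0.0/24", "10.20.0.10/32", 389),   # LDAP to DC
    Ace("permit", "tcp", "10.10.0.0/24", "10.20.0.20/32", 445),   # SMB to file server (deliberate open rule)
    Ace("deny", "ip", "10.10.0.0/24", "10.0.0.0/8"),            # no other internal reach
    Ace("permit", "ip", ANY, ANY),                                # Internet-bound traffic
]

# Applied "in" on interface Vlan40: DHCP and DNS to the gateway, then deny
# all RFC 1918 space before permitting Internet access.
GUEST_VLAN40_IN = [
    Ace("permit", "udp", ANY, ANY, 67),                 # DHCP (bootps), incl. broadcast
    Ace("permit", "udp", ANY, "10.40.0.1/32", 53),      # DNS to local gateway
    Ace("permit", "tcp", ANY, "10.40.0.1/32", 53),
    Ace("deny", "ip", ANY, "10.0.0.0/8"),
    Ace("deny", "ip", ANY, "172.16.0.0/12"),
    Ace("deny", "ip", ANY, "192.168.0.0/16"),
    Ace("permit", "ip", ANY, ANY),
]

# Ports the answer names as the first things a worm scans for.
LATERAL_PORTS: List[Tuple[str, int]] = [
    ("tcp", 139), ("tcp", 445), ("tcp", 3389), ("tcp", 389), ("udp", 137),
]


def audit_lateral_exposure(acl: List[Ace], src_ip: str,
                           targets: List[str]) -> List[Tuple[str, str, int]]:
    """Return (target, proto, port) for every lateral-movement port that
    an infected host at src_ip could still reach under acl. An empty list
    means the list contains no 'opening' toward those targets."""
    exposed = []
    for dst in targets:
        for proto, port in LATERAL_PORTS:
            if evaluate(acl, Flow(proto, src_ip, dst, port)) == "permit":
                exposed.append((dst, proto, port))
    return exposed


if __name__ == "__main__":
    servers = ["10.20.0.10", "10.20.0.20"]
    print("VLAN 10 host can still reach:",
          audit_lateral_exposure(USER_VLAN10_IN, "10.10.0.55", servers))
    print("Guest host can still reach:",
          audit_lateral_exposure(GUEST_VLAN40_IN, "10.40.0.7", servers))
```

Running the audit against the user VLAN list reports exactly the two permitted services (LDAP to the DC and SMB to the file server), which is the point of the closing remark: any service the rules deliberately leave open is also the path malware will use, so each such entry is something to justify and re-check during the regular review. The guest list reports nothing reachable, as intended.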
btan, Exec Consultant, commented:
For author advice.
0
btan, Exec Consultant, commented:
No further inputs received.
0