How secure is segmenting the network with VLANs if I configure Inter-VLAN routing?

Hello All,

Regarding security, how good would it be to segment my network by creating VLANs if I create inter-VLAN routing?
In case of a worm infection, wouldn't it propagate to all my VLANs anyway if I have inter-VLAN routing configured?
2 Solutions
Dr. Klahn (Principal Software Engineer) commented:
Correct. If inter-VLAN routing is configured and active, a worm can and probably will find a way to move.

The only thing that stops a network-propagated infection from finding another victim is an air gap, and now not even that is an absolute safeguard.

btan (Exec Consultant) commented:
Setting up VLANs is a means of logical segregation, which is a good security practice. The intent is to isolate and contain the threat within the VLAN. So you are already on the right track.

For inter-VLAN routing, it is a necessary feature. You have to be careful and be very clear about the traffic that is allowed to and fro. In many cases there is the need to isolate VLANs or restrict access between them; the usage of IP access lists is mandatory. This traffic needs to be inspected and governed through a proxy filter or (more commonly) a network firewall that performs stateful and deep packet inspection. NIPS are also deployed to augment the filtering to detect malicious packets carried in transit traffic through the VLANs.

Specific to the IP access lists, they should be created in such a way that they allow the normal flow of traffic between VLANs, but do not expose the networks that need to be protected. Once the lists are created, they are applied directly on the VLAN interface of the core layer-3 switch. All traffic from the designated VLAN attempting to pass to other VLANs will be denied according to the access lists, making sure the core network is not exposed.

So assume one of the machines in the VLAN is infected; the machine will attempt to scan for open ports for file shares (137, 139, 445) and remote services (3389, 389) so that it can move laterally. Its main intent is to search for the domain controller or file server, which will have valuable data that can be siphoned off or sabotaged (as in the case of ransomware). So filters and access lists must be monitored continuously and reviewed regularly to avoid unnecessary "openings" made available through such VLAN routing rules.

I also foresee that a common use of inter-VLAN routing is to accommodate a Guest VLAN that provides free Internet access to your company visitors. In such an instance, you likely permit DNS and DHCP requests, and then deny access to all VLANs. You need to make sure this can be checked and verified constantly. The guest machine can be infected and introduce malice, so being restrictive reduces the exposure.

Overall, malware can get through as long as there is an open rule for the allowed service. It is up to how smart and determined the attacker is to deploy such malice to scavenge through the many defense layers set up; it is non-trivial if you have the restrictive rules in place, and exposure is much reduced.
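The guest-VLAN access list described in the answer above, written out as Cisco IOS configuration on the layer-3 switch SVI. This is an added example, not configuration from the answer; the VLAN number, the ACL name and the 10.x addresses (resolver, DHCP server, guest subnet) are assumptions. The explicit deny entries for the file-share and remote-service ports are redundant with the RFC 1918 denies but give separate log lines and hit counters, which is what makes a scanning host visible.

```cisco
! Assumed values: VLAN 30 = guest, 10.10.0.53 = internal DNS resolver,
! 10.10.0.10 = DHCP server. Applied inbound on the guest SVI, so it
! governs only traffic leaving the guest VLAN toward other VLANs/Internet.
ip access-list extended GUEST-VLAN-IN
 remark DHCP: client (bootpc) to server (bootps), relayed by ip helper-address
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal resolver only
 permit udp any host 10.10.0.53 eq domain
 permit tcp any host 10.10.0.53 eq domain
 remark Lateral-movement ports denied explicitly so scans are logged per port
 deny udp any any range 137 138 log
 deny tcp any any eq 139 log
 deny tcp any any eq 445 log
 deny tcp any any eq 3389 log
 deny tcp any any eq 389 log
 remark Deny everything else destined for internal (RFC 1918) address space
 deny ip any 10.0.0.0 0.255.255.255 log
 deny ip any 172.16.0.0 0.15.255.255 log
 deny ip any 192.168.0.0 0.0.255.255 log
 remark Remaining traffic is Internet-bound
 permit ip any any
!
interface Vlan30
 description Guest VLAN (assumed)
 ip address 10.30.0.1 255.255.255.0
 ip helper-address 10.10.0.10
 ip access-group GUEST-VLAN-IN in
```

`show ip access-lists GUEST-VLAN-IN` shows the per-entry match counters, which is the simple way to do the constant checking the answer calls for: a rising count on the 445 or 3389 deny entries from the guest VLAN is a scanning host.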
btan (Exec Consultant) commented:
For author advice.
btan (Exec Consultant) commented:
No further inputs received.