Now that we have configured the external and perimeter networks, most people would say they were done. I say we are just getting started. In this article we will look at setting up a VLAN structure at a main site: why we would create VLANs, and how they can be a major part of our security policy.
Before we go into VLANs, let’s take a trip back in time and look at the original networks. We would have flat networks covering entire buildings, servers and workstations alike. There would be so many nodes within a segment that broadcast storms commonly occurred. The need to segment the flat network, to break up the broadcast domain, was eventually met by the creation of Virtual Local Area Networks (VLANs). This allowed a router to create them and each port on a switch to be assigned a different VLAN. That was a quick, high-level overview of how VLANs came about.
VLANs are created either on a router or on a layer 3 switch, and they are trunked to other switches using IEEE 802.1q tagging. Their layer 3 interfaces are configured like any other routed interface. These days they are commonly configured on a layer 3 core switch. That covers what they are and how they are created.
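As an added example, not taken from the original article, here is a Cisco IOS configuration showing the mechanics just described: VLANs and their layer 3 interfaces (SVIs) created on a core switch, an 802.1q trunk carrying them down to an access switch, and access ports on that switch assigned to a VLAN. The hostnames, VLAN numbers, names, addresses and interface names are assumptions for illustration.

```cisco
! --- Core layer 3 switch (assumed hostname CORE) ---
! Create the VLANs in the VLAN database
vlan 20
 name Servers
vlan 30
 name Users
!
! Let the core switch route between the VLANs itself
ip routing
!
! Each VLAN gets a layer 3 interface (SVI), configured like any routed interface
interface Vlan20
 description Servers
 ip address 10.0.20.1 255.255.255.0
 no shutdown
interface Vlan30
 description Users
 ip address 10.0.30.1 255.255.255.0
 no shutdown
!
! 802.1q trunk to the access switch; carry only the VLANs that are needed there
interface GigabitEthernet1/0/1
 description Trunk to ACCESS-1
 switchport trunk encapsulation dot1q   ! only on platforms that also support ISL
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 switchport nonegotiate                  ! no DTP: the trunk is configured, not negotiated
!
! --- Access switch (assumed hostname ACCESS-1) ---
interface GigabitEthernet1/0/24
 description Uplink to CORE
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 switchport nonegotiate
!
! Access ports: each port belongs to exactly one VLAN and never trunks
interface GigabitEthernet1/0/1
 description User workstation
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
interface GigabitEthernet1/0/2
 description File server
 switchport mode access
 switchport access vlan 20
```

With this in place, a workstation on port 1 of ACCESS-1 sits in the 10.0.30.0/24 broadcast domain, the file server on port 2 in 10.0.20.0/24, and any traffic between them has to pass through the core switch's SVIs, which is the point at which filtering can later be applied.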
Let’s look at why. We briefly touched on one reason: breaking up broadcast domains. You would also do it to separate servers from workstations, to group together users who need access to common resources, to separate services such as VoIP or teleconferencing, and so on.
Design and implementation can vary from extremely easy to extremely complex; it all depends on your security requirements and your budget. Some common design concepts I try to work with are:
Do not use VLAN 1 for anything. A good hacker knows it is the default VLAN and will use that common knowledge to attack your switched network. Use another VLAN for management, and use it only for management.
Put all servers with services requiring Internet connectivity in the same VLAN. You could place your Internet connection in this VLAN, or give the Internet connection its own VLAN. Either way, segregate the Internet-facing servers from your regular data servers. These would be e-mail, IM, web, databases for web resources, CMS, and proxy servers. This is helpful if a worm does breach your network: you can shut this VLAN down to help stop the spread of infection.
Then, obviously, place production servers that do not require Internet services in their own VLAN.
Group users together by function. What I mean is: if you have employees who access the same resources but don’t need access to other resources, put them together. This way we can apply VACLs to increase security. You will find that many departments have the same requirements.
Now that your VLAN policy is well established, you can start planning your VACLs. Do not place them on your server VLANs; you will want to place them on your user VLANs. My only suggestion is to carefully plan, test, and document everything. Also, don’t go crazy with them; use the KISS method. You can lock resources down using other methods. Cisco has some information for you to look at.
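As an added example, not from the original article, the following Cisco IOS configuration puts the design concepts above and the VACL advice into one VLAN plan: VLAN 1 carries nothing, management lives in its own VLAN, Internet-facing and internal servers are separated, users are grouped by function, and a single short VACL sits on a user VLAN rather than on a server VLAN. All VLAN numbers, names, subnets and interface names are assumptions for illustration.

```cisco
! VLAN plan following the design concepts above (assumed numbers and names)
vlan 10
 name Internet-Servers      ! mail, web, proxy, CMS, web databases
vlan 20
 name Internal-Servers      ! production servers with no Internet role
vlan 30
 name Users-Finance
vlan 31
 name Users-Engineering
vlan 99
 name Management            ! switch/router management only
vlan 999
 name Native-Unused         ! native VLAN on trunks, no ports or hosts
!
! VLAN 1 keeps no address, no ports and no management role
interface Vlan1
 no ip address
 shutdown
!
! Management SVI on the dedicated management VLAN
interface Vlan99
 description Management
 ip address 10.0.99.1 255.255.255.0
 no shutdown
!
! Only hosts on the management subnet may open a management session
ip access-list standard MGMT-HOSTS
 permit 10.0.99.0 0.0.0.255
 deny   any
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! Trunks: native VLAN moved off VLAN 1, and VLAN 1 is not carried at all
interface GigabitEthernet1/0/1
 description Trunk to ACCESS-1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30,31,99
 switchport nonegotiate
!
! VACL on the Finance user VLAN (30) only. Finance may still reach both server
! VLANs; what is blocked is user-to-user traffic with Engineering (31) and any
! traffic toward the management VLAN (99). A VACL sees every packet bridged or
! routed within its VLAN, so both directions of the user-to-user flow are listed.
ip access-list extended FINANCE-DENIED
 permit ip 10.0.30.0 0.0.0.255 10.0.31.0 0.0.0.255   ! "permit" here means "match"
 permit ip 10.0.31.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip 10.0.30.0 0.0.0.255 10.0.99.0 0.0.0.255
!
vlan access-map FINANCE-POLICY 10
 match ip address FINANCE-DENIED
 action drop
vlan access-map FINANCE-POLICY 20
 action forward               ! no match clause: everything else is forwarded
!
! Apply to the user VLAN, never to the server VLANs
vlan filter FINANCE-POLICY vlan-list 30
!
! Containment step from the Internet-server guideline above: during a worm
! outbreak, taking down the Internet-facing SVI stops routed traffic to and
! from that VLAN while the internal server VLAN keeps working.
! interface Vlan10
!  shutdown
```

The access map is deliberately two entries long, in the spirit of the KISS advice: one drop clause driven by a named ACL that documents exactly what is being cut off, and a final forward clause so that nothing is dropped by the implicit default at the end of the map. Before applying a map to a live VLAN, check it with `show vlan access-map` and `show vlan filter`, and test from a host in that VLAN that the gateway, the server VLANs and the blocked VLANs behave as intended.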