How to segment a network using VLAN
Technical Director at IntegraSky, a Mikrotik trainer
The origins of VLAN technology
Most LANs originate from Ethernet, a technology that appeared back in 1984. In those days, bus network topology was applied: one wire to which devices were linked by branch connections.
The bus topology had limitations: the length of the wire could not exceed 200 m, and the distance between branches had to be at least 20 cm. Up to 100 devices were placed on one bus. These limitations were not a problem at the time, because few devices were in use and engineers did not have to think about how to design a network properly.
However, over time, new devices appeared, and now several thousand of them could be in one network. This started to cause problems with the data transfer rate. VLAN technology was created to reduce broadcast traffic that affects network speed.
VLAN allows you to divide the network into segments, so that in the event of a broadcast storm or another fault only the affected segment goes down rather than the entire network.
How to segment a network using VLAN
Each network segment is a logical unit that is defined individually. For example, in a coworking space you can divide VLANs by office or floor, while in a manufacturing company you can divide them by department. In any case, the main principles of segmentation are security and economic feasibility.
1. Determine which company departments need data protection
Find out whether your organization has data that should not be freely distributed. In particular, accounting computers belong in a separate VLAN if they process confidential information whose leak would damage the organization. If there is no such risk, segmenting the network is not necessary. Sometimes it is also worth segmenting within a department, for example when junior and senior specialists in the same team have different levels of access to information.
2. Identify units with high downtime costs
If 100 highly profitable managers work in the sales department, even an hour of downtime becomes a big financial loss. In this case it is worth dividing the network into small groups within the department.
3. Separate devices by functionality
Some devices start broadcasting or simply flood the network. This is most often the case with Chinese video surveillance equipment, with printers nearing the end of their service life, or with computers that have been damaged by power surges. For example, if overvoltage is applied to the equipment, the motherboard may fail and the device will start spraying frames into the network.
Before designing a network, divide the equipment by functionality. For medium-sized companies with 100-200 workstations, I recommend the following segmentation as the baseline.
Video cameras
Cameras often run unreliable firmware that is easy to compromise, so it is better to put them in a separate network.
Printers
Printers can be a source of data leakage. For example, an accountant can print financial information that should not leave the department on a printer in the marketing department.
Wi-Fi
Wi-Fi clients need to communicate with the Internet, printers and servers, but not with each other. It is therefore best to isolate Wi-Fi subscribers so that no traffic passes between them. This also improves network speed.
Phones
Phones should have access only to the telephone exchange and not to the Internet.
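The four functional segments above, implemented on a MikroTik RouterOS 7 device with bridge VLAN filtering. This is an added example, not configuration from the original article or from MikroTik's documentation. Interface names (ether2-ether6, wlan1), VLAN IDs, subnets, and the PBX and recorder addresses are constructed placeholders; the only parts taken from the text are the segments and the traffic policy between them.

```routeros
# Added example: functional VLAN segmentation on RouterOS 7 (bridge VLAN filtering).
# All interface names, VLAN IDs and addresses are constructed placeholders.
# Apply from a console or Safe Mode session: enabling vlan-filtering with an
# incomplete VLAN table cuts off management access.

/interface bridge
add name=bridge1 vlan-filtering=no comment="single L2 bridge; filtering is switched on last"

# Access ports carry exactly one untagged VLAN (pvid). frame-types rejects tagged
# frames from end devices; ingress-filtering drops frames for VLANs the port is not
# a member of, so a camera cannot tag itself into another segment.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="cameras"
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="printers"
add bridge=bridge1 interface=wlan1  pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="Wi-Fi clients"
add bridge=bridge1 interface=ether4 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="phones"
add bridge=bridge1 interface=ether5 pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="servers: PBX, video recorder"
# Uplink to the next switch: tagged frames only.
add bridge=bridge1 interface=ether6 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk"

# VLAN membership table. bridge1 itself is a tagged member of every VLAN so the
# router can terminate each segment at layer 3.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether6 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether6 untagged=ether3
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether6 untagged=wlan1
add bridge=bridge1 vlan-ids=40 tagged=bridge1,ether6 untagged=ether4
add bridge=bridge1 vlan-ids=50 tagged=bridge1,ether6 untagged=ether5

# One routed interface and gateway address per segment.
/interface vlan
add name=vlan10-cameras  interface=bridge1 vlan-id=10
add name=vlan20-printers interface=bridge1 vlan-id=20
add name=vlan30-wifi     interface=bridge1 vlan-id=30
add name=vlan40-phones   interface=bridge1 vlan-id=40
add name=vlan50-servers  interface=bridge1 vlan-id=50
/ip address
add address=10.10.10.1/24 interface=vlan10-cameras
add address=10.10.20.1/24 interface=vlan20-printers
add address=10.10.30.1/24 interface=vlan30-wifi
add address=10.10.40.1/24 interface=vlan40-phones
add address=10.10.50.1/24 interface=vlan50-servers

# Inter-VLAN policy as stated in the text. The rules assume an otherwise empty
# forward chain; on a device with the default firewall they must sit above its
# final drop rules. Replies to already-allowed connections are accepted first.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to allowed connections"
# Phones: telephone exchange only, no Internet, no other segments.
add chain=forward in-interface=vlan40-phones dst-address=10.10.50.10 action=accept comment="phones -> PBX (placeholder address)"
add chain=forward in-interface=vlan40-phones action=drop comment="phones -> everything else"
# Cameras: recorder only, so weak camera firmware has no path to the LAN or the Internet.
add chain=forward in-interface=vlan10-cameras dst-address=10.10.50.20 action=accept comment="cameras -> recorder (placeholder address)"
add chain=forward in-interface=vlan10-cameras action=drop comment="cameras -> everything else"
# Printers only answer print jobs; they never open connections toward other segments.
add chain=forward in-interface=vlan20-printers action=drop comment="printers initiate nothing"
# Wi-Fi: Internet, printers and servers are reachable; cameras and phones are not.
add chain=forward in-interface=vlan30-wifi out-interface=vlan10-cameras action=drop
add chain=forward in-interface=vlan30-wifi out-interface=vlan40-phones action=drop
add chain=forward in-interface=vlan30-wifi action=accept comment="Wi-Fi -> printers, servers, Internet"

# Wi-Fi clients on the same radio must not exchange frames with each other
# (legacy "wireless" package; the newer "wifi" package configures this differently).
/interface wireless
set [ find default-name=wlan1 ] default-forwarding=no

# Last step: activate the VLAN table.
/interface bridge
set bridge1 vlan-filtering=yes
```

The firewall rules enforce the policy between segments; the L2 part (pvid, frame-types, ingress-filtering) keeps a device from moving itself into another VLAN by tagging its own frames. Traffic within a VLAN, such as one Wi-Fi client talking to another, never reaches the IP firewall, which is why client isolation has to be set on the access point itself.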
Common attacks that VLAN protects against
Using VLAN increases security — a single segment of the network is harder to break into, and even if an attack succeeds, only that segment is compromised rather than the entire network.
Segmentation protects the infrastructure from common attacks: ARP-spoofing, DHCP-spoofing, DHCP-starvation, CAM-table overflow, and phone line attacks.
ARP-spoofing
An attacker's device sends an ARP reply with a spoofed MAC address. The purpose of the attack is to change the mapping between an IP address and a MAC address in order to intercept traffic between hosts.
DHCP-spoofing
A fake DHCP server is set up to make other devices use false DNS and WINS servers. As a result, an attacker can redirect users to phishing sites, obtain unencrypted passwords and access confidential information.
DHCP-starvation
An attacker's device sends many requests for IP addresses to the DHCP server until its address pool is exhausted. The server can then no longer serve legitimate clients, and the whole network collapses.
CAM-table overflow
Frames with non-existent source MAC addresses are sent to the switch. The switch's MAC address table overflows, and to keep forwarding the switch starts flooding traffic to all ports, like a hub.
At this point, an attacker can intercept data throughout the network. In addition, network performance is severely degraded.
Phone line attacks
An attacker can break into the telephone exchange at the weekend, when employees are not in the office, and place calls to Cuba. The Cuban operator bills the company and then hands over part of the money to the attacker.
This fraud scheme gives the offender easy access to the money. It is also less risky compared to the theft of confidential data — the criminal does not have to think how to sell information without being caught.
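RouterOS settings that block and log the four LAN attacks listed above, as an added example that is not part of the original article or of MikroTik's documentation. It assumes the bridge bridge1, the VLAN interface vlan30-wifi with a DHCP server on it, a camera on access port ether2 and a trunk on ether6 already exist; every MAC and IP address is a constructed placeholder.

```routeros
# Added example: RouterOS 7 counter-measures for the attacks named in the text.
# Assumes bridge1, vlan30-wifi (with its DHCP server), camera port ether2 and
# trunk ether6 exist. All MAC and IP addresses are constructed placeholders.

# DHCP spoofing: bridge DHCP snooping discards DHCP *server* messages that arrive
# on untrusted ports. Only the trunk toward the real server is trusted; the access
# ports for cameras, printers, phones and Wi-Fi clients stay untrusted.
/interface bridge
set bridge1 dhcp-snooping=yes
/interface bridge port
set [ find interface=ether6 ] trusted=yes

# Detection to go with the blocking: the DHCP alert module logs any DHCP server
# seen on the segment whose MAC is not the listed one.
/ip dhcp-server alert
add interface=vlan30-wifi valid-server=AA:BB:CC:00:00:01 disabled=no comment="placeholder MAC of the legitimate server"

# ARP spoofing: the router trusts only ARP entries it created itself. add-arp makes
# the DHCP server install a static ARP entry for every lease; reply-only stops the
# router from learning a forged IP->MAC mapping from an unsolicited ARP reply.
# A host with a hand-set address then needs a manual static ARP entry to reach
# the gateway, which is the intended side effect.
/ip dhcp-server
set [ find interface=vlan30-wifi ] add-arp=yes
/interface vlan
set vlan30-wifi arp=reply-only

# DHCP starvation and CAM-table overflow on ports with fixed equipment: pin the
# known device as a static bridge host, stop learning on the port, and drop
# every frame whose source MAC is not the known one, both toward other ports
# (forward) and toward the router itself (input), where DHCP and ARP arrive.
# Forged-MAC floods then neither fill the MAC table nor obtain leases.
/interface bridge port
set [ find interface=ether2 ] learn=no
/interface bridge host
add bridge=bridge1 interface=ether2 mac-address=AA:BB:CC:10:00:01 comment="camera on ether2 (placeholder MAC)"
/interface bridge filter
add chain=forward in-interface=ether2 src-mac-address=!AA:BB:CC:10:00:01/FF:FF:FF:FF:FF:FF action=drop comment="ether2: only the known camera may send"
add chain=input   in-interface=ether2 src-mac-address=!AA:BB:CC:10:00:01/FF:FF:FF:FF:FF:FF action=drop comment="same for frames addressed to the router"
```

Two caveats for production use: bridge filter rules push that bridge's traffic through the CPU, so on switch-chip models they cost hardware offloading, and static host pinning only fits ports where the connected device never changes (cameras, printers, phones), not user or Wi-Fi ports. The phone line attack in the list is not a LAN-layer problem and is addressed by restricting the phone VLAN to the telephone exchange and hardening the exchange itself.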
Errors in VLAN segmentation
Security issues are not thought through
I go to offices that spend tens of thousands of dollars on IT per month because they are deployed in clouds. If you ask the employees of such companies about how their network is set up, they will answer: “We don’t know. We only have Wi-Fi and wall sockets. In case of a fault, we will grab our laptops and head for the nearest café”. This is a classic situation where the company does not think about network security or its setup.
Insufficient segmentation of the network
It may happen that the network is not segmented, while there are thousands of devices in it. Such networks can work fine for a while, then there is an accident, and the entire infrastructure collapses. Business processes in such companies depend on how fast the engineer can run and pull wires. Interchangeability of personnel is also reduced. If a new employee comes to the company, it will be difficult for him/her to understand the location of sockets and switching equipment.
The network is excessively segmented into small VLANs
In small companies, an engineer is often bored for lack of interesting tasks. Then he/she starts to experiment and creates very small network segments. As a result, 30 VLANs are created for 30 users, and eventually the network of a small company has the topology of a large organization. For some time this may not affect the business: printers will still print and Wi-Fi will still hand out connectivity.
However, as soon as an engineer wants to leave the company, problems will arise. For example, when you install a new computer, it will turn out that it is not visible to neighboring devices. The engineer will find the switch password written on a piece of paper and will see many settings. It will be difficult for an unprepared person to deal with them.
Network segmentation should not be paranoid: it is not reasonable to create a large number of small VLANs.
Tips: how to avoid network segmentation errors
- Analyze your company's business processes and identify where data leakage is a threat to your business. Use VLAN to fence off the departments you want to protect.
- If employees within the same department have different levels of access to data, they should be delimited.
- Consider the economic feasibility of segmentation. Allocate VLANs for departments with high downtime costs.
- Divide the network by device functionality: Wi-Fi, phones, cameras, printers, computers.
- If the network grows spontaneously, it will eventually lead to an accident that takes a long time to fix. Even if you use cloud services, do not leave fault tolerance to chance.
- If the network is not segmented, fault tolerance suffers: in case of an accident the entire infrastructure is affected, and identifying the problem takes a long time.
- Excessive segmentation is equally harmful: do not create a VLAN for a single device. This complicates network configuration and reduces staff interchangeability, just as a complete lack of segmentation does.
DCImanager for easy VLAN management
Configuring VLANs usually requires working with switch commands. The DCImanager platform lets you manage VLANs on equipment from different vendors directly from its interface, and it discovers the VLANs already created on a device automatically. With DCImanager, in just a few seconds you can:
- create a new VLAN;
- add a comment to an existing VLAN;
- change the VLAN members;
- configure the trunk port;
- set the Native VLAN.