Switch VLANing issue.

[Jeff Tan]

I have a 48 port POE switch,

5 core server are connect into it and in Vlan 1

i have 20 office computer connected to it in vlan2

and 2 AP each suppoert up to 20 user each in vlan 2

is my design secure? or do i need to get a smaller swtich to hold my server in vlan 1

[+BudMan MVC]

secure from what standpoint? Just putting devices in different vlans does not make it secure? What ACLs do you have between the vlans?

From the info you have given all that can be assumed is broadcasts will not be seen between vlan1 and vlan2 ;)

[Jeff Tan]

ok..i will go into more details,

basically....

i have 5 server, 1 of them is a file server which store office files...

the 20 office computer has are able to read/write to a certain directory (eg . Office Doc) in D: drive

but not able to change any setting on this server.

the other 4 server are mail sever and web server etc..

putting them in seperate vlan is not allowing the user to ping or access the server. including the 40 user that are connected wirelessly.

now i wish to include 10 address space(wireless) for guess which only allow browsing of http and nothing else. <--how should i setup this

and putting them all in same switch but in diff vlan, how secure are information is kept?

just like what u said broadcasts should not be seen on different vlan

lets say vlan 1 for server

vlan 2 for users

vlan 3 guess network

[+BudMan MVC]

Again just putting things in vlans does not prevent access.. Unless you don't route between the vlans, which then how do the users access the servers? Kind of pointless to have servers that users can not access.

So do you have a firewall routing traffic between the vlans? Or is the switch just routing intervlan traffic - if so what acls are you putting into place?

You clearly stated "the 20 office computer has are able to read/write to a certain directory" So you must be routing traffic between the vlans, so how are they now secure?

I think you misunderstand what a vlan is, a vlan is just another network segment. What is your security device between them? Firewall, just acls on the switch. What is the exact model of switch, is it layer 4?

If all you have done is create 2 network segments and are now routing traffic between them - all you have done is create 2 different broadcast domains to limit the broadcast traffic the servers will see ;)

If you are not routing traffic between the segments -- how do the uses or guests access your servers services?

[+PeterUK MVC]

Any computer or server needing to access each other needs to be on the same VLAN.

Any computer or server not needing to access each other can be put in a different VLAN.

[sc302 Veteran]

Any computer or server needing to access each other needs to be on the same VLAN.

Any computer or server not needing to access each other can be put in a different VLAN.

This is not true. You can have servers and computers on as many vlans that you want, it is the routing (or layer3) that needs to link them together. Most managed switches are capable of layer 3 these days but there are quite a few that do not and because of this makes vlaning a useless feature on those switches (IMO anyway).

[+BudMan MVC]

^ exactly

The OP has not given enough details for a discussion of any sort of security. Since he states his servers are on 1 vlan, and his users are on another - I have to assume he is routing between them or how would they access the server their files are on?

Now maybe that is the OP issue, maybe he created 2 vlans and he has no routing between them? Yeah that would be secure ;) but kind of useless in accessing user files stored on the server..

If he is just routing between the vlans - then no there is no security by just having the devices on different segments/vlans.. What is handing the routing? Is it the switch just doing intervlan routing.. Unless the switch is capable of acls again we don't have any security.

Now if he has a firewall that is doing the routing between the segments - then sure he could say you can only access IP on server vlan via port 80, or via smb/cifs to different IP in the server vlan from the users/guest vlan.

Need more info from the OP to continue this discussion.

[+PeterUK MVC]

This is not true. You can have servers and computers on as many vlans that you want

Your saying servers and computers can be on VLAN 1,2,3,4....... even for the same servers and computers I'm not talking about that for the first line yes you could do that but not the second line which is a server to be on VLAN 1 only and a computer not to be on that same VLAN 1 but to be on VLAN 2 only.

VLAN can be flawed even without mirroring in that VLAN 1 is linked to VLAN 3 and VLAN 2 is linked to VLAN 3 with a MAC that is the same in VLAN 1 and VLAN 2 so that when traffic is received by VLAN 3 its sent to a MAC thats in both VLAN 1 and VLAN 2. That shouldn?t happen but it does because the VLAN is flawed in not sending it to the MAC with the lowest VLAN ID of course different IP's in the two VLAN with the same MAC is not a problem if the routeing table does MAC & IP but even then it can still happen. Which is why its not secure because no one put the option in for VLAN switch or VLAN hub mode per port as part of the VLAN design.

But all that is just the reason why VLAN is not secure.

[+BudMan MVC]

PeterUK sounds like your taking about vlan hopping or attacks against vlans... Sure there are attacks that could allow you to hop vlans.. Now is the switch he is using open to some of these attacks? Not sure since he has not given the details of his switch.

Sure there are mac flooding attacks, there are vlan tagging attacks, there are multicast attacks, encapsulated attacks -- lots of attacks that could be used to hop a vlan or break the switch to bleed traffic between the vlans. Depends on the switch being used how secure it is against such attacks.

But generally speaking you have to assume that traffic between vlans is isolated, are we talking DOD secure or just how companies do business?

Is that what the user is asking? Should he use physical switches vs vlans so that there is a physical separation between the segments? I really am not clear to what the OP is after. But I can tell you with most companies vlans are highly used and considered secure.. Now what might be required in a DOD or government network -- they might not allow just vlans and require physical network segments?

From the info given I would be more worried about using wireless AP on the same vlan/segment as the users than being worried about only vlan separation between his users and his servers.

[sc302 Veteran]

never stated vlans in itself was secure. It really doesn't matter what vlan servers are on, in many instances the vlans are quite open. There are other things that should be added into the network to make your network secure. Install a NAC appliance for instance would make your network pretty secure, well it will keep out unauthorized equipment from attaching to your network anyway, this would "fix" your vlan issue.

http://en.wikipedia.org/wiki/Cisco_NAC_Appliance

[+PeterUK MVC]

The OP wants isolated networks but 1 of the 5 servers is a file server which store office files which has to be on the same VLAN as the 20 office computer with the 2 AP by the looks of it.

[sc302 Veteran]

The server doesn't have to be on the same vlan, but it does have to be on an accessible vlan.

server 1 can be on vlan2 and workstations can be on vlan5, vlan2 can access vlan5 and vice versa...provided you have a layer 3 switch or something doing some sort of bridging/routing.

[+PeterUK MVC]

The server doesn't have to be on the same vlan, but it does have to be on an accessible vlan.

server 1 can be on vlan2 and workstations can be on vlan5, vlan2 can access vlan5 and vice versa...provided you have a layer 3 switch or something doing some sort of bridging/routing.

Because your bridging which is nothing to do with vlan2 can access vlan5 and vice versa it is because of bridging. I doubt bridging is needed in this setup any way.

[sc302 Veteran]

If any server is going to be accessed from any other vlan, you would need to do bridging or you would need to have a second nic in the server attached to the other vlan.

[+PeterUK MVC]

If any server is going to be accessed from any other vlan, you would need to do bridging or you would need to have a second nic in the server attached to the other vlan.

Whats the difference between accessing the server on a difference VLAN by bridging then accessing the server on the same VLAN without bridging?

Your accessing the server either way.

[grunger106]

Any computer or server needing to access each other needs to be on the same VLAN.

Any computer or server not needing to access each other can be put in a different VLAN.

Machines in different VLANs can communicate, it all depends on the ACLs on the device.

It wouldn't be bridging on a L3 switch / router it would be InterVLAN routing.

You don't need two NICs either, you can have a server with a single NIC in VLAN30 which is accessible from VLAN10 and VLAN20, but still have VLAN10 and 20 unable to access each other.

You would have rules allowing traffic from VLAN10 to VLAN30 and VLAN20 to VLAN30, but with an explicit deny rule on traffic from VLAN10 with a destination in VLAN20 and VLAN20 with a destination in VLAN10

[sc302 Veteran]

One requires the proper hardware on the network the other requires the proper hardware in the server.

[grunger106]

I tend to do this kind of stuff on a single NIC with port tagging and a 'router on a stick' at L3.

[sc302 Veteran]

I haven't seen a switch allow you to have multiple untagged vlans to a port. You can do trunking but you would need an os that would handle that. Then yes you could do that with a tagged port.

[+PeterUK MVC]

One requires the proper hardware on the network the other requires the proper hardware in the server.

No thats side stepping question bridging breaks VLAN thats the only reason a server on a difference VLAN can be accessed be another VLAN is by bridging even without VLAN you can access the server by bridging.

[sc302 Veteran]

Not exactly. You want to keep the one server accessable to both vlans. How do you do it? Bridging the vlans together or by having multiple nics with each nic in a different vlan.

[grunger106]

I haven't seen a switch allow you to have multiple untagged vlans to a port. You can do trunking but you would need an os that would handle that. Then yes you could do that with a tagged port.

Try this - 24 Port Switch

P1-10 Untagged Members of VLAN10

P11-22 Untagged Members of VLAN20

P23 - Untagged Member of VLAN30

P24 Tagged Member of VLAN 10,20,30

P24 into a VLAN tagging aware router, in my normal case a Cisco or Zyxel USG series.

[+BudMan MVC]

How and the hell did bridging come up? I doubt the user is doing any bridging..

I would wait to hear back from the OP before any continued discussion. Unless you feel you understand what the user is asking? I am not clear what he wants. Now that I reread what he posted, he might just be asking if vlans in general are secure enough - or should he break it out to a physical switch.

Comes down to what security policy your trying to adhere too -- yes in day to day businesses vlans are more than enough for separation. Keep in mind that yes their are attacks for hoping vlans, etc. But generally speaking your fine, we run multiple customers traffic over switches with just vlan isolation between the segments.

My point was that if you route traffic between the vlans - then vlans are not the security barrier, that would be where you route between them.

[sc302 Veteran]

Is bridging not the term when connecting two networks together. In essence connecting vlans together (whether it be via a router or internally on a switch) is a form of bridging although that term really doesn't mean a whole hill of beans in today's networks. Dig deep to old school days.

Try this - 24 Port Switch

P1-10 Untagged Members of VLAN10

P11-22 Untagged Members of VLAN20

P23 - Untagged Member of VLAN30

P24 Tagged Member of VLAN 10,20,30

P24 into a VLAN tagging aware router, in my normal case a Cisco or Zyxel USG series.

Oh my. You completely missed it. Was talking about a server not a hardware router. I can do similar with VMware and hyper-v nothing to try there I know what it does and how it works. Like I said you need an os that supports it.

Trying not to add any other pieces of networking hardware other than the switch itself or the servers to stay on topic.

There are several key pieces that we don't know. First what is meant by secure (inside attack, outside attack, malware attack, who knows maybe by this vague description he wants to know if he is secure from a std his girlfriends sister has who he never met...might as well be, we have about enough information to possibly to come to a conclusion about that). Second we know very little about his network, it's got vlans and what are we supposed to be able to tell with that information? I have some or all of the parts to put you in orbit, is it possible..that is similar to all of the information that was given in the initial post. Third, what exactly is he trying to accomplish? By attempting to understand the the limited information given he may not have the proper hardware and/or software in place to make this work.

[simsie]

Short answer: Not secure

Long answer: We need more idea of your setup - perhaps a diagram and parts list.

On a basic theory level VLANs are no more secure than having 3 different physical switches. It's all in how you connect them together that counts.