
Switch VLANing issue.


67 replies to this topic

#46 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 20 February 2013 - 21:30

Certain higher-end layer 2 switches can have 2 VLANs talk to each other if you have the ports tagged. Cheaper ones do not do this.

Which is where you're missing the point: the OP does not want 2 VLANs talking to each other.


#47 majortom1981

majortom1981

    The crazy one

  • Tech Issues Solved: 1
  • Joined: 30-November 01

Posted 20 February 2013 - 21:39

Which is where you're missing the point: the OP does not want 2 VLANs talking to each other.


The OP's second post states the 20 workstations access files on the file server, which is on VLAN 1. If they access that server through the internet then it wouldn't matter, BUT if they access files on that server through the net then VLAN 2 would have to be able to access things on VLAN 1.

On bigger switches like the 4108 I use, you can tag the VLANs and have the file server on both VLANs at once. Then just open up access to the one port the file services use.

Some people were saying a layer 2 switch cannot have something on one VLAN access something on another VLAN, which is not true. More expensive layer 2 switches can do this.

The OP is not clear on what he wants done.

#48 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 20 February 2013 - 23:41

The OP's second post states the 20 workstations access files on the file server, which is on VLAN 1. If they access that server through the internet then it wouldn't matter, BUT if they access files on that server through the net then VLAN 2 would have to be able to access things on VLAN 1.

Which is why I said to put that one server where the 20 workstations can access it, on the same VLAN; the other servers are not in that same VLAN because the 20 workstations have no need to access those servers.

What is wrong with this as posted by the OP apart from other security things?

Posted Image



#49 cawordsworth

cawordsworth

    Neowinian

  • Joined: 07-February 11

Posted 21 February 2013 - 00:14

Totally agree that some measures, i.e. moving all ports out of the default VLAN 1, may be overkill. However, the customers that I come across in my job (ranging from SMEs to larger enterprises) focus on security and, more importantly, best practice. So naturally the first port of call for me would be those areas.

The simple solution (as already suggested numerous times) would be to segment servers, workstations and guests into 3 different VLANs and just use ACLs.

#50 majortom1981

majortom1981

    The crazy one

  • Tech Issues Solved: 1
  • Joined: 30-November 01

Posted 21 February 2013 - 00:20

Which is why I said to put that one server where the 20 workstations can access it, on the same VLAN; the other servers are not in that same VLAN because the 20 workstations have no need to access those servers.

What is wrong with this as posted by the OP apart from other security things?


With more expensive switches you don't have to have that server in the VLAN. The Ethernet port it would be connected to would be in VLAN 1 but tagged so VLAN 2 can access it, BUT you would limit the ports to only the ones file sharing uses, so say port 80 would not be able to go through.

You wouldn't have to have it all on just VLAN 2.

It's more secure that way, BUT there's no mention, I don't think, of what brand and model the switch is.

This way only the specific traffic needed will get to that one file server. If it's in the same VLAN as the 20 machines, all traffic will hit it.

#51 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 35
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 21 February 2013 - 00:37

That isn't a layer 3 switch that supports that. You would need a layer 4 switch to block/allow TCP ports like port 80.

#52 cawordsworth

cawordsworth

    Neowinian

  • Joined: 07-February 11

Posted 21 February 2013 - 09:21

That isn't a layer 3 switch that supports that. You would need a layer 4 switch to block/allow TCP ports like port 80.


True, but layer 3 switches can do basic ACLs, which is all that is really needed in this situation. We need to know the switch that the OP would intend to use for this solution.

#53 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 35
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 21 February 2013 - 13:15

True, but layer 3 switches can do basic ACLs, which is all that is really needed in this situation. We need to know the switch that the OP would intend to use for this solution.

You would have to look through, but it is a layer 3, he said.

#54 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 21 February 2013 - 16:55

With more expensive switches you don't have to have that server in the VLAN.

But you're overcomplicating the setup, which the OP might not need.

#55 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 21 February 2013 - 17:30

The OP question was vague at best: are VLANs secure?

As posted already - "secure from what standpoint?"

Are there attacks against VLANs? Sure. Can most of them be mitigated? Again, sure. In what context, and what risks are you concerned about? Without some details of context and from what standpoint, we can go round and round for weeks.

Most companies use VLANs, and they are considered "secure" enough for most business use.

#56 OP Jeff Tan

Jeff Tan

    Neowinian

  • Joined: 22-November 12

Posted 22 February 2013 - 11:49

The OP question was vague at best: are VLANs secure?

As posted already - "secure from what standpoint?"

Are there attacks against VLANs? Sure. Can most of them be mitigated? Again, sure. In what context, and what risks are you concerned about? Without some details of context and from what standpoint, we can go round and round for weeks.

Most companies use VLANs, and they are considered "secure" enough for most business use.



Maybe you guys think too deep into the secureness....

My approach is toward internal staff and guests.

Yes, I know there are certain attacks that are able to penetrate VLANs, but that is not what I am looking for.

My question is sort of simple: creating multiple VLANs on a single switch (layer 3) that house staff, server and guest connections.

What I want to achieve is that servers are in 1 VLAN, staff in 1 VLAN and guests in 1 VLAN,
sort of some isolation where broadcasting will not be seen in either of them.

Or should they be on separate switches, each with its own VLAN?

Which approach is better?

#57 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 35
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 22 February 2013 - 12:19

The depth of security depends on the need, or how the individual perceives security. The requirement is different between securing your house and securing a government facility. Asking questions and entertaining different scenarios shows this.

You are fine if you are protecting your house by using a layer 3 switch to segment the networks. You may want a bit more if you are attempting to secure a government facility or a school (kids like to tinker a lot and really push what you think you know about security).

#58 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 22 February 2013 - 12:37

Yes, a VLAN is a broadcast domain; broadcast traffic will not be seen from the other VLANs. This was answered back in post 2.

So we can /thread then.

#59 +PeterUK

PeterUK

    Neowinian Senior

  • Tech Issues Solved: 5
  • Joined: 26-March 07

Posted 22 February 2013 - 16:01

What I want to achieve is that servers are in 1 VLAN, staff in 1 VLAN and guests in 1 VLAN,
sort of some isolation where broadcasting will not be seen in either of them.

But as you said, one of those servers needs to be accessed by staff, so if you have them in different VLANs they can't access it unless you do bridging, which is more setup.

#60 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 106
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 22 February 2013 - 16:18

"if you have them in different VLANs they can't access it unless you do bridging"

What?? You do not need to bridge to access other VLANs; you would ROUTE between the VLANs, which would be the normal way. This would normally be done on the switch with inter-VLAN routing, or with each VLAN having a connection to your router/firewall that would handle the routing between them.

Now, what is doing this routing would determine how granular you could get on your access controls. If what is routing has firewall features then you could prevent access to all kinds of things. You could limit access to IPs based upon port; you could limit on source IP. Depending on the feature set of your firewall you could even do some layer 7 filtering if so desired. But no, bridging is not a normal way to allow access between VLANs.
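The policy the thread converges on (three VLANs for servers, staff and guests, routed between on the layer 3 switch, with staff allowed to reach only the one file server and only on the file-sharing port, and guests reaching no internal VLAN) can be written down and checked before touching a switch. The model below is an added example, not code from the thread or from any switch vendor; it evaluates an inbound, first-match ACL per VLAN the way a typical layer 3 switch or firewall does, and the subnets, file server address and port 445 for SMB are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the thread's three VLANs (servers, staff, guests); all values are assumptions.
VLAN_SERVERS = ipaddress.ip_network("192.168.10.0/24")
VLAN_STAFF = ipaddress.ip_network("192.168.20.0/24")
VLAN_GUESTS = ipaddress.ip_network("192.168.30.0/24")
FILE_SERVER = ipaddress.ip_network("192.168.10.10/32")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port

# Inbound ACL on the routed interface of each VLAN: first match wins, with an
# implicit deny at the end, as on a typical layer 3 switch or firewall.
POLICY = {
    VLAN_STAFF: [
        Rule("permit", "tcp", VLAN_STAFF, FILE_SERVER, 445),  # SMB to the file server only
        Rule("deny", "ip", VLAN_STAFF, VLAN_SERVERS),         # no other server access
        Rule("deny", "ip", VLAN_STAFF, VLAN_GUESTS),
        Rule("permit", "ip", VLAN_STAFF, ANY),                # everything else (internet)
    ],
    VLAN_GUESTS: [
        Rule("deny", "ip", VLAN_GUESTS, VLAN_SERVERS),        # guests see no internal VLAN
        Rule("deny", "ip", VLAN_GUESTS, VLAN_STAFF),
        Rule("permit", "ip", VLAN_GUESTS, ANY),
    ],
    VLAN_SERVERS: [
        Rule("permit", "ip", VLAN_SERVERS, ANY),              # replies and updates
    ],
}

def allowed(src: str, dst: str, proto: str, dport: Optional[int] = None) -> bool:
    """Evaluate the ACL of the VLAN a packet enters from; True if it may be routed on."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    vlan = next((v for v in POLICY if s in v), None)
    if vlan is None:
        return False  # source is not on any known VLAN: dropped
    for r in POLICY[vlan]:
        proto_ok = r.proto == "ip" or r.proto == proto
        port_ok = r.dport is None or r.dport == dport
        if proto_ok and s in r.src and d in r.dst and port_ok:
            return r.action == "permit"
    return False  # implicit deny
```

The server VLAN's permit-any rule is what lets the file server's replies back out; on a real stateless switch ACL that return direction has to be written explicitly, or a stateful firewall used for the routing instead.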