67 replies to this topic

[Jeff Tan]

I have a 48 port POE switch,


5 core server are connect into it and in Vlan 1

i have 20 office computer connected to it in vlan2

and 2 AP each suppoert up to 20 user each in vlan 2


is my design secure? or do i need to get a smaller swtich to hold my server in vlan 1

[+BudMan]

secure from what standpoint? Just putting devices in different vlans does not make it secure? What ACLs do you have between the vlans?

From the info you have given all that can be assumed is broadcasts will not be seen between vlan1 and vlan2

[Jeff Tan]

ok..i will go into more details,

basically....

i have 5 server, 1 of them is a file server which store office files...
the 20 office computer has are able to read/write to a certain directory (eg . Office Doc) in D: drive
but not able to change any setting on this server.


the other 4 server are mail sever and web server etc..

putting them in seperate vlan is not allowing the user to ping or access the server. including the 40 user that are connected wirelessly.


now i wish to include 10 address space(wireless) for guess which only allow browsing of http and nothing else. <--how should i setup this


and putting them all in same switch but in diff vlan, how secure are information is kept?
just like what u said broadcasts should not be seen on different vlan
lets say vlan 1 for server
vlan 2 for users
vlan 3 guess network

[+BudMan]

Again just putting things in vlans does not prevent access.. Unless you don't route between the vlans, which then how do the users access the servers? Kind of pointless to have servers that users can not access.

So do you have a firewall routing traffic between the vlans? Or is the switch just routing intervlan traffic - if so what acls are you putting into place?

You clearly stated "the 20 office computer has are able to read/write to a certain directory" So you must be routing traffic between the vlans, so how are they now secure?

I think you misunderstand what a vlan is, a vlan is just another network segment. What is your security device between them? Firewall, just acls on the switch. What is the exact model of switch, is it layer 4?

If all you have done is create 2 network segments and are now routing traffic between them - all you have done is create 2 different broadcast domains to limit the broadcast traffic the servers will see

If you are not routing traffic between the segments -- how do the uses or guests access your servers services?

[+PeterUK]

Any computer or server needing to access each other needs to be on the same VLAN.
Any computer or server not needing to access each other can be put in a different VLAN.

[+sc302]

PeterUK, on 18 February 2013 - 14:38, said:

Any computer or server needing to access each other needs to be on the same VLAN.
Any computer or server not needing to access each other can be put in a different VLAN.

This is not true. You can have servers and computers on as many vlans that you want, it is the routing (or layer3) that needs to link them together. Most managed switches are capable of layer 3 these days but there are quite a few that do not and because of this makes vlaning a useless feature on those switches (IMO anyway).

[+BudMan]

^ exactly

The OP has not given enough details for a discussion of any sort of security. Since he states his servers are on 1 vlan, and his users are on another - I have to assume he is routing between them or how would they access the server their files are on?

Now maybe that is the OP issue, maybe he created 2 vlans and he has no routing between them? Yeah that would be secure but kind of useless in accessing user files stored on the server..

If he is just routing between the vlans - then no there is no security by just having the devices on different segments/vlans.. What is handing the routing? Is it the switch just doing intervlan routing.. Unless the switch is capable of acls again we don't have any security.

Now if he has a firewall that is doing the routing between the segments - then sure he could say you can only access IP on server vlan via port 80, or via smb/cifs to different IP in the server vlan from the users/guest vlan.

Need more info from the OP to continue this discussion.

[+PeterUK]

sc302, on 18 February 2013 - 14:50, said:

This is not true. You can have servers and computers on as many vlans that you want

Your saying servers and computers can be on VLAN 1,2,3,4....... even for the same servers and computers I'm not talking about that for the first line yes you could do that but not the second line which is a server to be on VLAN 1 only and a computer not to be on that same VLAN 1 but to be on VLAN 2 only.

VLAN can be flawed even without mirroring in that VLAN 1 is linked to VLAN 3 and VLAN 2 is linked to VLAN 3 with a MAC that is the same in VLAN 1 and VLAN 2 so that when traffic is received by VLAN 3 its sent to a MAC thats in both VLAN 1 and VLAN 2. That shouldn’t happen but it does because the VLAN is flawed in not sending it to the MAC with the lowest VLAN ID of course different IP's in the two VLAN with the same MAC is not a problem if the routeing table does MAC & IP but even then it can still happen. Which is why its not secure because no one put the option in for VLAN switch or VLAN hub mode per port as part of the VLAN design.

But all that is just the reason why VLAN is not secure.

[+BudMan]

PeterUK sounds like your taking about vlan hopping or attacks against vlans... Sure there are attacks that could allow you to hop vlans.. Now is the switch he is using open to some of these attacks? Not sure since he has not given the details of his switch.

Sure there are mac flooding attacks, there are vlan tagging attacks, there are multicast attacks, encapsulated attacks -- lots of attacks that could be used to hop a vlan or break the switch to bleed traffic between the vlans. Depends on the switch being used how secure it is against such attacks.

But generally speaking you have to assume that traffic between vlans is isolated, are we talking DOD secure or just how companies do business?

Is that what the user is asking? Should he use physical switches vs vlans so that there is a physical separation between the segments? I really am not clear to what the OP is after. But I can tell you with most companies vlans are highly used and considered secure.. Now what might be required in a DOD or government network -- they might not allow just vlans and require physical network segments?

From the info given I would be more worried about using wireless AP on the same vlan/segment as the users than being worried about only vlan separation between his users and his servers.

[+sc302]

never stated vlans in itself was secure. It really doesn't matter what vlan servers are on, in many instances the vlans are quite open. There are other things that should be added into the network to make your network secure. Install a NAC appliance for instance would make your network pretty secure, well it will keep out unauthorized equipment from attaching to your network anyway, this would "fix" your vlan issue.

http://en.wikipedia....o_NAC_Appliance

[+PeterUK]

The OP wants isolated networks but 1 of the 5 servers is a file server which store office files which has to be on the same VLAN as the 20 office computer with the 2 AP by the looks of it.

[+sc302]

The server doesn't have to be on the same vlan, but it does have to be on an accessible vlan.

server 1 can be on vlan2 and workstations can be on vlan5, vlan2 can access vlan5 and vice versa...provided you have a layer 3 switch or something doing some sort of bridging/routing.

[+PeterUK]

sc302, on 18 February 2013 - 18:11, said:

The server doesn't have to be on the same vlan, but it does have to be on an accessible vlan.

server 1 can be on vlan2 and workstations can be on vlan5, vlan2 can access vlan5 and vice versa...provided you have a layer 3 switch or something doing some sort of bridging/routing.

Because your bridging which is nothing to do with vlan2 can access vlan5 and vice versa it is because of bridging. I doubt bridging is needed in this setup any way.

[+sc302]

If any server is going to be accessed from any other vlan, you would need to do bridging or you would need to have a second nic in the server attached to the other vlan.

[+PeterUK]

sc302, on 18 February 2013 - 18:36, said:

If any server is going to be accessed from any other vlan, you would need to do bridging or you would need to have a second nic in the server attached to the other vlan.

Whats the difference between accessing the server on a difference VLAN by bridging then accessing the server on the same VLAN without bridging?

Your accessing the server either way.