SECURITY ZONES

VLAN Based Separation VLANs (Virtual Area Network) were created with the primary purpose of allowing network administrators to define broadcast domains flexibly across multiple switches. VLANs are a useful isolation tool. VLANs can also help you group resources according to their risk exposure and function, even if the systems in question are located on different floors of the building and cannot be interconnected using a single switch.

VLAN Based Separation The flexible nature in which VLANs can be configured, as well as the slew of intra- and inter-VLAN communication options available in high-end VLAN implementations, makes VLANs an attractive tool for network administrators. Unfortunately, virtual network divisions do not afford the comfort level that a physically disparate box does. Improperly configured VLANs can result in a vulnerability that would allow a savvy attacker to "jump" across VLAN boundaries.

VLAN Boundaries Even though subnets that are defined by VLANs might be considered virtual, they still require a router to forward network traffic from one VLAN to another. Intra-VLAN routing can be performed using a traditional router and can be controlled via ACLs, much like traffic that is crossing regular subnets. Because VLANs are meant to create isolated broadcast domains, we could use VLANs within a single switch to implement the security zone subnets shown in the network designs presented throughout this chapter.

Jumping Across VLANs According to the IEEE 802.1q standard, Ethernet frames traversing through VLAN-enabled switches can be identified as belonging to a particular VLAN through the use of a tag header inserted into the frame immediately following the source MAC address field. Frame tagging is used when multiple switches are "trunked" together to function as a single switch that can host multiple VLANs. Tag headers defined in the 802.1q standard carry identifying VLAN information across trunked switches and identify a frame as belonging to a particular VLAN. It is a good rule of thumb to have sets of switches dedicated to a particular security zone (such as an internal zone, screened subnet, or DMZ) and then to use VLANs to segment networks that fall within that security zone.

Firewalls and VLANs Even Security between VLANs can be quite a task. Typically the only security devices available for a router are access control lists. Though they are effective, managing access lists can be considerably more complicated and cumbersome than the interface of a commercial firewall solution. Logging and stateful handling of protocols may be missing or not as feature rich as a firewall solution.

Firewalls and VLANs Recently, firewall vendors have started to offer solutions that take advantage of VLAN and trunking technologies. Both Cisco and Check Point currently have firewall solutions that allow the securing of communication between VLANs on the same switch. Cisco's FWSM is a blade installed into 6500 series Catalyst switches. The Firewall Services Module (FWSM) uses the VLAN interfaces on the switch as its firewall interfaces. This way, policies can be created protecting hundreds of VLANS from each other with the full granularity of a PIX firewall.

Firewalls and VLANs Check Point has a solution called the Virtual System Extension (VSX). The VSX is a powerful Check Point FireWall-1 server with extras. A switch can be plugged in to it via a trunk, allowing multiple VLANs per trunk to appear as virtual interfaces on the firewall.

Private VLANs Check Some Cisco switches support an attractive VLAN security feature called private VLANs (or PVLANs), which you should weigh against the risks associated with VLAN deployments. A private VLAN is a grouping of ports specially configured to be isolated from other ports on the same VLAN. Private VLANs can help you restrict how hosts communicate with each other within the primary VLAN. Private VLANs are helpful for isolating systems within the subnet, without the lost addresses due to splitting the address range into multiple subnets.

Private VLANs Check Point has a solution called the Virtual System Extension (VSX). The VSX is a powerful Check Point FireWall-1 server with extras. A switch can be plugged in to it via a trunk, allowing multiple VLANs per trunk to appear as virtual interfaces on the firewall.