This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."
The terms "control plane" and "data plane" are common currency in networking, but may be less familiar to information security professionals. Fundamentally, the signals that control the flows and behavior of a network do not travel the same path as the packets themselves. Every large network, the public switched telephone network included, distinguishes the part that moves the packets (or calls) from the part that controls everything else. The data plane is the part that forwards user traffic; the control plane directs the operation, management and maintenance of the network. Some networks go a step further and separate the control plane, used for routing and call control, from a management plane, used for configuring and monitoring the devices themselves.
In enterprise IP networks, routing and data are rarely split onto separate paths, because IP routing protocols exchange their messages in-band, over the same links that carry user traffic. It is common, however, to put network management on a completely separate path, sometimes with its own cabling and topology. Anyone who has tried to diagnose and repair a network whose routing has broken down, and watched the management sessions fail along with it, will appreciate the benefit of keeping the control and data planes apart.
A New Target
The real VLAN threats come not from layer 2 (data link) attacks (see "Common VLAN Attacks," above) but from attacks on the network's control plane. Once a VLAN-capable switch is used as a security barrier, it becomes the weak link in your security infrastructure. Why would an attacker assail a hardened firewall appliance, configured with security as its primary goal, when he could attack a VLAN switch instead?
Switches aren't designed the way firewalls are; they are likely to have more vulnerabilities and to have received less security testing, so as a class they fall to a dedicated attacker faster and with less effort than a firewall does. Switches also offer an attacker far more avenues. A network may have one or two firewalls between two security zones, but dozens or even hundreds of VLAN-capable switches crossing floors and buildings, and it takes only one misconfigured device to open a hole between the secure and insecure parts of your network.
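As an added example (not code from the article or from Information Security magazine), here is what "one misconfigured device" looks like when you go looking for it: a small Python audit that reads an IOS-style switch configuration and flags trunk ports left at their defaults, ports that will still negotiate trunking with whatever is plugged in, and management (vty) lines reachable from any source. The configuration text is constructed for the example, and the checks encode common switch-hardening practice that the article itself does not enumerate; treat both as assumptions rather than as anything the author specified.

```python
"""Audit an IOS-style switch configuration for VLAN-boundary weaknesses.

Added example, not code from the original article. The config text below is
constructed, and the checks reflect common switch-hardening practice assumed
here rather than anything the article enumerates.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (config section, description of the problem)

# Constructed sample configuration: one trunk left at factory defaults, one
# unused port still negotiating trunks, and vty lines open to any source.
SAMPLE_CONFIG = """\
hostname dist-sw-3
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan all
!
interface GigabitEthernet1/0/2
 description downlink to access-sw-7
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description unused
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 description server
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
line vty 0 4
 transport input ssh
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group the config into top-level sections.

    A line at column 0 ('interface ...', 'line vty ...') opens a section and
    the indented lines under it belong to it; '!' separators and blank lines
    are skipped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def audit_interface(name: str, lines: List[str]) -> List[Finding]:
    """Flag trunk and DTP settings that weaken the VLAN boundary."""
    mode, native, allowed, nonegotiate = None, None, None, False
    for line in lines:
        if m := re.match(r"switchport mode (.+)$", line):
            mode = m.group(1).strip()
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            native = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (.+)$", line):
            allowed = m.group(1).strip()
        elif line == "switchport nonegotiate":
            nonegotiate = True

    findings: List[Finding] = []
    if mode == "trunk":
        if native in (None, 1):
            findings.append((name, "trunk uses native VLAN 1 (the default); "
                                   "untagged frames land in VLAN 1"))
        if allowed in (None, "all"):
            findings.append((name, "trunk carries every VLAN; prune the "
                                   "allowed list to what the link needs"))
        if not nonegotiate:
            findings.append((name, "DTP still running on a static trunk; "
                                   "add 'switchport nonegotiate'"))
    elif mode is None or mode.startswith("dynamic"):
        findings.append((name, "port will negotiate trunking with whatever "
                               "is attached; set a static mode and "
                               "'switchport nonegotiate'"))
    return findings


def audit_vty(name: str, lines: List[str]) -> List[Finding]:
    """Flag management (vty) lines that any VLAN can reach."""
    findings: List[Finding] = []
    if not any(l.startswith("access-class ") for l in lines):
        findings.append((name, "no access-class; management sessions are "
                               "accepted from any source address"))
    if "transport input ssh" not in lines:
        findings.append((name, "transport input is not restricted to ssh"))
    return findings


def audit_config(config: str) -> List[Finding]:
    """Run every check over a configuration and return all findings."""
    findings: List[Finding] = []
    for name, lines in parse_sections(config).items():
        if name.startswith("interface "):
            findings.extend(audit_interface(name, lines))
        elif name.startswith("line vty"):
            findings.extend(audit_vty(name, lines))
    return findings


if __name__ == "__main__":
    for section, problem in audit_config(SAMPLE_CONFIG):
        print(f"{section}: {problem}")
```

Run against the constructed config, the audit reports five findings: three on the uplink trunk, one on the unused port, and one on the vty lines, while the properly pinned downlink trunk and the access port pass clean. The point is not the specific checks but that they can be applied mechanically to every switch between two zones, which is the only realistic way to keep dozens of devices at a firewall's standard.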
There's also a philosophical difference within most network teams. Firewalls are obviously security barriers and are treated with appropriate gravity; switches are often considered less important. Network teams aren't accustomed to treating each switch as if it were the most important firewall in the entire network, which is exactly what a switch becomes when it is used as a VLAN security boundary.
This was first published in July 2005