This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."
Download it now to read this article plus other related content.
Even if you're not using VLANs as security barriers, but merely as a means for simplified net- work management, you need to ensure you have proper deployment and architecture to prevent simple mistakes that can lead to compromises.
The following best practices can help you maximize the effectiveness of VLANs and avoid introducing security holes.
Separate the data plane from the control plane as much as possible. When building networks, it's common to assign IP addresses to switches on all VLANs and use those for management and control--but, this opens up the switch to attack.
A better strategy is to create a separate management LAN and use only that VLAN for management. Switches shouldn't have IP addresses on any other VLAN. (See "Plane Language," opposite.)
Use switch features to enforce restricted control plane access. Even if you create a separate management network, you will want to use other switch features to make sure the control plane is thoroughly isolated. For example, most switches allow for basic ACLs that can be used to limit the IP addresses available for management. It's essential to make sure that you to use these ACLs to only allow management traffic from specific management station IP addresses, even if you are sure that only those management stations can be routed to that VLAN. A common technique by attackers is to find a weak point
in the network and use that to jump deeper. Since your switches themselves now become suspect, they shouldn't be considered trusted devices.
Limit and control traffic. Many switches have the ability to block broad types of traffic. If your goal, for example, is to enable IP connectivity, then you want to use an ACL to allow IP and ARP Ethernet protocols only, blocking all other types. This will help eliminate low-level Ethernet attacks, such as those that attempt to fool the spanning tree protocol.
Restrict cross-port traffic. When a group of systems is placed into a single security zone, the mere presence of connectivity offers the opportunity for attack. Several switch vendors offer the option to mark ports within a VLAN as "private," meaning that, although they can communicate off-switch, they can't communicate with each other.
It's highly unlikely that users on a wireless network will want to send packets to each other, so blocking traffic between wireless access points can increase security without impacting use of the WLAN.
Disable unused features and ports. Most switches are willing to talk to internal control protocols, such as spanning trees, on any port. If you use ACLs to block such traffic, you should disable these protocols on any port where they are not explicitly needed. At the same time, any port that isn't in use should be shut down or placed in an unused VLAN.
Document your physical layer. When secure and untrusted traffic coexist on the same switch, a security problem is simply a mispatched cable away. Extensive physical-layer documentation and standardization is critical to avoid errors that can compromise your security. For instance, you can use color-coded patch cables to indicate different VLANs, and color-code switch ports using plastic tape. While having good documentation won't prevent errors, even the most careless technician will think twice about plugging a green patch cable into a red switch port
This was first published in July 2005