Virtual local area networks (VLANs) are exposed to many of the same security issues as physical networks. A number of studies have examined VLAN security, and none of them has found an intrinsic weakness that would call the VLAN concept itself into question. What they do point out is one factor that can make a VLAN behave in undesirable ways and open the door to security breaches: improper switch configuration.
For several years Cisco Systems has advocated a set of best practices for VLAN security, centred on a secure network configuration for VLANs. This article discusses those best practices only.
What are the basic security principles and practices?
– The basic security principles that apply to any switched network also apply to VLANs; a VLAN is only as secure as the switch it runs on.
– These basic principles are therefore the cornerstones of VLAN security.
– Nobody wants their devices tampered with, so physical access to the switch must be controlled.
– The network administrator should know the proven security tools and actually use them, from simple measures such as system passwords and login banners up to centralized authentication and monitoring.
– Examples of such tools are TACACS+, RADIUS, Kerberos and intrusion detection systems (IDS).
– Only once these basic principles are in place does it make sense to move on to the more advanced security issues.
– A layer 2 switch groups subsets of its ports into VLANs, i.e. virtual broadcast domains that are isolated from one another.
– It is crucial that the switch can tell the isolated ports apart and forward traffic only within the correct VLAN.
– If that identification fails, the isolation between VLANs, and with it their security, fails as well.
– Traffic can be reliably separated only if each frame is tightly coupled to the correct VLAN tag.
– Tagging techniques such as IEEE 802.1Q preserve the VLAN information as a frame is forwarded, including across trunk links between switches.
– If the VLAN identification of a frame cannot be altered after it has been assigned and is preserved until the frame is delivered, VLAN-based separation is as reliable as physical separation.
– The management console is the most sought-after target for malicious users on a networking device: whoever controls it can configure the network at will.
– Besides the direct console connection, the management CPU can use additional VLANs for in-band management.
– The networking device itself must therefore be kept in a locked or otherwise controlled space, and its in-band management paths must be protected as carefully as the console.
– In-band management can be protected with the following best practices and tools:
1. Protocol ACLs
2. Traffic filters
3. QoS prioritization and marking (appropriate DSCP values are used to distinguish control-protocol traffic from user traffic).
4. Selective deactivation of layer 2 protocols, such as DTP and CDP, on ports that cannot be trusted.
5. Configuring the in-band management ports in dedicated VLANs.
6. Preventing VLAN 1 from carrying any data traffic.
– VLAN 1 must be pruned properly: by default every trunk carries it, so it spans the entire switched network, and it is also used for control-plane protocols.
– The risk that an instability in VLAN 1 affects the whole network grows with its diameter, i.e. the number of switches it spans.
– Moreover, if an omnipresent VLAN is used for management, trusted devices are exposed to attacks from untrusted devices that share it.
– An untrusted device that gains access to VLAN 1 can reach, and attempt to exploit, the management interfaces of every device on it.
– To avoid this, VLAN 1 must be pruned from every trunk and port where it is not actually needed.
– Management traffic and control-protocol traffic should be kept in a separate, dedicated VLAN, isolated from user data traffic.
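As an added example (not code from the article, nor from Cisco), the following Python script audits a Cisco IOS-style running configuration against the practices above: VLAN 1 carrying data or a management address, the native VLAN left at 1, DTP negotiation still enabled on a port, and vty access not restricted by an ACL. The two embedded configurations are constructed samples; the "weak" one is a switch left at its defaults, the "hardened" one applies the corrections. The `MGMT-HOSTS` ACL name, the VLAN numbers and the interface names are assumptions, and the parser understands only the subset of IOS syntax shown.

```python
"""Audit a Cisco IOS-style switch config against the VLAN best practices in the
text.  Added example, not code from the original article or from Cisco; it
assumes IOS-like syntax and checks only the points the text names."""
import re

# Constructed sample: a switch left at its defaults (the weak setting).
WEAK_CONFIG = """\
interface Vlan1
 ip address 10.0.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
line vty 0 15
"""

# Constructed sample: the same switch with the best practices applied.
HARDENED_CONFIG = """\
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
"""

def parse_stanzas(config):
    """Map each 'interface ...' or 'line ...' header to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith((" ", "\t")) and current is not None:
            stanzas[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def allowed_vlans(lines):
    """VLAN IDs a trunk carries, or None when unrestricted (IOS default: all).
    Only plain lists/ranges are parsed; the add/remove/except forms are not."""
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            ids = set()
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                ids.update(range(int(lo), int(hi or lo) + 1))
            return ids
    return None

def native_vlan(lines):
    """Native (untagged) VLAN of a trunk; the IOS default is VLAN 1."""
    hits = [re.match(r"switchport trunk native vlan (\d+)$", l) for l in lines]
    return next((int(m.group(1)) for m in hits if m), 1)

def audit(config):
    """Return (stanza, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for header, lines in parse_stanzas(config).items():
        if header == "interface Vlan1":
            if any(l.startswith("ip address ") for l in lines):
                findings.append((header, "management address on VLAN 1"))
            if "shutdown" not in lines:
                findings.append((header, "VLAN 1 SVI not shut down"))
        elif header.startswith("interface "):
            if "switchport mode trunk" in lines:
                vlans = allowed_vlans(lines)
                if vlans is None or 1 in vlans:
                    findings.append((header, "trunk carries VLAN 1 (not pruned)"))
                if native_vlan(lines) == 1:
                    findings.append((header, "native VLAN is VLAN 1"))
            if any(l.startswith("switchport mode ") for l in lines) \
                    and "switchport nonegotiate" not in lines:
                findings.append((header, "DTP negotiation not disabled"))
        elif header.startswith("line vty"):
            if not any(l.startswith("access-class ") for l in lines):
                findings.append((header, "vty lines not restricted by an ACL"))
    return findings
```

Running `audit(WEAK_CONFIG)` reports seven findings (two on the VLAN 1 SVI, three on the trunk, one on the access port, one on the vty lines); `audit(HARDENED_CONFIG)` reports none. One caveat the script cannot see: on Cisco Catalyst switches, removing VLAN 1 from a trunk's allowed list stops user data in VLAN 1, but control protocols such as CDP, VTP and PAgP still traverse the trunk in VLAN 1, which is why a separate management VLAN is needed rather than just pruning. Tagging the native VLAN (global `vlan dot1q tag native`) is a further hardening step the script does not check.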