Those of us who have been around for a while remember the days when a single hub or switch was the physical connection that determined a user's network. Sure, you and your neighbor at work could be on different subnets, but setting that up was much more hands-on. The wiring to the patch panel was all the same; the real difference was the cable run from the patch panel to the switch. Ever seen one of those messy cable-management photos? Most likely it came from an older setup where segmentation was done at the patch panel. Any time a user switched desks, a cable had to be pulled from one part of the patch panel to another.
Now, with VLANs, we can make network connections cleanly, sometimes without the need for a patch panel at all, and virtually move a user's network connection on the back end. This is a big deal for ease of management: someone simply plugs their computer into the new spot and gets on with their daily work. The old saying that ease of access leads to a lack of security is extremely true in this case. If your co-worker can move their computer to a new desk and immediately get network access, doesn't that mean anyone could do it? Even someone from outside the company? Yes. Yes it does.
There are many ways to implement VLANs with security in mind, and the easiest one to enforce starts with the default VLAN (VLAN 1 on most switches; 802.1Q reserves VID 0 for priority tagging, so there is no usable "vlan0"). Every port that has not been deliberately assigned elsewhere lands in the default VLAN, so put it on a network with no outside resources: users can plug into the network easily but get no access they should not have. Pair DHCP with a DNS redirect to an internal HTTP server and you have a simple company splash page informing the user to contact the IT department to gain access. Even doing nothing with the default VLAN, so that every connected machine ends up with an APIPA (169.254.0.0/16 link-local) address, does the trick from a basic security perspective. First, any connected and authorized user will immediately go to the IT department because they cannot reach company resources. This is good. Second, an unauthorized machine is stuck in the default VLAN with an APIPA address that it cannot do anything with.... Kind of. Link-local addressing still lets every machine in that VLAN reach every other machine in it, and multicast name resolution (mDNS, LLMNR, NetBIOS) works fine over APIPA addresses, so if people on your network are using hostnames to talk to each other across that link there is cause for concern: anyone who plugs in can discover and talk to the other unauthenticated hosts. Private VLANs or port isolation on the switch close that gap.
The next part of managing your VLANs securely is making sure that no user access port is allowed to form a trunk. Even with the most secure VLAN layout, a port that can negotiate trunking undoes the whole implementation: a user or attacker can send the switch trunk-negotiation frames (DTP on Cisco switches), bring the port up as a trunk, and then tag traffic into any VLAN on that switch they see fit to start scanning or attacking. Most vendors let a port be set to access, trunk, or automatic (dynamic) mode. Ports generally ship in automatic mode and can be set to access with a single command. Set your trunks manually, turn negotiation off on every port, and you no longer have to worry about it.
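The check I would actually run against a switch to catch this, added here as an example and not part of the original post: a small Python audit of a Cisco IOS-style running config that flags every port still able to negotiate a trunk, and reports each port's access VLAN so you can also see which ports are sitting in the default VLAN from the previous paragraph. The sample config is constructed for the example, not taken from a real switch; the assumption that a port with no `switchport mode` line is in the Cisco default of `dynamic auto` is labelled in the code and should be confirmed on your own platform, since older or other vendors' defaults differ.

```python
"""Flag switch ports that can still negotiate a trunk (DTP) in a Cisco IOS-style running config."""

# Constructed sample of 'show running-config' output, one port per case (not from a real switch).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description user desk - factory default, no mode set
!
interface GigabitEthernet1/0/2
 description user desk - explicitly dynamic
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/3
 description user desk - hardened access port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 description uplink - static trunk that still sends DTP
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 description uplink - static trunk, DTP off
 switchport mode trunk
 switchport nonegotiate
!
"""

# Assumption: a port with no 'switchport mode' line is in the Cisco default, dynamic auto,
# and a port with no 'switchport access vlan' line sits in the default VLAN 1.
DEFAULT_MODE = "dynamic auto"
DEFAULT_VLAN = "1"


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line closes the stanza
    return interfaces


def audit_interface(lines):
    """Return (mode, access_vlan, severity, message) for one interface's config lines."""
    mode = DEFAULT_MODE
    access_vlan = DEFAULT_VLAN
    nonegotiate = False
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):].strip()
        elif line.startswith("switchport access vlan "):
            access_vlan = line.split()[-1]
        elif line == "switchport nonegotiate":
            nonegotiate = True
    if mode == "trunk":
        access_vlan = "n/a"  # access VLAN is meaningless on a trunk port

    if mode.startswith("dynamic"):
        # Either end can trigger trunk formation, so an attacker's DTP frames will do it.
        return mode, access_vlan, "HIGH", "port negotiates trunking; set 'switchport mode access'"
    if mode == "trunk" and not nonegotiate:
        return mode, access_vlan, "MEDIUM", "static trunk still emits DTP; add 'switchport nonegotiate'"
    if mode == "access" and not nonegotiate:
        return mode, access_vlan, "LOW", "access port still emits DTP; add 'switchport nonegotiate'"
    return mode, access_vlan, "OK", "trunk negotiation disabled"


def audit_config(config):
    """Audit every interface; returns {name: (mode, access_vlan, severity, message)}."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, (mode, vlan, severity, msg) in audit_config(SAMPLE_CONFIG).items():
        print(f"{severity:6} {name:24} mode={mode:<17} vlan={vlan:<4} {msg}")
```

Feed it the saved output of `show running-config` and treat every HIGH as an open door: those are the ports where anyone with a laptop and a DTP-capable tool can become a trunk. The MEDIUM and LOW findings are the belt-and-braces step of stopping the port from sending negotiation frames at all.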