Page 1 of 3 123 LastLast
Results 1 to 10 of 30

Thread: vLANs

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    10

    vLANs

    The IT manager here had some folks in to perform a security audit. I was a bit suspicious, since they were only scanning the internal network, and I didn't think that there was much, aside from some password scans, that could be accomplished (I'm more worried about outside attacks). One of the results of the audit was that we should create vLANs internally. We have 1 physical location, with 2 1/2 floors, and a total of about 180 workstations. We use level 2 switches. I don't know of a reason why we really should implement vLANs - anybody out there have an opinion?

  2. #2
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Yes, it maybe necessary or appropriate in some circustances.
    Could post here (without too much company disclosure) why the auditor team suggest that?
    We can post them about their reasons and the suggestion itself.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    The VLAN can create great value...


    For example, I segment our software developers into several of their own VLANs.
    They are always running protocol analyzers or packet sniffers to debug this or that. This sets off my IDS which required me to investigate which makes me want to scream.

    I also like to segment workgroups like HR and Accounting from the rest of the corp for obvious reasons.

    With a good enough switch, you can also have better bandwidth control over each group instead of doing rate shaping stuff on individual ports...Mostly on layer 3 equip tho.


    Just a few ideas..

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The first question is what do you have at risk, what value is it to the organization and thus what do you need to do, that doesn't exceed the value of the assets you are trying to protect, in order to properly protect them.

    There's a huge difference between protecting the payroll records of a couple of hundred employees and protecting the SSN's and CC numbers of a few thousand members of the general public.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Junior Member
    Join Date
    May 2004
    Posts
    10
    They were basing it on keeping traffic from getting overwhelmed in case of a worm. My reply was that the worm would still flood the router nic, so folks would still have problems with getting to resources outside of their relative vLAN anyway. The only time I've ever implemented vLANs was to ensure that the Finance department was able to get bandwidth to their production servers - single site/small offices doesn't seem to provide enough of a need for a vLAN that multiple sites/large networks would.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    A worm should not be able to get to your trusted network if at all possible. There should be as few services as possible, preferably none, that are served to the public network from the trusted. AV protection should be automatically and centrally updated for all clients, or better yet all executable files should be stripped from SMTP incoming traffic by the firewall if it is capable, assuming you host email yourself. Furthermore, closing as many services on client computers as is possible also slows or prevents many worms from moving even after a successful compromise on a vulnerable box.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    I still didnt get it, Jaz. Im with you, according to your info. VLAN Just wont work.
    If they suggest to implement VLANs AND create some "zones" into your network, protecting each by firewalls, it can work.
    For example, I did an implementation that server farm (Intranet) is behind some firewalls, protecting them from inside attackers.
    But I cant see this kind of implementation on a small company like yours. Im not sure what kind of business are being conduced there (finance?)
    maybe it better to invest on perimeter defense and internal defense, such good firewalls, antivirus, anti-trojan and related stuff.
    A Vlan to prevent worm flood doesnt appear to be a right choice.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  8. #8
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    I'm the head of the WAN and data infrastructure for a mid sized enterprise network. I have about thirty sites ranging from half a dozen users (at one site) to a several thousand (four sites).

    I use VLAN's everywhere.

    VLAN's, properly designed and administered, are one the best tools you have for having granular control of what is happening on your network. Control broadcast/multi-cast traffic, segment different departments, etc. In fact, In almost every site, I have both L3 and L2 VLAN's in place for exactly the reasons mentioned in the last sentance. I also use tagged VLAN's on wireless WAN for point-to-multipoint connectivity and as much as I fought against the introduction of 802.11 equipment being brought into my network, I've now got roaming VLAN's established for the wireless user.

    Truthfully, I'd hate to go back to not having them.

  9. #9
    Junior Member
    Join Date
    May 2004
    Posts
    10
    Well, we don't have much info here except for our own employee stuff - most everything else is public domain. I asked them if they did a scan from outside and was told that they weren't concerned about the outside at this point. That raised a red flag, which I tried to point out to the manager. She didn't think it was a problem.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    was told that they weren't concerned about the outside at this point
    This raised a "red flag"....... I can see a whole friggin' field full of red flags, big ones waving in a stiff breeze......

    They want to secure you internally from the ravages of a worm that they aren't even going to bother to see if they can stop from entering from the outside..... How friggin' stupid is that unless you are milking a sap of a client for all you can...... Unless there is other information that we are not privy to then I would say "bend over"..... You're about to be raped......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •