
I have a basic to moderate understanding of VLANs and their pros and cons as they relate to network segmentation, but I'm wondering where to start as one moves into virtualized environments.

From a security perspective, how does traditional VLAN segmentation stand up to products/solutions focused on virtual environments, such as VMware's vCloud Networking and Security product? When you're working with co-located VMs, what strategies/technologies do you rely on to segment VM traffic?

I know this may be overly broad, but any starting points would be extremely helpful. For the sake of a specific question, though, perhaps a good way to put it would be: do you consider virtual network security products to be at least as good as traditional VLANs for the purpose of segmenting network traffic?

Univ426

2 Answers


VLANs as a concept remain stable and constant regardless of the implementation of a technology or a solution. The core concept is to define a logical set of boundaries between networks; a line of trust, so to say. It's the implementation that varies, and this is where the risk lies.

If you know about Ubuntu running under a VMware platform, you can define VLANs using commands such as vconfig. Depending upon the use, if your virtual machine is dual-homed with two NIC cards sitting in DMZs, it may need two VLANs to connect to and transfer data.

Just like in a physical switch, you want to filter or define the VLAN IDs that a trunk link can carry; e.g. you want the FTP server VLAN to carry only traffic for FTP servers, not anything else.

For inter-VLAN routing you need to define an intelligent policy at the layer 3 router to filter/drop packets based upon the security requirement, e.g. non-FTP users accessing the FTP farm. Incoming traffic to non-standard FTP ports should be dropped as well.

No matter how much of a virtualized environment you may have, ultimately it has to go through the physical switches/routers of your organization's environment. This is where true control/checks should apply.

Securing VLANs is fairly common and well covered in Cisco academia (e.g. CCNA classes). You can start from here. This link discusses attacks on the VLAN protocol, e.g. VLAN hopping, and what can be done to mitigate the risk.

Saladin
  • Thanks @asadz, I understand that ultimately VLANs can be used and configured; I guess I'm more interested in whether anyone has found the virtual network tools available from VMware and Microsoft to be as secure as the use of VLANs, barring the biggest risk, misconfiguration/user error. – Univ426 Mar 06 '13 at 20:14

Well, the whole concept of VLANs is the same in both physical and virtual environments. But the way VLANs are used is somewhat different:

  1. When you are in a non-virtual (physical) environment, you can use VLANs to isolate different kinds of traffic based on different criteria, e.g. department, location and type of data, and in such cases the physical switch is used.
  2. In a virtual environment like VMware, for example, we generally have some specific kinds of traffic like Management, iSCSI, NFS, vMotion etc. So you have to use VLANs to separate these types of traffic. Here, two kinds of virtual switch are used, the "standard switch" and the "distributed switch", depending on the scenario.

IMHO, one should have a good understanding of the fundamental concepts and also of real-world scenarios. Hope this gives you some clues towards your questions.

Ali Ahmad
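Both answers come down to the same checks: keep Management, vMotion, iSCSI and NFS on VLANs of their own, and prune the physical uplink trunk to exactly the VLANs the host uses. The following offline audit of a vSwitch port-group inventory is an added example, not code from either answer; the inventory is constructed, the role labels and the `audit` function are assumptions, and the VLAN ID 0/4095 meanings are the documented vSphere port-group semantics.

```python
from collections import defaultdict

# vSphere port-group VLAN ID semantics (from VMware docs, not from this thread):
#   0 = untagged (native VLAN), 1-4094 = tagged by the vSwitch, 4095 = all VLANs
#   passed through to the guest, i.e. a trunk straight into the VM.
SENSITIVE_ROLES = {"management", "vmotion", "iscsi", "nfs"}  # assumed role labels

def audit(port_groups, trunk_allowed):
    """port_groups: (name, role, vlan_id) tuples; trunk_allowed: set of VLAN IDs
    the physical uplink trunk carries, or None when left at 'allow all'."""
    findings = []
    roles_by_vlan = defaultdict(set)
    for name, role, vlan in port_groups:
        roles_by_vlan[vlan].add(role)
        if vlan == 4095:
            findings.append(f"{name}: VLAN 4095 hands every trunked VLAN to the guest")
        elif vlan == 0 and role in SENSITIVE_ROLES:
            findings.append(f"{name}: {role} traffic rides the untagged native VLAN")
    # one VLAN shared by two trust zones is no boundary at all
    for vlan, roles in roles_by_vlan.items():
        if len(roles) > 1:
            findings.append(f"VLAN {vlan}: shared by {sorted(roles)}")
    # the uplink trunk should carry exactly the VLANs the host actually uses
    in_use = {v for _, _, v in port_groups if 0 < v < 4095}
    if trunk_allowed is None:
        findings.append("uplink trunk allows all VLANs; prune to those in use")
    else:
        extra = sorted(trunk_allowed - in_use)
        if extra:
            findings.append(f"uplink trunk carries unused VLANs {extra}; prune them")
        missing = sorted(in_use - trunk_allowed)
        if missing:
            findings.append(f"uplink trunk lacks VLANs {missing}; that traffic is dropped")
    return findings

# Constructed sample inventory, not a real environment
INVENTORY = [
    ("Mgmt-PG", "management", 10),
    ("vMotion-PG", "vmotion", 20),
    ("iSCSI-PG", "iscsi", 30),
    ("FTP-Farm-PG", "ftp", 100),
    ("Corp-Users-PG", "users", 100),  # shares the FTP farm's VLAN
    ("Legacy-App-PG", "app", 4095),   # guest tagging: sees every VLAN
]
TRUNK_ALLOWED = {10, 20, 30, 100, 200}  # 200 is used by no port group

if __name__ == "__main__":
    for finding in audit(INVENTORY, TRUNK_ALLOWED):
        print(finding)
```

Against a live host the same tuples can be pulled from the port-group and uplink configuration instead of the constructed list; the trunk's allowed-VLAN set comes from the physical switch port, which is where the first answer says the real control belongs.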