
I've browsed this site for a while but never had a need to ask a question until now, so here goes. I have a network setup question that I'm hoping the community can shed some light on. There is an effort in our office space to overhaul the network setup. We are an independent company in a shared office space with a few other independent companies. The office space provider has a redundant, fat internet pipe that will be shared with the groups in the space. They are setting this up by giving each group its own VLAN which they will administer for each of us. We want to ensure our data and resources are protected, but that we can still access our network remotely, so the VLAN as security doesn't work for us. What are the best options for this type of setup and maintaining our security? We are hoping they'd split out the traffic in a DMZ for each company to a private network, but this doesn't seem to be an option. I read this post: How do VLANs work? on VLANs as it seemed to be a similar setup in a hypothetical problem, and followed up reading this: How many VLANs are too few and too many? which were helpful and confirmed our concerns with VLANs. What we're still looking for is if there is a good setup for this shared pipe which allows us to control our own company security.

Thanks in advance.

  • Why would a VLAN prevent you from connecting remotely? VLANs are a Layer 2 construct. If a VLAN prevented Layer 3 connectivity, whether locally or remotely, then nobody would use VLANs. – joeqwerty Sep 20 '16 at 18:49
  • Do you want to protect against somebody sitting down at one of your unoccupied desks and plugging an ethernet cable into one of your jacks? – Law29 Sep 20 '16 at 19:13
  • Hi Joe and Law, thanks for the answers. Joe, our concern is that we can't administer the VLAN so we can't control what machines are on it. It is functional, but out of our control. Law, we want to protect access from others in the shared space having access to our network. I doubt it would be malicious, but more accidental while setting up additional groups. – RonBurgundy Sep 20 '16 at 19:49
  • Nothing prevents you from running your own switches, routers and firewalls, and completely ignoring the VLAN (except at the edge of course). – Michael Hampton Sep 20 '16 at 21:46

3 Answers


One reason why people discourage the use of VLANs for security is that there have been some attacks which allow for VLAN hopping, due to misconfigurations of the switches.

The VLAN hopping attacks that exist all depend on a few factors:

  • The switch speaks some kind of trunk protocol to you, allowing you to "register" for a different VLAN. This should never occur on a customer port.

  • The port is a tagged port, and the switch isn't protected against double-tagged packets. This is only an issue if you have users on VLAN-tagged ports. Even then, it's only an issue if you allow untagged packets on trunk ports between switches, which you shouldn't.

The "packets travel on the same wire" reasoning is valid, if the attacker has access to the physical wire in question. If that's the case, you have a lot bigger problems than what VLANs can solve.

So basically you can use VLANs as a security measure, but make sure that you never, ever speak VLAN tags with other users of that network, and do keep track of which switch features are enabled on ports facing such entities.

To make sure that your network is secure you can perform network security testing with tools like Ixia's BreakingPoint.

You can simulate your traffic and validate your infrastructure, inject security attacks and malware into that traffic and test the resiliency of your security infrastructure.

Oron Zimmer
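As an added example (not code from the answer above or from any switch vendor), a small Python audit of a constructed Cisco IOS style running-config that flags the two port conditions the answer names: trunk negotiation left open on a customer-facing port, and a trunk whose native VLAN is still the default so untagged frames ride it. The interface names and the config fragment are constructed; the IOS keywords checked (`switchport mode`, `switchport nonegotiate`, `switchport trunk native vlan`, `switchport trunk allowed vlan`) are standard Cisco IOS commands.

```python
import re

# Constructed Cisco IOS style running-config fragment (sample, not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/5
 description tenant-a desk port
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/6
 description tenant-b desk port
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/48
 description uplink to core switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
"""

def parse_interfaces(config):
    """Return {interface name: list of indented config lines under it}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global line ends the interface block
    return interfaces

def audit_ports(config):
    """Flag per-port settings that leave trunk negotiation (DTP) or
    native-VLAN leakage possible: the two conditions the answer describes."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None or mode == "dynamic":  # no explicit mode may default to dynamic
            issues.append("trunking negotiable via DTP (set 'switchport mode access')")
        if "switchport nonegotiate" not in lines:
            issues.append("DTP frames still generated (add 'switchport nonegotiate')")
        if mode == "trunk":
            if not any(l.startswith("switchport trunk native vlan ") for l in lines):
                issues.append("native VLAN left at default 1; untagged frames ride VLAN 1")
            if not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                issues.append("all VLANs allowed on trunk; prune to the ones needed")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for port, issues in audit_ports(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Only the tenant-b port passes as written; the tenant-a port and the uplink each produce two findings.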

I don't think there is a "good" setup that you can have in an unsecured office space. Someone can simply unplug a network cable and plug in and have access to your "stuff". I'll just say that you need to worry about the "worst people", not the accidental stuff. The answer is to set up one port that has a configured and plug it into a firewall of some type that you have full control of and secure it. Then on or behind the firewall you can set up your network and remote access.

illandous

I think that this all boils down to whether or not the provider that will be administering the VLANs is capable (i.e. they know what they are doing) and trustworthy. If the network architecture has been properly designed, and the VLANs have been set up and secured properly, then VLANs should adequately separate network traffic in your shared office environment. You will still be able to use VPNs for remote network access if you use VLANs.

Rather than worry about the VLANs, I think that you should be more concerned about hardening security for the local network. The following may seem like common sense to you, but many people fail to cover the basics: for example, make sure that software firewalls are enabled on all your servers and clients and restrict service access only to sources that need it, keep anti-virus software up to date, and keep your servers/clients patched and up to date. A proxy server can help you authenticate users trying to access external networks and can perform simple web filtering. There are open source platforms that can help you detect unauthorized network access or analyze network traffic for intrusions or other anomalies.

The point is, VLANs should work just fine for you. Just make sure that your provider is doing a good job, and keep them accountable by asking for lots of documentation and asking lots of questions. Then do your part by making your local network as secure and safe as possible.

wrieedx