- Firewalls and VLANs
One of the most common questions with regard to designing a firewall implementation is
how VLANs and firewalls interact with each other. Historically, firewalls and VLANs
went together like oil and water. Physical separation of resources for the purposes of
security was a sacred cow. It was an untouchable fact in network security. This was
reinforced by exploits and security issues that allowed traffic to traverse between VLANs
without going through a firewall or router, effectively bypassing any security that was in
place. A few things have contributed to a change in thinking regarding firewalls and
First, people became very comfortable with VLANs on their internal networks and
started using them to segment resources logically throughout their internal network.
Second, people started to realize that if they used multiple DMZs to house resources of
differing types, they could further segment and secure their perimeter resources by
placing resources with common access rules in different DMZ segments, instead of just
tossing everything into a single DMZ segment. The problem with creating so many DMZ
segments is that doing so required an incredible expenditure in network infrastructure
equipment such as switches and firewalls. After all, physically separate DMZ segments
required a dedicated switch and firewall interface on each DMZ segment, at a minimum,
which frequently made the solution cost prohibitive. To address the cost issues, VLANs
were looked at as a viable solution. Finally, switch vendors began securing their software
to help prevent the circumstances (typically buffer overflows) that would allow traffic to
traverse VLAN segments without going through the firewall or router.
Separate DMZ segments are fundamentally no different than separate subnets on an
internal network. On the internal network, VLANs are used to logically separate subnets
in lieu of physical separation. The benefits of this are well understood. It is cheaper to
implement because you do not need physically distinct switches or routers for each
subnet, and it is easier to manage the overall environment because moving resources from
subnet to subnet merely requires a change in the VLAN configuration (and, of course, a
change of the IP address of the system being moved). This same logic was applied to the
network perimeter, which resulted in using VLANs to create distinct DMZ segments.
Although using VLANs addressed the cost issue completely, the use of VLANs creates a
couple of important issues for folks to consider.
First, whereas logical separation of resources on a trusted network was generally
considered an adequate security risk, it is not as secure as physical separation of
resources. At the end of the day, a logically separated subnet is still physically connected
to other subnets in the same switch fabric. Normally for traffic to go from one VLAN to
another, it must go through a router (or firewall and thus can be filtered accordingly);
- because there is no actual physical separation between the VLANs, however, it is
possible for traffic on one VLAN to inadvertently be delivered to another VLAN without
using a router or firewall. The most common exploit to take advantage of this logical
separation is to create a situation that causes the switch to forward packets across VLANs
without going through the corresponding router or firewall. On a trusted network, this
might not be a big deal. If the only separation between your internal network and the
Internet is a VLAN, however, the risk becomes much more substantial. Traffic from the
Internet could wind up on your internal network, completely bypassing the firewall. It's
important not to overstate this risk. It is not really a trivial task to accomplish, and when
switches have been found to be vulnerable to such an attack the vendors tend to fix the
switch software relatively quickly, but the risk does exist.
For more information about VLAN security, check out the following white papers:
The second issue to consider when using VLANs is that because there is no physical
separation of resources, a server on one DMZ segment may be plugged into the same
switch right next to a server in another DMZ segment. This setup can make it very easy
to inadvertently plug a server into the wrong VLAN, and thus the wrong DMZ segment
(which may create an inadvertent security risk). Although you can mitigate this by paying
careful attention to detail and having well-documented and well-followed procedures and
policies, the bottom line is that the best technical controls out there cannot prevent every
instance of human error. Some examples of good practices to mitigate this problem are as
• Set trunking to off on all access ports.
• Enable port fast on all access ports.
• Implement port security on all access ports.
• Limit the use of VLAN 1.
• Configure dedicated native VLANs on trunk ports.
• Manually configure allowed VLANs on trunk ports.
• Shut down all unused ports and place them in an unused VLAN.
Although you can use VLANs in the network perimeter, it is important not to use them to
separate resources that have distinctly different security levels. For example, the Internet
and the internal network should always be physically separated from every other network
or DMZ segment with a firewall physically sitting between the segments and controlling
- the flow of traffic. Additionally, if you are going to use VLANs, you should implement
an IDS/IPS solution that can notify you of traffic that has an incorrect source or
destination IP address, indicating that traffic from one VLAN may be incorrectly on a
different VLAN or that a server from one VLAN may have been inadvertently plugged
into the wrong VLAN. You should also plan on implementing VLAN access control lists
(VACLs) to provide a means of filtering traffic at Layer 2, and thus within the VLAN, to
further protect resources.
Virtual firewalls build upon the practice of using VLANs. After all, if you can logically
separate a switch into multiple subnets, why not have the ability to use a single interface
on a firewall (or a logical interface on a firewall blade in a switch chassis) to filter
between those logical subnets. The benefit of this approach is that you further reduce the
cost of implementation by removing the need for each VLAN to connect to a physically
Virtual firewalls are most commonly implemented by separating a single firewall into
multiple logical firewalls, sometimes referred to as security contexts. Virtual firewalls are
also frequently implemented on network devices that support firewall hardware or
software as a component of the network device. For example, a Cisco Catalyst 6500 with
a Firewall Services Module (FWSM) allows you to create up to 100 virtual firewalls
within the switch. The virtual firewall can then be associated with corresponding VLANs,
providing the same functionality that would exist if a physical firewall had been used to
segment the VLANs from the rest of the network.
Because virtual firewalls can so easily be integrated into many switches, they are a good
way to segment and secure internal resources. Virtual firewalls are also commonly used
to segment DMZ segments that use VLANs as the segmentation method. This allows
multiple VLANs to be secured by multiple virtual firewalls using a single firewall
A big disadvantage of virtual firewalls is the fact that many folks have a hard time
conceptualizing virtual devices and objects. This can make it difficult to troubleshoot or
diagnose problems. Additionally, each virtual firewall is typically treated as an
individually managed and maintained resource, in addition to the system context (or
physical device itself), which increases management costs. Finally, not all virtual
firewalls can function exactly as if there were a physical firewall. For example, in certain
configurations, virtual firewalls may not be able to support technologies such as dynamic
routing protocols (such as when using Cisco FWSM and transparent mode configuration).