I was following an email trail from a few colleagues and it dawned on me that I had not written about the use of VLANs with respect to PCI in this blog. If you purchased the book Anton and I wrote, you can find a great, real-life example of VLANs in the second case study in Chapter 4, “Building and Maintaining a Secure Network,” entitled “The Case of the Large, Flat Corporate Network.”

The question that was asked is, “Can a VLAN be used as a way to segment a network?” Of course, the answer (as always) is “It depends on how you are using it.” If you are using simple 802.1Q tagging with no other controls, that is not considered good segmentation. Many techniques are available to both the armchair and the advanced hacker to hop around those tags and get access to information.

Instead, VLANs can be used, with or without tagging, as long as nearby choke points enforce strong access lists (read: stateful if possible, reflexive if Cisco). My personal preference is hard coding ports to one VLAN (without tagging), but that can become unmanageable at scale if you don’t have the right automation in place. Alternatively, tagged VLANs with strong controls around the switches, strong ACLs on choke points near the ports, and relatively short trunks can be considered a good segmentation strategy.
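One way to check a switch configuration against the approach above, as an added example that is not from the original post or the book. The sample configuration is constructed, VLAN 100 is a hypothetical cardholder data VLAN, and the three policy checks are an assumed reading of "hard coded ports, controlled trunks, ACLs on choke points."

```python
import re

# Constructed IOS-style sample, not from the original post.
# VLAN 100 stands in for the cardholder data environment (assumption).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet0/2
 switchport access vlan 100
interface GigabitEthernet0/3
 switchport mode trunk
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk allowed vlan 100,200
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
interface Vlan200
 ip access-group OFFICE-IN in
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" separators and global commands end the stanza
    return interfaces

def audit(config, cde_vlan):
    """Return (interface, finding) pairs under the assumed policy."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        svi = re.fullmatch(r"Vlan(\d+)", name, re.IGNORECASE)
        if svi:  # routed VLAN interface: the choke point where ACLs are enforced
            has_acl = any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds)
            if int(svi.group(1)) == cde_vlan and not has_acl:
                findings.append((name, "CDE choke point has no inbound ACL"))
        elif "switchport mode trunk" in cmds:
            if not any(c.startswith("switchport trunk allowed vlan ") for c in cmds):
                findings.append((name, "trunk has no explicit allowed-VLAN list"))
        elif "switchport mode access" not in cmds:
            findings.append((name, "port mode is not hard coded to access"))
    return findings

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, f in audit(SAMPLE_CONFIG, cde_vlan=100)), sep="\n")
```

The check only confirms that an inbound ACL is bound to the choke point; whether that ACL is strong (stateful or reflexive) still has to be reviewed by reading its rules.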

For more fun, check out Chapter 4 of the book!

This post originally appeared on BrandenWilliams.com.