Rabinovitch (nd) notes that "VLANs can significantly improve security management by automatically placing unrecognized network users into a default VLAN, with minimal accessibility, secure from the rest of the network." The Media Access Control (MAC) address is commonly used as a first line of defense in the VLAN security system. Because switches do not automatically perform authentication checks, network administrators can configure VLAN software to perform identity checks.
However, Farrow (nd) identifies several security weaknesses with Virtual LANS. Virtual LANS do not exactly create protected network segments impenetrable to the outside world as Cisco had claimed. "Hopping" is possible, as virtual bridges may be established between VLANS. In fact, Farrow (nd) claims that security was never considered to be a feature of virtual LANS and that the presumed ability of VLANs to isolate workgroups is incomplete at best. Furthermore, firewall technology has evolved so that VLANs are detectable and therefore penetrable. Another drawback with VLANS is that "VLANs tend to break down as networks expand and more routers are encountered," ("Definition of Virtual LAN). Virtual LANS limit the number of supported tagged terminals. Interestingly, Rabinovitch (nd) claims that one of the reasons VLANS are used is "to ease network adds, moves, and changes."
Virtual LANs operate and function similarly to their traditional LAN counterparts, with physical ports, layers, authentications, protocols, MAC addresses, and IP subnets all playing a role in network design, segmentation, and management. VLAN does ease some of the constraints on network managers. For instance, "VLAN management software can then automatically reconfigure that station into its appropriate VLAN without the need to change the station's MAC or IP address." (NetworkWorld 2006). The IEEE's 802.1Q standards accommodated developments in VLAN technology, establishing ground rules for tagging and assigning membership regardless of the VLAN software vendors.
In Open Systems Interconnection (OSI) terminology, VLANs function on the data link layer: Layer 2. Using Layer 2, "packets are switched between ports designated to be within the same VLAN" (Cisco 1997). Virtual LANS can be configured to mimic functionality on the network layer, Layer 3. Traditional router switches can operate and move between multiple layers, whereas VLANs cannot. However, VLAN technology involves a robust tagging system that allows switches and ports to be configured as trunks (Farrow nd)....
Trunks in the network are the foundation for multiple VLANs in the same large network.
Bridging between one VLAN and another generally requires router switches and so VLANs and traditional LANs are not mutually exclusive. In fact, router switches are necessary in organizations with multiple VLANs. Router switches pose some architectural and security-related advantages over VLANs, and network administrators must take care to prevent VLAN hopping in complex network systems. To solve some of the structural and functional problems associated with VLAN technology, "the industry is working towards "virtual routing" solutions, which allows the network manager to view the entire network as a single routed entity," (Defnition, PCMAG). However, virtual routing and virtual bridges do not solve security-related issues associated with VLAN technology.
Virtual LANs offer network flexibility. The virtual LAN software interfaces with and overlaps traditional hardware-based network architecture. Large organizations with multiple functions, departments, and workgroups need virtual LAN technology to link together geographically distinct terminals that share the same network needs. Networks that change frequently via adding, subtracting, or moving terminals also need virtual LAN technology. Network administrators can enhance network security by preventing VLAN hopping but in general the security risks posed by virtual LANs are not appreciably different from those on a traditional LAN.
References
Cisco (1997). "Overview of Routing between Virtual LANs."
Definition of Virtual LAN." PC Mag. Retrieved Dec 8, 2008 at http://www.pcmag.com/encyclopedia_term/0,2542,t=virtual+LAN&i=53925,00.asp
Farrow, R. (nd). VLAN Insecurity. Retrieved Dec 8, 2008 at http://www.spirit.com/Network/net0103.html
Homan, C. (1998). VLAN Information. UC Davis. Retrieved Dec 8, 2008 at http://net21.ucdavis.edu/newvlan.htm
NetworkWorld (2006). "VLAN (virtual LAN)." Network World. Retrieved Dec 8, 2008 at http://www.networkworld.com/details/471.html
Rabinovitch, E. (nd). Migrating to VLAN: Tips, Tools and Standards. UniNews. Retrieved Dec 8, 2008 at http://www.uniforum.org/web/pubs/uninews/970701/feature2.html
TechTarget (2007). "What is virtual LAN?" Retrieved Dec 8, 2008 at http://searchnetworking.techtarget.com/sDefinition/0,sid7_gci213299,00.html
What is a VLAN?" (2008). TechFAQ. Retrieved Dec 8, 2008 at http://www.tech-faq.com/vlan.shtml
