If you listen to the vendors, there’s a technology out there that adds security to your network with a simple configuration step. Super VLANs (or Private VLANs, depending on your network vendor of choice) have been around as a concept for a few years, but now seem to be sold as a different technology depending on which type of customer the salesperson is talking to.
So where did it come from and what does it actually give you?
The technical details
Suppose you have four servers in a VLAN. You want them (for reasons that we’ll cover later) all to be in one subnet, but at the same time don’t want them to have free network access to each other. You can configure the switch ports, while remaining in the one overall VLAN, to be subdivided so that logically they can’t talk directly to each other.
Take Cisco’s Private VLAN configuration. You set ports up as either isolated, community or promiscuous, within that PVLAN subnet. A promiscuous port, typically the network’s default gateway, can communicate with any other port in that PVLAN. An isolated port can communicate only with that promiscuous port, and a community port can talk to the promiscuous port, or to other ports in the same community.
So a server connected to a port set up as an isolated port can only pass traffic to and from the router that is its default gateway. A couple of devices in the same community can talk to each other and to the router, but not to the other servers in that PVLAN.
Why go to the bother? The reasoning behind this when it was first thought up is explained pretty well in the related RFC (3069 if you’re that keen), ‘Efficient IP Address Aggregation’. This was a feature written for Service Providers, to allow them to host servers for multiple individual corporate customers without having to cope with vast quantities of subnets and the requisite complex subnet masking.
Customers didn’t want their services to be on a network shared with others while ISPs didn’t want to have to create dozens or hundreds of discrete networks to segregate them. SuperVLANs were the answer. One logical subnet, but isolation between devices in any granularity required.
Since then, the idea has worked well. However, over-keen vendors have started selling this technology to enterprise customers too. The need to sell value-add in an effort to gain market share has arguably driven the desire to promote the technology in ways not intended in the original design.
So Private VLANs are now a security mechanism. Isolate your servers in their own mini-VLANs and a hacker who violates one server can’t use it as a jumping off point to all the rest in that subnet.
At a basic level that might be true, but it wasn’t designed from the ground up as a security feature, so it should not be thought of as one. We don’t think of basic VLANs as all that secure, so why private VLANs? Okay, VLANs do add a level of security by their very nature, but that is not their prime focus, and if that’s all the security you have in your network, I’d be worried. The same goes for private VLANs. A level of security, yes—just be aware of where that level is.
For instance, they are vulnerable to spoofing. A packet sent from a server on an isolated port to another server on another isolated port will not be passed by the switch, true. However, a packet sent from a server to the MAC address of the default gateway will be passed through the switch. If, at the IP layer, it’s addressed to another ‘isolated’ server, the router will route it straight back into the same subnet — it has no reason not to. You need access lists as a minimum, or better, firewalling, to protect against that.
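To make the gap concrete, here is an added Cisco IOS-style example (not taken from the original post) of the isolated/promiscuous PVLAN setup described above, with the gateway first left as a plain routed interface and then protected by the access list the text calls for. The VLAN numbers, interface names and the 10.1.1.0/24 addressing are assumed for illustration.

```cisco
! Primary PVLAN 100 with an isolated secondary (101) and a community secondary (102)
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Two servers on isolated ports: the switch only lets them reach the promiscuous port
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Uplink to the default gateway on a promiscuous port mapped to both secondaries
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Router side, weak setting: the gateway for 10.1.1.0/24 (assumed addressing).
! Nothing here stops a packet that arrives from 10.1.1.10 addressed to 10.1.1.11
! being routed straight back out the same interface, so the two "isolated"
! servers can still reach each other by sending to the gateway's MAC address.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
! Router side, corrected setting: drop anything sourced from the PVLAN subnet and
! addressed to the same subnet (hosts that are allowed to talk do so through the
! switch, never via the router), applied inbound on the gateway interface.
! Proxy ARP is also turned off so the router never answers ARP for isolated hosts.
ip access-list extended PVLAN-NO-HAIRPIN
 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip proxy-arp
 ip access-group PVLAN-NO-HAIRPIN in
```

The access list closes the hairpin path only; it does nothing for traffic that legitimately leaves the subnet, which is where a firewall between PVLAN members and the rest of the network still earns its keep.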
Private VLANs are without doubt a useful tool to have at hand. However they are not a security panacea, and the main danger they pose is in pretending that they are.