VLANs do not equal network security
In a recent discussion about network security, I had a (relatively inexperienced) network administrator comment that security between networks can be achieved with VLANs. As most of us know, VLANs do not equal network security, but it made me wonder why she came to that conclusion. After all, she was a smart person who did not normally take advice blindly but instead wanted to understand the concepts. I was concerned about the root of this misconception, and it was not the sort that comes from "drinking the Kool-Aid" of following one vendor's marketing over all common sense (which some engineers tend to do).
It is not just this belief, or partial knowledge, about VLANs that keeps going around. Other false security beliefs I have heard before include:
- We have a firewall, so we don’t need anti-virus software
- Or, we have anti-virus software so we are protected from ransomware and other risks
- We do backups, so we don’t need disaster recovery plans
- Cloud security is inadequate or incapable
- We use Linux or Mac desktops, so we can’t be hacked or get viruses
- Or, we are too small/obscure for a hacker to want to attack us
I bet many of you have heard (or shock, horror, said) these phrases before.
So, I was wondering why there are so many misinterpretations around security, and I came up with an interesting conclusion:
Most security technologies and approaches are only one part of an overall protection strategy.
So, back to VLANs. The net admin's confusion comes from the fact that VLANs are almost always used together with firewalls: each VLAN maps to an IP subnet, traffic between subnets has to be routed, and those subnets are treated as the boundaries of security zones. The separation people see in practice comes from the firewall policy enforced at those routed boundaries, not from the VLAN tag itself.
It's like the view that firewalls protect from viruses: a focus on one part of the solution as if it were the only part required.
So, just to bang on about this: VLANs are not security in themselves, but one tool in the set used to build it.
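To make the VLAN-plus-firewall point concrete, here is an added nftables ruleset (example configuration written for this post, not something from the original discussion or from any vendor). It assumes a Linux router with IP forwarding enabled and two 802.1Q sub-interfaces, eth0.10 for VLAN 10 (10.0.10.0/24, "users") and eth0.20 for VLAN 20 (10.0.20.0/24, "servers"); the interface names, subnets and port numbers are illustrative. The comment block shows the "VLANs only" state beside the corrected policy.

```nft
# Added example, not from the original post. Assumes a Linux router with
# net.ipv4.ip_forward=1 and 802.1Q sub-interfaces eth0.10 (VLAN 10,
# 10.0.10.0/24, "users") and eth0.20 (VLAN 20, 10.0.20.0/24, "servers").
# Interface names, subnets and ports are illustrative assumptions.
#
# Weak setting ("we have VLANs, so the networks are separated"): with
# forwarding on and an accept-all forward chain, the router routes freely
# between the two VLANs. Functionally this is a flat network with extra
# configuration; the VLAN tags separate nothing at layer 3.
#
#   table inet vlan_zones {
#       chain forward { type filter hook forward priority 0; policy accept; }
#   }
#
# Corrected setting: the routed boundary between the VLAN subnets is where
# the security-zone policy is actually enforced.
table inet vlan_zones {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions permitted by the rules below
        ct state established,related accept

        # Users (VLAN 10) may reach the servers VLAN on HTTPS only
        iifname "eth0.10" oifname "eth0.20" \
            ip saddr 10.0.10.0/24 ip daddr 10.0.20.0/24 tcp dport 443 accept

        # Servers never initiate traffic into the users VLAN
        iifname "eth0.20" oifname "eth0.10" counter drop

        # Anything else crossing a zone boundary is logged and dropped
        counter log prefix "inter-vlan-drop: " drop
    }
}
```

Load it with `nft -f <file>` and check it with `nft list ruleset`. One caveat worth keeping in mind: this policy only applies to traffic that crosses the router. Two hosts in the same VLAN reach each other through the switch and the firewall never sees that traffic, which is exactly why the VLAN layout, the routing and the firewall policy have to be designed together rather than relying on any one of them.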