As the CTO of NIC Partners, I frequently consult with our customers to evaluate their network and security practices. One critical topic often discussed is the segmentation of IoT devices within the network. Unsecured IoT devices can be exploited by attackers to gain access to the internal network, so proper segmentation is essential.
When I ask how IoT devices are segmented, the common response is that these devices are placed in a separate VLAN. However, upon further investigation, it often becomes clear that no additional security measures are in place beyond VLAN segmentation.
Placing devices in their own VLAN is a good starting point, but it’s not the whole story. A VLAN is a layer 2 (Ethernet, MAC address) broadcast domain: it constrains broadcast and multicast traffic and keeps hosts in different VLANs from reaching each other directly by MAC address. To reach anything outside their VLAN, devices send IP traffic to their default gateway, which is typically the IP address assigned to that VLAN (the SVI) on the campus core or distribution-layer switch.
To summarize, a device in the IoT VLAN hands any packet destined for another subnet to the default gateway, and the gateway routes it on to the rest of the network exactly as it does for every other VLAN it hosts. The problem is this: unless a filtering mechanism is applied at or beyond that gateway, the path between the IoT VLAN and the rest of the network is wide open. A VLAN separates broadcast domains; by itself it enforces no policy about which VLANs may talk to which.
So, how does one properly segment devices in a campus environment? There are several options available, which vary in efficacy and cost.
Access Control Lists (ACLs): Access control lists come in several forms, and not every form is supported by every manufacturer or device type. Static ACLs are easy to create and apply, but they need regular review and updates to remain effective, and they are difficult to keep synchronized across a large network without scripting or automation. Some of the ACL types that may be available:
- IP ACLs: Applied to a layer 3 interface (such as the VLAN's SVI), filtering traffic by IP address, protocol, and port.
- VLAN ACLs (VACLs): Applied to a VLAN, filtering by IP address or MAC address, including traffic bridged between hosts within the same VLAN.
- Port ACLs (PACLs): Applied to a specific layer 2 port, filtering by IP address or MAC address.
- Dynamic ACLs: Pushed from the RADIUS server when a device authenticates (for example via 802.1X or MAC Authentication Bypass) and enforced by the switch or wireless access point the device connects to, so the policy follows the device rather than the port.
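To make the gap between a bare VLAN and a filtered one concrete, here is a small first-match ACL evaluator. It is an added example written for this article, not code from any vendor's implementation or from the original post. The addressing (IoT VLAN 10.50.0.0/16, a DNS/NTP server at 10.0.0.10) and the sample flows are constructed for illustration. It models what the gateway does with no ACL bound to the IoT SVI versus with a simple extended ACL applied inbound, and it also shows how placing a broad deny above the specific permits silently breaks the devices' own DNS and NTP.

```python
"""First-match ACL evaluator for the IoT-VLAN case.

Added example for this article; addressing and rules are constructed, not taken
from the original post or from any real deployment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One packet as the router sees it arriving from the IoT VLAN."""
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    """One ACL entry, modelled on an extended (layer 3/4) ACL line."""
    action: str                  # "permit" or "deny"
    src: str                     # CIDR, or "any"
    dst: str                     # CIDR, or "any"
    proto: str = "ip"            # "ip" matches every protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (_addr_in(flow.src, self.src)
                and _addr_in(flow.dst, self.dst)
                and self.proto in ("ip", flow.proto)
                and (self.dport is None or self.dport == flow.dport))


def _addr_in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def evaluate(acl: Optional[List[Rule]], flow: Flow) -> str:
    """Return the gateway's verdict for one flow.

    acl=None models a VLAN with no ACL bound to its SVI: the router simply
    forwards everything. Otherwise the first matching entry wins, and an ACL
    with no matching entry denies (the implicit deny at the end of every ACL).
    """
    if acl is None:
        return "permit"
    for rule in acl:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed policy: the IoT VLAN (10.50.0.0/16) may use DNS/NTP on 10.0.0.10
# and reach vendor services on the Internet over HTTPS; everything else inside
# the RFC 1918 ranges is off limits.
IOT_IN = [
    Rule("permit", "10.50.0.0/16", "10.0.0.10/32", "udp", 53),   # DNS
    Rule("permit", "10.50.0.0/16", "10.0.0.10/32", "udp", 123),  # NTP
    Rule("deny",   "10.50.0.0/16", "10.0.0.0/8"),                # rest of the campus
    Rule("deny",   "10.50.0.0/16", "172.16.0.0/12"),
    Rule("deny",   "10.50.0.0/16", "192.168.0.0/16"),
    Rule("permit", "10.50.0.0/16", "any", "tcp", 443),           # vendor cloud over HTTPS
]

# Same entries with the broad 10.0.0.0/8 deny moved above the specific permits:
# a common mistake that blocks the devices' own DNS and NTP without any error.
IOT_IN_MISORDERED = [IOT_IN[2], IOT_IN[0], IOT_IN[1]] + IOT_IN[3:]

# Constructed sample flows from one camera in the IoT VLAN.
SAMPLE_FLOWS = {
    "camera->dns":          Flow("10.50.3.7", "10.0.0.10",    "udp", 53),
    "camera->fileserver":   Flow("10.50.3.7", "10.0.20.5",    "tcp", 445),
    "camera->workstation":  Flow("10.50.3.7", "192.168.1.50", "tcp", 22),
    "camera->vendor-cloud": Flow("10.50.3.7", "203.0.113.10", "tcp", 443),
    "camera->internet-ssh": Flow("10.50.3.7", "203.0.113.10", "tcp", 22),
}


def compare(flows: Dict[str, Flow], acl: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Map each flow name to (verdict with VLAN only, verdict with the ACL)."""
    return {name: (evaluate(None, f), evaluate(acl, f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (bare, filtered) in compare(SAMPLE_FLOWS, IOT_IN).items():
        print(f"{name:22} VLAN only: {bare:6}  with ACL: {filtered}")
    print("misordered ACL, camera->dns:",
          evaluate(IOT_IN_MISORDERED, SAMPLE_FLOWS["camera->dns"]))
```

With the VLAN alone every sample flow is forwarded, including SMB to the file server and SSH to a workstation; with the ACL only DNS, NTP and outbound HTTPS survive. Two caveats a practitioner should keep in mind: the ACL here is stateless, so replies to permitted flows and any management traffic from the campus into the IoT VLAN need their own entries in the opposite direction (or a stateful firewall between the VLANs), and rule order is policy, so a broad deny placed above a specific permit will quietly break the devices that depend on it.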
Figure 1: Example of Cisco's SD-Access segmentation
Isolated Networks: This is the most drastic option, but it is effective at preventing specific equipment, such as IoT devices, from reaching the rest of your network at all. The isolated devices are placed on their own network infrastructure with a separate Internet connection and firewall, with no routed path to the corporate network. A VPN can be used to manage the equipment remotely; since that VPN becomes the only bridge between the two environments, it should be restricted to the management hosts and accounts that need it. For many organizations this is not practical or worth the added expense, but critical infrastructure organizations such as utility companies, municipalities, and healthcare providers can and do use this technique.
As we can see, there are several options for segmenting traffic within a campus network, but VLANs alone are insufficient. There must be another mechanism in place that permits or denies traffic between your VLANs. The solutions represent different trade-offs in security, cost, and complexity, but it is my opinion that any solution is better than no solution. History has shown that IoT devices are susceptible to attack, whether because their firmware is never updated or because of zero-day vulnerabilities, and if your network allows free access from the IoT VLAN to the rest of the network, it is just a matter of time before a compromised device becomes a breach.