IT Baseline Protection Manual S 5.62 Suitable logical segmentation

S 5.62 Suitable logical segmentation

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

With the help of appropriate network components, it is possible to segment a network logically even if a fixed physical segmentation is already in effect. This can be achieved using switches which operate on layers 2 and 3 of the OSI model. As these switches recognise the protocols used on layers 2 and 3, virtual LANs (VLANs) can be formed by controlling the data flow between the switch ports. This makes it possible to create network groups which are not mapped as such by the physical segmentation. In particular, this allows a quick and dynamic formation and rearrangement of groups without any modifications to the physical layout of the network. As in the case of physical segmentation on layers 2 and 3, criteria concerning confidentiality, availability and integrity are also to be applied here. The criteria for suitable logical segmentation can be applied similarly to the criteria for physical segmentation.

The following illustration shows one possibility of forming a VLAN with the help of several layer-3 switches. The physical links between the stations and the switches are represented by the connecting lines. Logical segmentation is performed through grouping into VLANs using switches.

Figure 1: Formation of VLANs using several switches

If the VLAN structure shown in Figure 1 were to be achieved by means of a conventional physical segmentation, the layout shown in Figure 2 would be the result. The individual LANs can be mapped here by means of shared Ethernet segments, for example, and linked together with a bridge.

Figure 2: Physical segmentation in compliance with Figure 1

On the basis of VLAN-compatible network components, virtual LANs can be formed without any physical restructuring. In accordance with the technologies used, these VLANs are created through segmentation on layers 2 and 3. Like LAN segmentation, this allows a network to be separated into areas where high demands are placed on the confidentiality of data, for example (refer to S 5.61 Suitable physical segmentation). Depending on the product in use, different functions are available for the formation of VLANs. Some products allow the formation of VLANs on layers 2 and 3, which can only be coupled by means of routers (and are thus termed secure VLANs). In this case, filter rules need to be defined for the router in order to ensure controlled transmissions between the individual VLANs. Other manufacturers even implement a routing function in layer-3 switches, which allows VLANs to be linked without the need for additional routers. In particular, the intended technologies and products must be checked to determine whether they fulfill requirements concerning the confidentiality and integrity of data.

Figure 3: Formation of secure VLANs with layer-3 switches

In this case (Figure 3), layer-3 switches are used to configure secure VLANs on layer 3 of the OSI model. The switches illustrated here do not have a routing function. VLAN 1, VLAN 2 and VLAN 3 operate as though they have been segmented by means of a router, although no routing takes place between them. In other words, VLAN 3 is not linked with any of the other VLANs; only VLAN 1 and VLAN 2 can communicate with each other via a router. Communications can be controlled by configuring the router in the required manner. Other products which implement a routing functionality in the layer-3 switches eliminate the need for the displayed router, and allow routing with the help of the switches.
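The following reachability model of the Figure 3 layout is an added example and not part of the manual: it shows how a "secure VLAN" configuration can be checked against its confidentiality requirements before it is rolled out. Station names, VLAN numbers and the single filter rule are constructed, and the router is modelled statelessly, so return traffic would need its own rule.

```python
"""Reachability model for the secure-VLAN layout of Figure 3 (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed topology: each end station sits on an access port that belongs
# to exactly one VLAN. Station names and VLAN numbers are assumptions.
STATION_VLAN: Dict[str, int] = {
    "ws-1": 1, "ws-2": 1,   # VLAN 1: workstations
    "db-1": 2, "ws-3": 2,   # VLAN 2: database and its administrators
    "hr-1": 3, "hr-2": 3,   # VLAN 3: no router interface, so fully isolated
}

@dataclass(frozen=True)
class FilterRule:
    """One permit rule on the router that couples VLANs (stateless model)."""
    src_vlan: int
    dst_vlan: int
    proto: str                       # "tcp" or "udp"
    dst_port: Optional[int] = None   # None permits any destination port

@dataclass
class Router:
    attached_vlans: Set[int]
    rules: List[FilterRule] = field(default_factory=list)

    def permits(self, src_vlan: int, dst_vlan: int, proto: str, dst_port: int) -> bool:
        # Without an interface in both VLANs the router cannot forward at all.
        if not {src_vlan, dst_vlan} <= self.attached_vlans:
            return False
        return any(r.src_vlan == src_vlan and r.dst_vlan == dst_vlan
                   and r.proto == proto and r.dst_port in (None, dst_port)
                   for r in self.rules)

def reachable(src: str, dst: str, proto: str, dst_port: int, router: Router) -> bool:
    """True if a packet from src to dst:dst_port can be delivered."""
    sv, dv = STATION_VLAN[src], STATION_VLAN[dst]
    if sv == dv:
        return True   # forwarded at layer 2 inside the VLAN; no filter is consulted
    return router.permits(sv, dv, proto, dst_port)

def isolated_vlans(router: Router) -> Set[int]:
    """VLANs with no router interface: reachable only from their own members."""
    return set(STATION_VLAN.values()) - router.attached_vlans

# Constructed router for Figure 3: interfaces in VLAN 1 and 2 only, one rule
# letting VLAN 1 reach the database service in VLAN 2 (port number assumed).
ROUTER = Router({1, 2}, [FilterRule(1, 2, "tcp", 5432)])
```

Running `isolated_vlans(ROUTER)` on a planned configuration is a quick way to confirm that the VLANs intended to hold confidential data really have no router path to the rest of the network.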

A general recommendation concerning logical segmentation cannot be made. During the installation of a new network however, a check must be made as to whether VLANs would help fulfill requirements concerning availability, confidentiality and integrity more easily than a more elaborate physical segmentation.

One advantage of logical segmentation is the easy and central configuration of new segments and reconfiguration of existing ones. Particularly in the case of products which support secure VLANs, this allows a quick and easy formation of workgroups in the network, which fulfill the high requirements concerning the confidentiality of each workgroup's data. On the other hand, secure remote access to the active network components also requires particular attention in this case, as segmentation here is only based on software configurations. During logical segmentation, a balance therefore needs to be struck between the security requirements of the network (also as regards protection against unauthorised reconfiguration) and the need for flexible reconfiguration of the network.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999