In a new article published on InformationWeek, James Gudeli, a VP at Kerio Technologies, spoke about how VLAN, or virtual local area network, can be used by SMBs to get a better handle on security. This is done by taking advantage of what VLAN offers to segment the network and limit the damage in a security breach.
As its name suggests, a VLAN allows a system administrator or security manager to create multiple virtual channels that are piped through the same physical network. Each VLAN functions in isolation and offers segregation between networks without SMBs having to commit to hefty infrastructure upgrades. Indeed, routing instructions are typically required to merge different VLANs together.
Of course, there are some downsides that I shall address below. Let’s take a look at its benefits first, though.
As shared by Gudeli, a separate VLAN ID can be used to identify devices connected on the guest network. Separate filtering policies can be applied on them, including ensuring that devices on this guest network cannot interact with internal resources such as the file server, intranet or network printer.
Moreover, groups of users can also be segmented by departments or roles even if they’re side by side in the office. The accounts department, for example, could be separated from the sales department, while the PCs used by data entry staffers could be kept in their own virtual network. I’ve previously written about using VLAN tagging with guest networks in Wi-Fi deployments, which you can read in “Building a Wireless LAN for Your SMB.”
And given that VLANs were originally designed to preserve the quality of service on networks, it can be used to ensure that time-sensitive services such as VoIP and videoconferencing services are allocated with sufficient bandwidth, too.
Increased Cost, Complexity
For all the benefits of VLAN, I don’t agree with all the arguments for its viability in all small businesses and SOHOs. Gudeli talked about how small businesses will not be willing to commit to multiple network switches, alluding to how a single switch is a most cost-effective approach. However, this argument ignores the fact that not all network switches necessarily support VLANs. For example, the HP 2915-8G-PoE switch that I reviewed last year will work fine, though it is priced substantially higher than a basic Layer 2 network switch.
Moreover, though setting up a VLAN is hardly rocket science, it adds an inevitable level of complexity that is likely to confuse your typical “let the most techie employee set it up” approach adopted by many small businesses. For example, wiring up two devices to the same network switch with VLAN enabled does not necessarily allow them to communicate. In this vein, a misconfigured network may engender a false level of security that causes more harm in the long run.
Ultimately, I would encourage SMBs to utilize VLANs to increase their level of security without having to make extensive changes to the existing infrastructure. Of course, this option does incur a higher cost and an increase in complexity.