What are the security implications when using subnets as opposed to VLANs for segmenting an enterprise network? We have strict security requirements surrounding the data we handle and need to ensure that machines allowed to access these data are locked down and isolated from the rest of the network.
I understand that conceptually, VLANs allow for OSI level 2 isolation whereas subnets allow for level 3 isolation by firewalling traffic based on port and source and destination IP. However, I'm unsure of what the practical implications of this are from a security standpoint. I have a few specific follow-up questions:
- Are there attacks (like ARP poisoning or MAC flooding) that can cause traffic to be diverted to or read by a malicious entity within a different subnet (even if the firewall would block that traffic normally) that wouldn't affect a system segmented by VLANs?
- Would traffic typical of data analysis tasks, such as between a machine and a cloud database, be readable by a malicious entity within an unauthorized subnet due to the entire network being in the same broadcast domain?
- Are there any complications or security callouts with using a VPN to access a cloud environment in either setup?
Best Answer
Subnets are the IP stack's way of determining what hosts are "assumed to be on link". If an address is in the same subnet, traffic will be sent directly; otherwise it will be sent to a router (by default).
VLANs are a method for splitting a physical Ethernet network into multiple virtual Ethernet networks.
If you put hosts with different subnets on the same unpartitioned Ethernet network then IPv4 unicast traffic (and possibly IPv6 global unicast traffic depending on how you set up IPv6 routing on the clients) will by default flow via the router where it can be firewalled. However.
If you want your L3 firewall to provide more than the illusion of segregation then you need to split up the L2 network, either physically or virtually.
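The following is an added illustration of the answer's point, not code from the original post or its author. It models the two decisions the answer describes: the L3 next-hop choice (on-link vs. gateway) and the L2 frame delivery driven by the ARP cache. It then shows what happens when an attacker in a *different subnet* shares the analyst's broadcast domain and sends a gratuitous ARP claiming the analyst's gateway address: the frames for the "cloud database" go to the attacker's MAC and the firewall behind the router never sees them. With the two hosts on separate VLANs the ARP never reaches the analyst. All hostnames, addresses and MACs are constructed for the example, and the stack is assumed to accept unsolicited ARP replies (a modelling assumption stated in the code).

```python
"""Added model: L3 next-hop selection vs. L2 delivery on a shared segment.
Constructed example; not part of the original post."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Constructed identifiers for the example (not real hosts).
MAC_ROUTER = "02:00:00:00:00:01"
MAC_ANALYST = "02:00:00:00:00:20"
MAC_ATTACKER = "02:00:00:00:00:66"
CLOUD_DB = "203.0.113.10"  # off-link destination, should be reached via the router


@dataclass
class Host:
    name: str
    mac: str
    iface: ipaddress.IPv4Interface     # address with prefix, e.g. 10.0.1.20/24
    gateway: ipaddress.IPv4Address
    vlan: int                          # VLAN of the host's access port
    arp_cache: dict = field(default_factory=dict)  # IPv4Address -> MAC

    def next_hop(self, dst: str) -> ipaddress.IPv4Address:
        """L3 decision: deliver directly if dst is inside our subnet, else via the gateway."""
        dst_ip = ipaddress.IPv4Address(dst)
        return dst_ip if dst_ip in self.iface.network else self.gateway

    def frame_dst_mac(self, dst: str) -> Optional[str]:
        """L2 decision: whatever MAC the ARP cache currently holds for the next hop."""
        return self.arp_cache.get(self.next_hop(dst))

    def learn_arp(self, ip: ipaddress.IPv4Address, mac: str) -> None:
        # Modelling assumption: the stack accepts an unsolicited ARP reply and
        # overwrites any existing entry for that IP.
        self.arp_cache[ip] = mac


class Switch:
    """ARP is broadcast; a flooded frame reaches only ports in the sender's VLAN."""

    def __init__(self, hosts):
        self.hosts = list(hosts)

    def gratuitous_arp(self, sender: Host, claimed_ip: str) -> None:
        ip = ipaddress.IPv4Address(claimed_ip)
        for h in self.hosts:
            if h is not sender and h.vlan == sender.vlan:
                h.learn_arp(ip, sender.mac)


def build(analyst_vlan: int, attacker_vlan: int):
    """Analyst in 10.0.1.0/24, attacker in 10.0.2.0/24: different subnets either way."""
    analyst = Host("analyst", MAC_ANALYST,
                   ipaddress.IPv4Interface("10.0.1.20/24"),
                   ipaddress.IPv4Address("10.0.1.1"), analyst_vlan)
    attacker = Host("attacker", MAC_ATTACKER,
                    ipaddress.IPv4Interface("10.0.2.66/24"),
                    ipaddress.IPv4Address("10.0.2.1"), attacker_vlan)
    # Legitimate starting state: the analyst has already resolved its gateway.
    analyst.learn_arp(analyst.gateway, MAC_ROUTER)
    return analyst, attacker, Switch([analyst, attacker])


def frame_dst_mac_after_spoof(analyst_vlan: int, attacker_vlan: int) -> Optional[str]:
    """Which MAC receives the analyst's frames to the cloud DB after the attacker
    claims the analyst's gateway address 10.0.1.1 with a gratuitous ARP."""
    analyst, attacker, sw = build(analyst_vlan, attacker_vlan)
    sw.gratuitous_arp(attacker, "10.0.1.1")
    return analyst.frame_dst_mac(CLOUD_DB)


if __name__ == "__main__":
    flat = frame_dst_mac_after_spoof(analyst_vlan=1, attacker_vlan=1)
    split = frame_dst_mac_after_spoof(analyst_vlan=10, attacker_vlan=20)
    for label, mac in (("subnets only, one broadcast domain", flat),
                       ("separate VLANs", split)):
        where = "attacker (firewall bypassed)" if mac == MAC_ATTACKER else "router"
        print(f"{label}: frames to {CLOUD_DB} go to the {where}")
```

The L3 logic is identical in both runs; only the broadcast domain differs. In the flat case the attacker never needs an address in the analyst's subnet, which is exactly why a firewall sitting on the router cannot be relied on to enforce the boundary on its own.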