Isolated VLANs: Use sparingly or common practice?

When does it make sense to use an isolated VLAN? IT pro Rick Vanover showcases some criteria that can be used to determine when to clip any links to other networks.

When it comes to designing a network, server administrators and network administrators may not always see eye to eye on what needs to be provided. I mentioned in a previous blog how security zones are key to designing effective networks, but what about fully isolated VLANs?

Security zones can be built by placing a network firewall in front of a routed network, or by using any of a number of host-based approaches. Two of the most common are IPsec rules or a host firewall (such as Windows Firewall) on the operating systems within the zone. Yet another approach to protecting a security zone is to make its VLAN fully isolated.

A fully isolated VLAN, in most situations, is a Layer 2 (L2) segment with no routed interface on it (no SVI or router port), so from the switching perspective there is no path at all to devices on other TCP/IP networks. A fully isolated network can also be built with dedicated interfaces and dedicated switches, but in many cases that is cost-prohibitive and the required ports are hard to come by. For a fully isolated L2 VLAN, I’ve found a number of configurations that make sense for this level of protection.

The primary use case is for systems with multiple interfaces, where a specific role can be dedicated to the interface sitting in the security zone associated with the fully isolated VLAN. Of course, a system connected to multiple security zones carries its own risks. It is essential that these systems provide no bridging or routing between the zones (a dual-homed host with IP forwarding left enabled, or a bridge joining the two interfaces, is the classic mistake), or the isolation becomes moot.

Practically speaking, if a specific role is configured to use only the dedicated interface, this practice covers most situations. One frequent use case for an isolated security zone is protecting data in motion during virtual machine migration. For VMware installations, this best practice post outlines how to protect virtual machine migration traffic, which is sent unencrypted. Other use cases are easy to find; the common thread is protecting traffic that cannot protect itself against man-in-the-middle style attacks. The open question is whether or not to route these L2 networks to other resources on the larger network environment.
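As an added example that is not part of the original post, here is a small POSIX shell audit for a dual-homed Linux host with one interface on the isolated VLAN. It checks the two things the paragraphs above call for: that the host is neither forwarding nor bridging between its interfaces, and that the isolated interface carries only its directly connected subnet route (no default or static route through it that would give the isolated zone a path out). The checks parse plain text (the output of `sysctl`, `ip -d -o link` and `ip route`), so they run here against constructed samples; the `--live` switch gathers the same text from the running host. The interface names, addresses, script name and sample output are made up for illustration, and the bridge check assumes the `bridge` / `bridge_slave` detail keywords that `ip -d` prints for bridge devices and their ports.

```shell
#!/bin/sh
# Added example (not from the original post): audit a dual-homed Linux host
# that has one interface on an isolated L2 VLAN. Three checks:
#   1. kernel IP forwarding is off (otherwise the host routes between zones)
#   2. no Linux bridge devices or bridge ports exist (otherwise it bridges them)
#   3. the isolated interface carries only its directly connected subnet route
# Each check takes captured command output as text so it can run offline.

# check_forwarding SYSCTL_TEXT  (text from: sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding)
check_forwarding() {
    bad=$(printf '%s\n' "$1" | awk -F'[ =]+' '
        /^net\.ipv4\.ip_forward/ && $2 != 0            { keys = keys (keys ? " " : "") $1 }
        /^net\.ipv6\.conf\.all\.forwarding/ && $2 != 0 { keys = keys (keys ? " " : "") $1 }
        END { print keys }')
    if [ -n "$bad" ]; then printf 'FORWARDING ENABLED: %s\n' "$bad"; return 1; fi
    echo ok
}

# check_bridges LINK_TEXT  (text from: ip -d -o link show; bridges print "bridge", ports "bridge_slave")
check_bridges() {
    bad=$(printf '%s\n' "$1" | awk '
        / bridge( |_slave)/ { sub(/:$/, "", $2); names = names (names ? " " : "") $2 }
        END { print names }')
    if [ -n "$bad" ]; then printf 'BRIDGING FOUND: %s\n' "$bad"; return 1; fi
    echo ok
}

# check_routes ROUTE_TEXT IFACE  (text from: ip route show)
# Any route via IFACE other than its connected "scope link" subnet is a path out of the zone.
check_routes() {
    bad=$(printf '%s\n' "$1" | awk -v ifc="$2" '
        { hit = 0
          for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == ifc) hit = 1
          if (hit && $0 !~ / scope link/) print "ROUTE OUT OF ZONE: " $0 }')
    if [ -n "$bad" ]; then printf '%s\n' "$bad"; return 1; fi
    echo ok
}

# audit_text SYSCTL_TEXT LINK_TEXT ROUTE_TEXT IFACE -> runs all checks, returns 1 on any finding
audit_text() {
    rc=0
    check_forwarding "$1" || rc=1
    check_bridges "$2" || rc=1
    check_routes "$3" "$4" || rc=1
    return "$rc"
}

# audit_live IFACE -> the same checks against the running host
audit_live() {
    audit_text "$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null)" \
               "$(ip -d -o link show 2>/dev/null)" \
               "$(ip route show 2>/dev/null)" "$1"
}

# Constructed sample output (not captured from a real host). eth1 is the interface
# on the isolated VLAN 10.20.30.0/24; eth0 faces the routed network.
SAMPLE_SYSCTL_OK='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'
SAMPLE_SYSCTL_BAD='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0'
SAMPLE_LINKS_OK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 0'
# The same host after someone joined eth0 and eth1 with a bridge br0:
SAMPLE_LINKS_BAD='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 1 \    bridge_slave state forwarding priority 32 cost 100
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff promiscuity 1 \    bridge_slave state forwarding priority 32 cost 100
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff promiscuity 0 \    bridge forward_delay 1500 hello_time 200 max_age 2000'
SAMPLE_ROUTES_OK='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.20.30.0/24 dev eth1 proto kernel scope link src 10.20.30.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
# The same host with a default route pushed onto the isolated interface:
SAMPLE_ROUTES_BAD='default via 10.20.30.1 dev eth1 proto static metric 50
10.20.30.0/24 dev eth1 proto kernel scope link src 10.20.30.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Usage: sh isolated-vlan-audit.sh --live eth1   (otherwise the constructed samples are audited)
if [ "${1:-}" = "--live" ]; then
    audit_live "${2:?name of the interface on the isolated VLAN}"
else
    echo "== clean host ==";    audit_text "$SAMPLE_SYSCTL_OK" "$SAMPLE_LINKS_OK" "$SAMPLE_ROUTES_OK" eth1
    echo "== misconfigured =="; audit_text "$SAMPLE_SYSCTL_BAD" "$SAMPLE_LINKS_BAD" "$SAMPLE_ROUTES_BAD" eth1 \
        || echo "(findings above are expected for the misconfigured sample)"
fi
```

Run it with `--live eth1` (or whatever the isolated-VLAN interface is called) from cron or a configuration-management check; a non-zero exit means the host has quietly become a path between the two zones. Note that a host firewall rule set can also forward between zones only if forwarding is on, which is why the sysctl check comes first.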

How frequently do you use fully isolated L2 VLANs? Are they too far of a step to go to protect certain tiers of traffic? Share your comments below.