Republished with permission from WatchGuard Technologies, Inc.


Using Virtual LANs to Get More from Your Firewall

by Lisa Phifer, Vice President, Core Competence, Inc.

Most firewall appliances provide an external (public) interface, an internal (private) interface, and an optional (DMZ) interface. Binding firewall policies to these physical interfaces is a proven approach that meets the needs of many small-to-medium-sized businesses.

However, as your network grows, firewall rules become more complex. Workgroups within your company may require different applications or permissions. As unique requirements accumulate, implementing changes for one group without affecting others becomes a challenge. Eventually, solving this challenge requires a more modular approach.

Virtual LANs (VLANs) break apart large networks into smaller pieces that are easier to maintain. VLAN tags have long been implemented by Ethernet switches for more efficient LAN operation. Extending VLANs into your firewall takes this modularity to the next level. Instead of binding firewall policies to physical interfaces, VLANs can bind policies to virtual interfaces, maintaining independent rules for each logical workgroup.

This article explains VLAN technology, then shows how that technology is integrated into WatchGuard's Vclass Fireboxes.

VLAN Basics

In a traditional Ethernet LAN, stations connected to the same switch share a domain. In this domain, every station hears broadcast frames transmitted by every other station. As the number of stations grows, so does contention and broadcast traffic overhead. At some point, the Ethernet becomes saturated. To operate efficiently, the LAN must be decomposed into smaller pieces.

You can accomplish this by physical segregation -- connecting one set of stations to switch A, another to switch B, with uplinks to separate router or firewall ports. But throwing more hardware at the problem is expensive and doesn't scale.

VLANs provide logical isolation instead of physical segregation. A VLAN is a set of stations that are treated as one broadcast domain. Stations in VLAN #1 hear other stations in VLAN #1, but do not hear stations in other VLANs, including those connected to the same switch. This isolation is accomplished using VLAN Tagging.

A VLAN tag is a four-byte Ethernet frame extension that carries a priority (1-7) and an identifier (1-4096). VLAN-enabled stations can apply explicit tags. More often, implicit tags are added by VLAN-enabled switches, based on arrival port.

For example, a switch may be programmed to know that ports 5, 3, and 2 belong to VLAN #1; ports 7, 6, and 4 belong to VLAN #2. The switch pushes arriving broadcasts to all ports in the same VLAN, but never to members of other VLANs. A single switch configured to support two logically isolated VLANs is shown in Figure 1.

Distributed VLANs

Distributed VLANs can span several switches, grouping stations from different floors or buildings into a single broadcast domain. The IEEE 802.1Q protocol relays VLAN traffic over "trunks" between switches that support the same VLANs, as shown in Figure 2.

For example, when switch A receives a frame on port 7, it applies a tag for VLAN #1. The switch pushes that frame to local ports in VLAN #1 and across the trunk to switch B. Switch B interprets the tag and pushes the frame through its own local ports in VLAN #1. Frames for multiple VLANs are multiplexed across one 802.1Q trunk between these switches. However, frames cannot flow between different VLANs without leaving OSI layer 2 and passing through a layer 3 forwarding device -- a router, firewall, or layer 3 switch.
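The tagging and forwarding just described, as an added example that is not part of the original article: a minimal 802.1Q tag push/parse and a two-switch model in which access ports carry untagged frames, the trunk carries tagged frames, and a broadcast only reaches members of the same VLAN. Switch A's port map follows the Figure 1 description; switch B's layout, the trunk port number and the sample frame are assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag after the 12-byte destination/source MAC header."""
    if not (1 <= vid <= 4094 and 0 <= pcp <= 7):
        raise ValueError("bad VLAN id or priority")
    tci = (pcp << 13) | vid          # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (pcp, vid, untagged_frame), or None when the frame carries no tag."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, tci & 0x0FFF, frame[:12] + frame[16:]

class Switch:
    """Access ports map to one VLAN each; the trunk port exchanges tagged frames."""
    def __init__(self, name, access_ports, trunk_port):
        self.name, self.access, self.trunk, self.peer = name, access_ports, trunk_port, None

    def flood(self, in_port, frame, deliveries):
        if in_port == self.trunk:                  # tagged frame from the peer switch
            _, vid, frame = parse_tag(frame)       # pop the tag before the access ports
        else:
            vid = self.access[in_port]             # implicit tag from the arrival port
        for port, member in self.access.items():   # only members of the same VLAN hear it
            if member == vid and port != in_port:
                deliveries.append((self.name, port))
        if in_port != self.trunk and self.peer is not None:
            self.peer.flood(self.peer.trunk, push_tag(frame, vid), deliveries)

def broadcast_from(switch, port):
    """Return the sorted (switch, port) pairs that hear a broadcast sent on 'port'."""
    deliveries = []
    # Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, src 00:11:22:33:44:55, EtherType IPv4
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"payload"
    switch.flood(port, frame, deliveries)
    return sorted(deliveries)

# Switch A: ports 5, 3, 2 in VLAN 1 and 7, 6, 4 in VLAN 2 (Figure 1); port 1 is the trunk.
switch_a = Switch("A", {5: 1, 3: 1, 2: 1, 7: 2, 6: 2, 4: 2}, trunk_port=1)
switch_b = Switch("B", {2: 1, 3: 2, 4: 1}, trunk_port=1)   # assumed layout
switch_a.peer, switch_b.peer = switch_b, switch_a

if __name__ == "__main__":
    print(broadcast_from(switch_a, 5))   # VLAN 1 stations on both switches, nobody else
```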

Isolated VLANs break large LANs into smaller parts. In contrast, distributed VLANs make it possible to define broadcast domains that optimize traffic flow in larger networks. Frames between stations in the same VLAN can be switched very rapidly in hardware at layer 2, without hitting a router or firewall. Thus, network administrators often arrange VLAN membership by organizational units -- stations that frequently communicate with each other.

Non-routable protocols cannot spread beyond a broadcast domain. For example, when stations in a Windows LAN broadcast to advertise that shared files and printers are available, that broadcast can only reach other stations within the same domain. In contrast, VLANs can deliver these broadcasts to devices that need them, even if those devices are not on the same physical wire, while stopping the broadcasts from traveling to other devices where they are unwanted.

Thus, if all the marketing folks in your company need to see the same file shares, but those marketing folks are spread across different floors of a high-rise, tagging allows you to create a virtual LAN that acts as if all the marketing computers are local to one another. VLANs extend the performance and visibility characteristics of a physical LAN to any set of stations, independent of location. VLANs can also give one workgroup preferential treatment over another at the switch. Members can be added or dropped by reconfiguring switches instead of patching cables in a wiring closet. These are just a few of the benefits of using VLANs to segregate traffic at layer 2.

How VLANs Are Used in Firewall Appliances

VLANs are a good way to optimize Ethernet frame switching at layer 2. However, switches require a layer 3 forwarding device to route traffic between VLANs. That's where your firewall comes in.

802.1Q-enabled routers (and layer 3 switches that operate as routers) can forward traffic among different VLANs. Router access control lists (ACLs) can permit or deny packets between VLANs, but such packet filtering is not robust security. To assert stronger control over VLAN-tagged traffic as it enters or leaves a broadcast domain, use a firewall with 802.1Q support.

A VLAN-enabled firewall and switch communicate over an 802.1Q trunk. The switch forwards tagged packets to the firewall. The firewall classifies packets, taking into consideration the tags in combination with other fields like protocol, IP address, and port. It then takes the appropriate action, based on firewall policies. In this way, you can be certain that VLANs do not circumvent security policies implemented at the firewall.

You can leverage the VLAN tag to get more out of your firewall. Without VLANs, you may have created complex policies based on many IP subnets or individual hosts. With VLANs, you can define policies based on VLAN tag. Such policies may be easier to administer and faster to process.

Without VLANs, you may have been forced to give each organization its own dedicated private or optional firewall interface. With VLANs, you can use a single firewall interface to create private subnets for several independent organizations. The physical interface plus a VLAN tag identifies a virtual interface. Like a physical interface, a virtual interface has its own IP address and firewall policies. The virtual interface is connected to a VLAN that has its own subnet address. But other virtual interfaces are connected to other VLANs, even though they share the same physical interface. If you define policies correctly, changes for one VLAN need not impact policies already in place for other VLANs.

In an enterprise network, individual organizations can establish their own subnet addressing and security policies, supported by common physical infrastructure (cabling, switches, firewall). Building owners and managed service providers can offer secure network access to multiple tenants, keeping private traffic segregated in a more cost-effective and scalable manner. ASPs and co-location data centers can host server farms for many customers, protected by the same high-availability firewall.

WatchGuard Vclass VLANs

Today, most enterprise-class Ethernet switches support 802.1Q VLAN tagging. VLANs are also supported by products like server-class Fast Ethernet NICs and enterprise-class wireless LAN access points. VLAN support is less pervasive in firewalls and routers. Entry-level firewall appliances usually do not support VLAN tagging, but a growing number of enterprise-class firewalls do.

WatchGuard Firebox Vclass V100, V80, and V60 firewalls support 802.1Q VLANs. On the V60 and V80, each 802.1Q trunk operates over 10/100 Fast Ethernet. On the V100, 802.1Q runs over a 1000BaseSX Fiber Gigabit Ethernet trunk. Each firewall can support 802.1Q tagging, routing, and authentication for up to 200 VLANs (except the V60, which supports 10 VLANs).

Managing Your Vclass VLAN

Tapping the power of VLANs in your Vclass is easy if you already segregate your Ethernet traffic. If you don't, determine whether your Ethernet switches support 802.1Q, then segregate your LAN into logical workgroups appropriate for your business. Only after you have implemented VLANs at layer 2 can you implement VLAN-aware policies and VLAN trunking between your Vclass Firebox and your switch.

To implement VLAN-aware policies on your Vclass:

  1. Use the Vcontroller to create Address Groups for every VLAN, assigning each a unique subnet.

  2. Create a Tenant for every VLAN, assigning each a unique identifier. This will be the tag value carried by frames to or from the VLAN. For each Tenant, you will also assign a virtual IP to your firewall's internal (private) port, drawn from the subnet allocated in step 1.

  3. Create policies appropriate for each Tenant, specifying the Tenant's address group as Source or Destination. Each policy must identify both the physical interface and the VLAN tag (Tenant). It is a good idea to group policies for each Tenant together in your table. Keep order of precedence in mind for global policies that should apply to all Tenants.

  4. Use the System Configuration panel to enable Inter-VLAN forwarding. This tells your Vclass to start processing tags in packets arriving over the 802.1Q trunk.

Your Vclass will now classify arriving packets based on the tag and other fields identified in your policy (source, destination, service, schedule). It will take the action specified (pass, block, reject, authenticate, IPsec, dynamic NAT, server load balance, or mark Type of Service). Any action you could apply before you employed VLAN tagging is still available, but now you can apply actions with finer granularity. For example, instead of granting all hosts outbound access to the same TCP/UDP ports, you can give tenant AAA access to one service group and tenant ZZZ access to another service group (see Figure 3).
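The classification that the virtual-interface section and the steps above describe, as an added model rather than Vcontroller configuration or WatchGuard code: a Tenant ties a tag to an Address Group, a policy is bound to a physical interface plus a Tenant (or to every Tenant when global), the first matching policy wins so global rules placed first take precedence, and a frame whose tag and source subnet disagree is dropped. Tenant names follow the AAA/ZZZ example; tag values, subnets, interface names and services are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str      # physical firewall interface the frame arrived on
    vid: int        # 802.1Q tag carried by the frame
    src: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Tenant:                 # one Tenant per VLAN (step 2), tied to an Address Group (step 1)
    name: str
    vid: int
    subnet: str

@dataclass(frozen=True)
class Policy:                 # bound to a virtual interface: physical interface + tag (step 3)
    tenant: Optional[str]     # None marks a global policy that applies to every Tenant
    iface: str
    service: Tuple[str, int]  # (protocol, destination port); ("any", 0) matches everything
    action: str               # pass, block, or e.g. "ipsec:branch" for a VPN tunnel

def classify(pkt: Packet, tenants, policies) -> str:
    """First matching policy wins, so order the table with global rules first."""
    tenant = next((t for t in tenants if t.vid == pkt.vid
                   and ip_address(pkt.src) in ip_network(t.subnet)), None)
    if tenant is None:        # tag and source subnet disagree: not a member of that VLAN
        return "block"
    for p in policies:
        if p.iface != pkt.iface or p.tenant not in (None, tenant.name):
            continue
        if p.service[0] == "any" or p.service == (pkt.proto, pkt.dport):
            return p.action
    return "block"            # nothing matched: default deny

# Constructed sample configuration (tag values, subnets and services are assumptions)
TENANTS = [Tenant("AAA", 100, "10.1.0.0/24"), Tenant("ZZZ", 200, "10.2.0.0/24")]
POLICIES = [
    Policy(None, "private", ("tcp", 23), "block"),            # global: no telnet from any VLAN
    Policy("AAA", "private", ("tcp", 80), "pass"),            # AAA's outbound service group
    Policy("ZZZ", "private", ("tcp", 443), "pass"),           # ZZZ's outbound service group
    Policy("ZZZ", "private", ("tcp", 3389), "ipsec:branch"),  # ZZZ's RDP goes into a VPN tunnel
]

if __name__ == "__main__":
    print(classify(Packet("private", 100, "10.1.0.5", "tcp", 80), TENANTS, POLICIES))  # pass
```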

Packets sent by the firewall through the 802.1Q trunk are tagged so that the switch knows which VLANs should receive them. But packets that the firewall's policies direct to a VPN tunnel do not get tagged. VLAN tagging only has context and meaning within a local setting (even if "local" is an entire campus), and a VPN to a branch office would not normally be "local." The Branch Office (BO) firewall on the far end that terminates the VPN tunnel and decrypts the packets can apply whatever VLAN tagging is appropriate according to policy at that site, but it does not have to be VLAN-aware. Though VLAN tagging is not used across a VPN tunnel, the firewall at headquarters can use VLAN tagging to direct traffic to the proper VPN tunnel. VLAN tags can be used to direct Engineering traffic to one tunnel, and Marketing traffic to another tunnel (see Figure 4).

When combining VLANs with firewalls, keep in mind that some other device (usually a switch) is asserting VLAN membership by tagging frames. The firewall must trust that device to forward correctly and prevent tagged frame injection. It is therefore important to ensure the security of the switch -- for example, put the switch in a locked room, disable unused ports, use only secure remote administration, and apply all security patches available for your switch. Place the 802.1Q trunk in a different VLAN than user traffic and configure the firewall's MAC address into the switch's ARP table. Don't let an unsecured switch become a weak link in your firewall's armor.


VLAN tagging can make your network more scalable, and help you leverage your hardware investment. Larger enterprises and service providers can add VLAN-enabled firewalls to apply more granular security policies. By logically segregating tenants, customers, and organizational units into easily identified VLANs, firewall policies can be made simpler and easier to maintain.

Copyright© 2002, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.