If there is one constant in the IT industry, it is innovation. Every year, advancements in technology - whether hardware, software, or both - have translated into myriad opportunities for channel partners. Given the pace of progress, partners may overlook new reasons for implementing old technologies. However, a virtual local area network, or VLAN, is one tried-and-true technology that can deliver new benefits beyond its original intent - and in the process provide channel partners with new sources of revenue.
VLANs have been around for years and were originally designed to improve network performance by segmenting and prioritizing traffic. VLANs involve partitioning a single layer-2 network via switches into separate isolated segments; packets flow from one segment to another through routers. The original premise: “Using VLANs to segment networks into smaller domains could eliminate many traffic issues,” says Tom Olzak, a security researcher for the InfoSec Institute, a training company, and instructor at the University of Phoenix who is based in Las Vegas.
That purpose worked well for a time, but as the volume and variety of traffic on computer networks has increased, VLANs alone often no longer improve performance as readily. “The problem today is with the switches that we have,” contends Olzak. “If a network segment is having a problem with traffic, the switch is probably having the same problem, so using a VLAN to get better network performance is not such a big driver now.”
That's not to say that VLANs can't still be used to improve performance. For companies that use VoIP, VLANs can be instrumental in ensuring overall network performance. “The VLAN can be used to segment voice traffic exclusively, which is a best practice,” says David Olzak (son of Tom Olzak), director for Presidio, a provider of managed IT services based in Greenbelt, Md. As David Olzak explains it, voice is a critical application, “and as soon as you put it on a network it becomes just like any other critical application companies use to run their business.”
Unlike a data application such as an ERP system, for example, voice requires real-time communications and therefore can't be retransmitted. A number of different scenarios can put stress on network performance such as “bursting” traffic, cloning requiring real-time PCs, updates pushed out to desktops, a denial-of-service issue, or a malfunctioning application. In these situations, all traffic is going to infringe on voice traffic and vice versa if it is on the same network.
However, David Olzak cautions that VLANs themselves can only go so far. To improve network performance, “segmenting traffic is the number one thing to do with a VLAN,” he says, “but if you're not doing some sort of quality of service [QoS] on both the LAN and the WAN, then you may not experience better quality of performance.”
Traditionally, QoS is administered by the switching or routing environment, and is built right into switches that support VoIP phones. “If you have a switching environment that is not QoS capable, then investing in VoIP probably isn't the best fit,” David Olzak says. “Using VLAN and segmentation along with a switch or router that has QoS capabilities is where you get the improvements.”
There are other benefits of VLANs. One area where they are particularly useful is in a BYOD environment. As users connect to a corporate network with their own devices, administrators need more control over where those devices are allowed to go. “Traditionally, with role-based or mandatory access control, companies don't have the kind of control over data that is needed with BYOD,” Tom Olzak explains. “What we need to do today is move the perimeter from where it has traditionally been - at the data center or around network segments - to the data itself.”
James Gudeli agrees that VLANs are a natural fit for BYOD. Gudeli, vice president of business development at San Jose, Calif.-based Kerio Technologies Inc., a provider of IT infrastructure solutions, notes that VLANs are all about the device that is connecting and how it is identified by a server. “If I access a network with my iPhone,” he says, “the VLAN address determines my identity and I can have segregated access to whatever I need on the network, while being restricted from going to places where I shouldn't go.”
To allow BYOD in a way that is safe yet convenient, it's necessary to decipher who is accessing specific data, what particular device that individual is using, and the role that a certain user has within the organization. Such a policy-based approach to data access is facilitated by VLANs that can segregate finance department data, for example, from HR department data. “By segmenting the network, it's possible to control where both a device goes and where traffic goes,” Tom Olzak adds.
Segmenting the network with VLANs can also enhance overall security “through the ability to group servers and workstations together based on data classification,” Tom Olzak says. One approach for achieving this is to put all the financial department servers and employees on one VLAN; establishing access control list rules would prevent anyone else from accessing that VLAN. (An access control list can be put on layer 2 to control what goes into a VLAN on that level, or on layer 3 to control what gets routed from one VLAN to another.)
Another approach: Put the finance department along with relevant application servers on the same VLAN and then put database servers on a separate VLAN. This latter approach, says Tom Olzak, is a best practice for security because “access control lists prevent users from reaching databases and instead force access through the application servers.”
For additional security, Tom Olzak recommends creating a security zone. “Even if a packet makes it through an access control list to a restricted database server on a VLAN, set things up so it still passes through a unified threat management device where it can be scanned by an intrusion prevention system and deep packet inspection,” he says. Add to that the ability to monitor network traffic going in and out of VLANs to identify unusual data patterns that may indicate an attack. “If an attacker gets on the network, access control lists limit where that person can go, and setting up security zones helps strengthen overall security,” he adds.
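The three-tier layout described in the preceding paragraphs (a finance user VLAN, an application-server VLAN and a separate database VLAN, with access control lists at the routed boundary forcing database access through the application servers) can be modelled and audited with a few lines of Python. The following is an added example written for this page; it is not code from the article or from any of the companies quoted. All VLAN IDs, subnets, host addresses, ports and the sample flows are constructed for illustration, and the ACL is evaluated the way most routed VLAN boundaries do it: first match wins, with an implicit deny at the end. It also includes a simple count of flows the ACL would drop per source host, which is one way to surface the "unusual data patterns" the text recommends watching for.

```python
"""Inter-VLAN ACL simulation and policy audit (added example, not from the article)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed VLAN plan for the example (private addressing chosen arbitrarily).
VLANS: Dict[str, IPv4Network] = {
    "finance-users": ip_network("10.10.0.0/24"),  # VLAN 10
    "app-servers":   ip_network("10.20.0.0/24"),  # VLAN 20
    "db-servers":    ip_network("10.30.0.0/24"),  # VLAN 30
}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny, as on a routed VLAN boundary."""
    for r in acl:
        if (flow.src in r.src and flow.dst in r.dst
                and r.proto in ("any", flow.proto)
                and r.dport in (None, flow.dport)):
            return r.action
    return "deny"  # nothing matched: the implicit deny at the end of the list


# Hardened policy from the text: users reach the app tier (HTTPS only) and only the
# app tier reaches the database port; users -> database has no permit and is dropped.
HARDENED_ACL = [
    Rule("permit", VLANS["finance-users"], VLANS["app-servers"], "tcp", 443),
    Rule("permit", VLANS["app-servers"], VLANS["db-servers"], "tcp", 5432),
]

# Weak policy: a single "permit any any" between VLANs, which behaves like a flat network.
FLAT_ACL = [Rule("permit", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "any", None)]


def audit(acl: List[Rule]) -> Dict[str, str]:
    """Decisions for representative cross-VLAN flows (constructed hosts)."""
    probes = {
        "user->app https": Flow(ip_address("10.10.0.25"), ip_address("10.20.0.5"), "tcp", 443),
        "user->db sql":    Flow(ip_address("10.10.0.25"), ip_address("10.30.0.7"), "tcp", 5432),
        "app->db sql":     Flow(ip_address("10.20.0.5"), ip_address("10.30.0.7"), "tcp", 5432),
        "db->user ssh":    Flow(ip_address("10.30.0.7"), ip_address("10.10.0.25"), "tcp", 22),
    }
    return {label: evaluate(acl, f) for label, f in probes.items()}


def db_reachable_only_via_app_tier(acl: List[Rule]) -> bool:
    """Static check of the design rule in the text: no permit rule may let a source
    outside the app-server VLAN reach the database VLAN. Conservative: it ignores
    shadowing by earlier deny rules, so it can only fail safe."""
    db, app = VLANS["db-servers"], VLANS["app-servers"]
    for r in acl:
        if r.action == "permit" and r.dst.overlaps(db) and not r.src.subnet_of(app):
            return False
    return True


def denied_attempts_by_source(acl: List[Rule], flows: List[Flow], threshold: int = 3) -> Dict[str, int]:
    """Count flows the ACL would drop, per source host. A source at or above the
    threshold is reaching for hosts it has no business with and deserves a look."""
    counts: Dict[IPv4Address, int] = {}
    for f in flows:
        if evaluate(acl, f) == "deny":
            counts[f.src] = counts.get(f.src, 0) + 1
    return {str(s): n for s, n in counts.items() if n >= threshold}


# Constructed sample of boundary traffic: one user host repeatedly tries the DB port
# on several database servers, alongside ordinary permitted flows.
SAMPLE_FLOWS = [
    Flow(ip_address("10.10.0.25"), ip_address("10.20.0.5"), "tcp", 443),
    Flow(ip_address("10.10.0.25"), ip_address("10.30.0.1"), "tcp", 5432),
    Flow(ip_address("10.10.0.25"), ip_address("10.30.0.2"), "tcp", 5432),
    Flow(ip_address("10.10.0.25"), ip_address("10.30.0.3"), "tcp", 5432),
    Flow(ip_address("10.20.0.5"), ip_address("10.30.0.7"), "tcp", 5432),
]

if __name__ == "__main__":
    print("hardened:", audit(HARDENED_ACL))
    print("flat:", audit(FLAT_ACL))
    print("DB only via app tier (hardened):", db_reachable_only_via_app_tier(HARDENED_ACL))
    print("DB only via app tier (flat):", db_reachable_only_via_app_tier(FLAT_ACL))
    print("sources to review:", denied_attempts_by_source(HARDENED_ACL, SAMPLE_FLOWS))
```

The static check is deliberately rule-based rather than probe-based: probing a handful of hosts can miss a permit rule that covers an address you did not think to test, whereas inspecting every permit rule whose destination overlaps the database VLAN catches the hole regardless of which host would have exploited it.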
As Gudeli sees it, VLANs are now deployed at much smaller businesses, which can be advantageous to channel partners. “A lot of VARs and MSPs are going to want to adopt VLANs because they make it a lot easier to manage networks remotely,” he says. It's possible to set up a very basic physical infrastructure, then use VLANs to make it more robust. “It's easier to manage remotely with VLANs because you don't have to physically visit a site to plug devices in here and there; the VLAN does that grouping for you.”