The VLAN (Virtual Local Area Network) is an important tool in the IT toolbox. By emulating the properties of a Local Area Network, you can segment users into any number of virtual networks and apply policies to swaths of users simultaneously.
Using VLANs to organize users into groups with varying levels of permissions is a vital part of maintaining network security. Restricting access to only the people who absolutely require it is a fundamental tenet of all security, not just cybersecurity. Even today, extremely sensitive data is stored on servers protected by a physical LAN that is air-gapped from other networks. A VLAN accomplishes a similar goal, albeit with compromises to security in the name of convenience.
VLAN steering is a term that describes the various processes by which users are sorted into the VLAN most appropriate for their permissions. It’s a function usually performed by a RADIUS server, but not every RADIUS server on the market has VLAN steering capabilities.
Why Use VLAN Steering?
The default state of an IT network is sometimes described as “flat”. Everyone who accesses the network can access any resource (files, applications, services, etc.) stored on the network. Sensitive resources on a flat network have to be protected at the resource-level by additional logins or a similar solution.
That’s obviously not great from a security perspective. VLAN arose as the natural solution for a few reasons.
- People shouldn’t have access to resources that they aren’t authorized to access
- It’s simpler to set permission levels for a handful of groups than it is to set permission levels for each person individually
- Compartmentalizing sensitive resources into separate servers makes them easier to protect
Networks with multiple VLANs can be described as “tiered” instead of “flat”. That doesn’t imply, however, that there is necessarily a hierarchy of servers where higher tiers encompass all of the resources of lower tiers. Developers might have access to sensitive customer data, but they don’t need to be able to access the company’s payroll system. Likewise, the CFO might technically have the authority to look at the source code for the company’s SaaS product, but since there is rarely a need, they shouldn’t be issued the credentials to do so.
How Does VLAN Steering Work?
There are several ways to handle it, but in a typical WPA2-Enterprise network, it goes something like this:
- The user requests authentication to the network.
- The RADIUS server checks the associated directory to confirm the user’s credentials and ensure they are authorized to access the network at all.
- Along with the credentials, user attributes such as a VLAN assignment or other group policies are sometimes stored in the user’s directory entry.
- If the user is authorized, the RADIUS server authenticates the user and tells the access point to grant access.
- If there are additional instructions, such as a VLAN assignment, the RADIUS server communicates them to the access point at this time.
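The decision the RADIUS server makes in the steps above, modelled as an added example (this is illustrative code written for this article, not SecureW2’s product code). It assumes a small constructed directory in place of a real LDAP or cloud directory, reduces the credential check to a salted password hash comparison (a real WPA2-Enterprise exchange carries an EAP method inside RADIUS, which is omitted here), and uses the standard attribute numbers a RADIUS server puts in an Access-Accept to assign a VLAN: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) carrying the VLAN id, as defined in RFC 2868 and RFC 3580. The `QUARANTINE_VLAN` value and all usernames and passwords are made up for the example.

```python
import hashlib
import hmac
import struct

# RFC 2868 attribute numbers and RFC 3580 values used for VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# A user whose directory entry carries no VLAN attribute is steered to a
# restricted quarantine VLAN instead of landing on the switch's native VLAN.
# Constructed value for this example.
QUARANTINE_VLAN = 999

_SALT = b"constructed-demo-salt"  # constructed; a real store uses a per-user salt


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed directory standing in for the LDAP/cloud directory the RADIUS
# server consults. "vlan" is the per-user attribute that drives steering.
DIRECTORY = {
    "alice": {"pw": _hash_password("alice-pass", _SALT), "vlan": 20},  # engineering
    "bob":   {"pw": _hash_password("bob-pass", _SALT),   "vlan": 30},  # finance
    "carol": {"pw": _hash_password("carol-pass", _SALT)},              # no VLAN attribute
}


def verify_credentials(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    entry = DIRECTORY.get(username)
    if entry is None:
        _hash_password(password, _SALT)  # keep timing similar for unknown users
        return False
    return hmac.compare_digest(entry["pw"], _hash_password(password, _SALT))


def vlan_for_user(username: str) -> int:
    """VLAN from the directory entry, validated to the 802.1Q range 1-4094."""
    vlan = DIRECTORY[username].get("vlan", QUARANTINE_VLAN)
    if not 1 <= vlan <= 4094:
        raise ValueError(f"directory holds an invalid VLAN id for {username}: {vlan}")
    return vlan


def vlan_attributes(vlan: int) -> dict:
    """Attribute set the RADIUS server places in the Access-Accept (RFC 3580)."""
    return {
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
        TUNNEL_PRIVATE_GROUP_ID: str(vlan),
    }


def encode_avps(attrs: dict) -> bytes:
    """Serialize the tunnel attributes as RADIUS AVPs: type, length, tag, value."""
    out = b""
    for attr_type, value in attrs.items():
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            payload = b"\x00" + value.encode()   # tag byte 0, then the string
        else:
            payload = struct.pack("!I", value)   # tag 0 in the top byte, 3-byte integer
        out += struct.pack("!BB", attr_type, 2 + len(payload)) + payload
    return out


def handle_access_request(username: str, password: str) -> tuple:
    """Return (reply_code, attributes) as the RADIUS server would decide them."""
    if not verify_credentials(username, password):
        return ("Access-Reject", {})
    return ("Access-Accept", vlan_attributes(vlan_for_user(username)))


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pass"), ("bob", "wrong"), ("carol", "carol-pass")]:
        code, attrs = handle_access_request(user, pw)
        print(user, code, attrs, encode_avps(attrs).hex())
```

Two design points are worth noting. The switch or access point only applies the VLAN if all three attributes are present and well-formed, so the server validates the id before it ever reaches the wire rather than trusting whatever the directory holds; and a user with no VLAN attribute is deliberately placed on a restricted VLAN, because silently falling back to the native VLAN turns a missing directory field into a flat-network exposure.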
As you can see, the act of VLAN steering itself is not overly complicated or particularly interesting. The real challenge lies in onboarding users and assigning them to the appropriate VLAN, ideally in an automated fashion.
VLAN Onboarding and VLAN Steering Solutions
VLAN steering only works if you can accurately assign VLANs to each of your users. That’s easy to do manually with a handful of users, but enterprises with thousands of users need an automated solution.
Onboarding is our specialty here at SecureW2. That’s why we have the #1 rated onboarding app in every app store. Our device onboarding solution allows you to push configuration packages to managed and BYOD devices to start a guided self-enrollment process that allows the end-user to use their existing credentials to enroll themselves and their device. From there, it’s easy to assign VLAN attributes.
Now is a particularly good time to choose SecureW2 for VLAN steering because we have just released the next step in RADIUS technology – dynamic policy enforcement in real time. Our Cloud RADIUS server can make runtime-level policy decisions based on attributes stored on digital certificates or in the user directory (even cloud directories like Okta, Azure, and Google). This technology actually enables VLAN steering earlier in the authentication process, potentially preventing more advanced methods of unwanted entry to the network.
Want to learn more about our Dynamic RADIUS and how to protect your network with VLAN steering? Talk to one of our experts today.