VLAN as an additional layer of security

Every company has employees who process a large volume of correspondence from outside: HR staff, PR managers, salespeople, and so on. In addition to normal emails, they receive a lot of spam, phishing messages and malicious attachments. Moreover, the nature of their work requires them to open unverified attachments and follow links in emails from unknown senders. Information security professionals typically isolate such departments from critical nodes on the corporate network. But in companies with no dedicated security staff, these departments continue to pose a risk to other employees. Here is what to do about it.

LAN segmentation

One of the most effective ways to protect departments that work with critical information from the risk of infection is to split the corporate network into several autonomous subnets. Segmentation allows you to isolate individual computers or groups of computers from other devices.

Ideally, all potentially dangerous departments should be physically isolated. That means installing several routers and using them to divide the corporate network into several separate subnets. However, this approach has serious drawbacks: first, additional equipment means additional costs, and second, making changes to an already built network infrastructure is always a pain for system administrators.

A simpler alternative is to use virtual LANs (VLANs): without changing equipment, you organize several logical networks on top of one physical network. They are configured in software, which means that you do not even need to change the cabling.


Most often, VLAN technology is used to combine computers connected to different physical routers into a single subnet (for example, machines located in different offices). However, it also has many advantages from an information security point of view. It not only lets you protect devices in one subnet from unauthorized access from another, but also simplifies the management of security policies, because you can apply a policy to a whole subnet rather than to individual devices.
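The per-subnet policy idea above, as an added example that is not part of the original article. It models a default-deny inter-VLAN policy and audits it for any rule that lets a risk-zone segment reach a critical one; the VLAN IDs, names, address ranges, zone labels and rules are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Vlan:
    vid: int                       # 802.1Q VLAN ID
    name: str
    subnet: ipaddress.IPv4Network
    zone: str                      # "risk", "critical" or "general" (assumed labels)

# Constructed sample segments; IDs and address ranges are illustrative only.
VLANS = [
    Vlan(10, "hr-pr-sales", ipaddress.ip_network("10.0.10.0/24"), "risk"),
    Vlan(20, "finance", ipaddress.ip_network("10.0.20.0/24"), "critical"),
    Vlan(30, "office", ipaddress.ip_network("10.0.30.0/24"), "general"),
    Vlan(40, "mail-relay", ipaddress.ip_network("10.0.40.0/24"), "general"),
]

# Inter-VLAN policy: default deny, one rule per (source VLAN, destination VLAN, port).
ALLOWED = {(10, 40, 25), (30, 40, 25), (30, 20, 443)}

def vlan_of(ip):
    """Return the VLAN whose subnet contains ip, or None for unknown addresses."""
    addr = ipaddress.ip_address(ip)
    return next((v for v in VLANS if addr in v.subnet), None)

def is_allowed(src_ip, dst_ip, port, rules=ALLOWED):
    """Decide a flow at subnet level, not per device."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return False               # unknown segment: deny
    if src.vid == dst.vid:
        return True                # same VLAN: never crosses the policy point
    return (src.vid, dst.vid, port) in rules

def audit(rules=ALLOWED):
    """Return rules that would let a risk-zone VLAN reach a critical VLAN."""
    zone = {v.vid: v.zone for v in VLANS}
    return sorted(r for r in rules
                  if zone.get(r[0]) == "risk" and zone.get(r[1]) == "critical")

if __name__ == "__main__":
    print(is_allowed("10.0.10.5", "10.0.20.9", 443))   # risk -> critical
    print(audit(ALLOWED | {(10, 20, 445)}))            # a rule that breaks isolation
```

Traffic between two hosts in the same VLAN is allowed here because it never reaches the routing point where the policy is enforced, so segmentation alone does not protect machines inside the risk-zone segment from each other.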

To make full use of VLANs, you will need professional-grade network equipment. However, the technology is now also supported by some home routers, in particular Keenetic.

Not just segmentation…

Of course, the use of virtual local area networks is not a panacea. It only minimizes the chances of critical nodes being infected. It does nothing to protect the "risk zone" departments themselves. So, to be on the safe side, it is also worth doing the following:

  • Improve your employees' knowledge of information security and regularly remind them to be wary of suspicious emails.
  • Regularly update software on workstations, network equipment, and other devices so that attackers cannot penetrate your infrastructure through long-known vulnerabilities.
  • Use reliable protection solutions for workstations and servers that recognize and neutralize malicious programs and resources.