
Feature Focus - Segmenting your network using VLANs

Internal Network Security Made Easy


According to the 2004 CSI/FBI Computer Crime and Security Survey, 66% of organizations suffered an insider attack in 2003. Most companies are still vulnerable to worm outbreaks, internal hacking, and misuse of business applications. Fast-spreading worms are particularly problematic, severely impacting productivity and creating financial loss related to exhaustive recovery and clean-up.

To reduce the risk of internal attacks propagating across your network, it is often a good idea to segment your network into several sub-networks.

By providing full VLAN support, Embedded NG 5.0 allows you to partition your network into several virtual LAN networks (VLANs). A VLAN is a logical network behind the Embedded NG gateway. Computers in the same VLAN behave as if they were on the same physical network: traffic flows freely between them, without passing through a firewall.

In contrast, traffic between a VLAN and other networks passes through the firewall and is subject to the security policy. By default, traffic from a VLAN to any other internal network (including other VLANs) is blocked. In this way, defining VLANs can increase security and reduce network congestion. For example, you can assign each division within your organization to a different VLAN, regardless of their physical location. The members of a division will be able to communicate with each other and share resources, and only members who need to communicate with other divisions will be allowed to do so. Furthermore, you can easily transfer a member of one division to another division without rewiring your network, by simply reassigning them to the desired VLAN.

Embedded NG 5.0 supports two VLAN strategies: port-based and tag-based VLANs.

What is Port-based VLAN?

Port-based VLAN allows assigning the appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN.

The advantage of port-based VLAN is simplicity: no external hardware is required other than the Embedded NG gateway. On the downside, only four port-based VLANs can be used, one for each of the four LAN ports of the Embedded NG gateway. For more complex network segmentation, enter the world of tag-based VLANs.

What is Tag-based VLAN?

Tag-based VLANs allow a group of devices on different physical LAN segments to communicate with each other as if they were all on the same physical LAN segment.

In a tag-based VLAN deployment you assign the DMZ/WAN2 port of the gateway to act as a VLAN trunk, connecting the appliance to an external VLAN-aware switch that supports the 802.1Q standard. Each VLAN behind the trunk is assigned an identifying number called a "VLAN ID", also referred to as a "VLAN tag". All outgoing traffic from a tag-based VLAN carries the VLAN's tag in the frame header. Incoming traffic to the VLAN must carry the VLAN's tag as well, or the frames are dropped. Tagging ensures that traffic is directed to the correct VLAN.

Embedded NG 5.0 allows up to ten tag-based VLANs to be deployed, in addition to up to four port-based VLANs.
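To make the tagging rule described above concrete, here is an added Python example (not code from SofaWare or the Embedded NG product): it builds constructed 802.1Q frames, extracts the 12-bit VLAN ID from the tag, and applies the trunk's ingress rule so that untagged frames and frames tagged for a VLAN that is not defined behind the trunk are dropped. The VLAN IDs 10 and 20, the MAC addresses and the payload bytes are made-up sample values.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vid=None, priority=0):
    """Constructed sample frame; inserts an 802.1Q tag after the MACs when vid is given."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (priority << 13) | (vid & 0x0FFF)      # TCI = PCP(3) | DEI(1) | VID(12)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vid, priority, ethertype, payload); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner_type, frame[18:]


def trunk_ingress(frame, configured_vids):
    """Trunk rule from the text: forward only frames whose tag names a defined VLAN.
    Untagged frames and frames with an unknown tag are dropped. Returns (forwarded, vid, reason)."""
    vid, _prio, _etype, _payload = parse_frame(frame)
    if vid is None:
        return False, None, "untagged frame on trunk"
    if vid in (0, 0xFFF):                      # reserved by 802.1Q, never a real VLAN
        return False, vid, "reserved VLAN ID"
    if vid not in configured_vids:
        return False, vid, "no VLAN defined for tag"
    return True, vid, "forwarded to VLAN %d" % vid


# Constructed sample data (not captured traffic)
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45\x00" + b"\x00" * 18
CONFIGURED_VIDS = {10, 20}                     # the VLANs defined behind the trunk
SAMPLES = {
    "sales_vid10": build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=10),
    "unknown_vid30": build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=30, priority=3),
    "untagged": build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD),
}


def run_samples():
    return {name: trunk_ingress(f, CONFIGURED_VIDS) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fwd, vid, reason) in run_samples().items():
        print(f"{name:14} vid={vid} forwarded={fwd} ({reason})")
```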


Supported Platforms

VLAN is supported by the following appliances: VPN-1 Edge X series and Safe@Office 225, 225U, 425W, and 425UW.

Firmware 5.0 or later is required.

To obtain the latest firmware please connect your appliance to a service center. You must have a valid support plan to get software updates. Additional information on how to purchase a support plan can be found here.
