Tom here from Lawrence Systems, and should you be putting your UniFi network devices on a management VLAN separate from VLAN 1? There will undoubtedly be plenty of discussion in the comments below about people saying this is an imperative and it must be done, according to the, well, overlords at Cisco who said this is the way to do it, who came up with some of these practices. And they are some good practices; we'll get into the details of it shortly. But they say this because back in the earlier days, when you had a management VLAN, there were things going around in Telnet and plain text and easily sniffable. That's less the case now. Matter of fact, Ubiquiti was designed much after Telnet and with a much different architecture, meaning they had the foresight to understand that these were going to be controlled with the controller system, often hosted remotely, externally from the location of the device, as in transported across the internet. That means that the negotiation and the management traffic that goes back and forth is completely encrypted, and therefore if it's going over the internet, it can also go on VLAN 1. But there's still some good reasons you may want to change it or may want to leave it the same. We're gonna talk about the pros and cons of some of the security implementations of where you put it and what the threat surface looks like based on that, and basically show you how to do it, because it's relatively easy to do provided you have things set up properly.

Before we dive into the details of this video, let's first: are you an individual or company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there's affiliate links down below to get you deals and discounts on products and services we talk about on this channel. And now back to our content.

Now the first thing I want to do is talk about how this network is set up for the demo here. We have a remotely hosted UniFi controller; it's hosted in the cloud. And if you do that, no problem, this will still work; if it's hosted locally, this will still work. The prerequisite is simply that whatever network it's on, or whatever network you want to be the management VLAN, both of those networks need to have access to the controller. The inform URL has to work on either one of those, the native network or the management VLAN. Our two networks are 172.16.16.0/24 and 192.168.1.0/24. Both of these have access to this remotely hosted UniFi instance, and we are just using the port setting of "All" when we're feeding the UniFi access point. The reason for that is because we need the UniFi access point to provide an SSID with this network and an SSID in this network over here, the tagged 10 network. Now one of the things that is kind of confusing for some people is: doesn't the device, the access point here we're going to be demoing with, need to be in this 192.168 network to provide an SSID for that network? And actually the answer to that is no. It does not need to have an IP address in that network, and the same goes for this: it is currently in the 172.16.16 network, but also doesn't need to have an IP address in order to provide the VLAN native network. So the SSID will work either way. We're only changing the part where this IP address gets assigned to the device for the controller.

So let's go over to our UniFi controller and show you how you switch that, which is really easy. Here's our U6-LR, currently at that address, 172.16.16.62. Settings, scroll down here, go to Services, change it from "LTS Tom" to "nsw.net", which happens to be that VLAN. We're going to click Apply Changes. It's going to reprovision that, and then it's provisioning already. Well, wait a second, it'll get a new IP address. All right, it has been reprovisioned, and something I want to point out is that the uptime is still 27 days. It doesn't actually reboot it, but there is a temporary connectivity loss while you reprovision it and connect it to the new management VLAN that you set. That's all you have to do to move it to a management VLAN.

Now let's come back over to our diagram and talk a little bit of theory and the threats we're trying to mitigate against. And the first threat is, well, we'll use this little bad actor. And what if the bad actor was able to hijack the stream, hijack the DNS and point us somewhere else? Well, as of right now, in August of 2022, that's not an issue, because there are no known vulnerabilities between the UniFi controller and the encrypted traffic that goes between each of the devices. A threat actor could disrupt it. They could denial of service, they could hijack the DNS and point it somewhere else. That would cause us to lose visibility.
That would cause the devices to not be managed anymore temporarily while that was going on, but not being managed and not talking to the controller doesn't stop them from working. They will keep continuing to work in the last known state. So you would not be able to switch any ports, you wouldn't be able to change the SSID, but they will just keep working as they do. This is why when there's controller updates, restarting the controller or updating the software on a controller, it doesn't cause any disruption to the devices that are working. Now if the controller is internal, the threat actor then has to move inside the network to do that same level of disruption. But once again, it doesn't allow them anything in terms of being able to modify the devices in a nefarious way.

Next problem, and this is where the bigger issue is, and it's that too many people put everything on VLAN 1, native. There's a reason I refer to my VLAN 10 as "nsfw": it's where the laptops and the computers that play games are. That is where the potentials for problems are, and you don't want those on the native VLAN. Because if you put those devices on the native VLAN and then created a special VLAN for, like, the UniFi, well, anyone who has access to VLAN 1 and that port that was set to "All", as in carrying the other VLAN traffic, there is the potential for someone then to inject packets or do something within that VLAN, because of the "All" setting that is on these. So for example, if the threat actor gets between the pfSense and the UniFi switch that we have, well, that would allow them to see all the traffic that's going through and encapsulated, because you remember VLANs are shared. Because they are sharing VLAN 1 and every subsequent VLAN underneath them, they encapsulate physically on that wire all of the traffic that's on there. So if you're trying to hide it from a visibility standpoint, yeah, that would still be there. Now visibility is not really an issue, because of the encryption; there's not any way to unravel the encryption that is known right now. But it's still one of those things to think about.

So in summary, it's not a bad idea to put things on a management VLAN, but it's not really all that necessary. It's not where your biggest security risks are. The bigger security risk is someone having access to VLAN 1 and potentially all the encapsulated VLANs within that VLAN. So the native one is perfectly fine to leave it on there. The devices themselves, the UniFi switches, the UniFi access points: if someone were to get on that network, what are the things they could directly attack on the device? Well, you don't have to turn on SSH; that's an option, it's off by default. You don't have to turn on SNMP monitoring; that's off by default, but it's a feature you can turn on, and they would have things to poke at. So if there was a flaw in SSH and you have it enabled, and someone's on the native VLAN with the devices, that's a potential attack surface. And if there was a flaw in the SNMP, the same thing: they would be able to attack those ports on there. So these are good reasons just not to let anything be on VLAN 1, maybe other than your UniFi devices. The last thing is port 8080 is open on these devices, but I don't know any known vulnerabilities in that either for them to poke at, or any of the services listening that have a potential exploit. But of course, you know, anytime something can get to something, the potential there for in the future, if someone finds a way in, is there. So just keeping everything off of VLAN 1 and keeping maybe only your UniFi or hardware devices like your pfSense on VLAN 1, make VLAN 1 the management and put everything subsequently, might make a lot more sense for your design and architecture. Leave your comments down below. Tell me why I'm right.
Or why I'm wrong. It's always fun to have a healthy discussion about security. And it is a far cry from the years ago when everything really had to be on management, because the control plane between the different devices was all, you know, Telnet and things like that. I've also got that David Bombal video linked down below talking about how VLAN hopping works and how you can dive into Cisco and inject packets, and, you know, that is a security concern. Obviously you have to really protect the ports and make sure they're all set up. And that Cisco video is really good on how he does it; Cisco handles things differently than UniFi. So just some food for thought and further reading and stuff to think about. Thanks.

And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and look forward to hearing from you.
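The point made in the video about a port set to "All" carrying every VLAN's traffic on the same wire, and the reason untrusted hosts should not sit on that native VLAN, is easy to see in the frame format itself. The Python below is an added example, not code from the video, from Lawrence Systems or from Ubiquiti: it builds a handful of constructed 802.1Q frames (all MAC addresses, payloads and VLAN IDs are made up), parses the tag, and models the difference between a port that passes all networks with tags intact and a port restricted to a single network. The function and constant names are the example's own.

```python
"""
Added example, not from the video: a small 802.1Q parser that models what a host
on a port set to carry "All" networks can see on the wire, versus a host on a
port carrying one network. MAC addresses, payloads and VLAN IDs are constructed.
"""
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed (locally administered) MAC addresses for the sample frames.
MAC_PFSENSE = bytes.fromhex("0200000000a1")
MAC_AP = bytes.fromhex("0200000000b2")
MAC_LAPTOP = bytes.fromhex("0200000000c3")
MAC_BCAST = b"\xff" * 6


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)  # PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Return (vlan_id or None, inner EtherType, payload) for one frame.
    None means the frame carried no tag, i.e. it belongs to the native VLAN."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("frame truncated inside the 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner, frame[18:]


def vlans_seen(frames, native_vlan=1):
    """Count frames per VLAN as a host reading the wire would attribute them.
    Untagged frames belong to the native VLAN."""
    counts = {}
    for frame in frames:
        vid, _, _ = parse_frame(frame)
        vid = native_vlan if vid is None else vid
        counts[vid] = counts.get(vid, 0) + 1
    return counts


def frames_forwarded(frames, port_networks="all", native_vlan=1):
    """Model what a switch port delivers to the host plugged into it.

    port_networks="all" -> every frame passes with its tag intact (the "All"
                           profile used to feed the access point in the video).
    port_networks={10}  -> only those VLANs pass, delivered untagged.
    """
    delivered = []
    for frame in frames:
        vid, ethertype, payload = parse_frame(frame)
        effective = native_vlan if vid is None else vid
        if port_networks == "all":
            delivered.append(frame)
        elif effective in port_networks:
            # Single-network port: strip the tag before handing it to the host.
            delivered.append(frame[:12] + struct.pack("!H", ethertype) + payload)
    return delivered


# Constructed capture: one native-VLAN ARP, two frames on VLAN 10, one on VLAN 16.
SAMPLE_FRAMES = [
    build_frame(MAC_BCAST, MAC_PFSENSE, ETHERTYPE_ARP, b"\x00\x01\x08\x00"),
    build_frame(MAC_AP, MAC_LAPTOP, ETHERTYPE_IPV4, b"\x45\x00\x00\x14", vlan_id=10),
    build_frame(MAC_LAPTOP, MAC_AP, ETHERTYPE_IPV4, b"\x45\x00\x00\x14", vlan_id=10),
    build_frame(MAC_PFSENSE, MAC_AP, ETHERTYPE_IPV4, b"\x45\x00\x00\x14", vlan_id=16),
]

if __name__ == "__main__":
    # A host on an "All" port sees frames from every VLAN: {1: 1, 10: 2, 16: 1}
    print("On an 'All' port:", vlans_seen(frames_forwarded(SAMPLE_FRAMES, "all")))
    # A host on a VLAN-10-only port sees only its own network, untagged: {10: 2}
    print("On a VLAN 10 port:",
          vlans_seen(frames_forwarded(SAMPLE_FRAMES, {10}), native_vlan=10))
```

The encrypted controller traffic is still opaque to a host on the "All" port, which matches the video's point about visibility; what the model shows is that a device on a restricted port never receives the other VLANs' frames at all, so there is nothing on that wire to inject into or poke at. That is the practical reason for keeping laptops and gaming machines off VLAN 1 and off ports profiled as "All".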