Segmentation between user and server VLANs
Demonstrate that user workstations and server systems reside on separate VLANs with enforced routing controls preventing unauthorized direct communication between segments.
Description
What this control does
This control requires logical network isolation between user workstations (client devices) and server infrastructure through separate Virtual Local Area Networks (VLANs). VLANs enforce Layer 2 segmentation so that broadcast domains, ARP requests, and direct peer communication are restricted between user endpoints and backend servers. Organizations implement this by assigning user devices to dedicated access VLANs while placing servers in separate, restricted VLANs with inter-VLAN routing governed by firewall rules or Access Control Lists (ACLs). This architecture limits lateral movement, reduces attack surface exposure, and contains compromise by preventing direct Layer 2 adjacency between untrusted endpoints and critical assets.
Control objective
What auditing this proves
Demonstrate that user workstations and server systems reside on separate VLANs with enforced routing controls preventing unauthorized direct communication between segments.
Associated risks
Risks this control addresses
- Attackers pivoting laterally from compromised user workstations directly to servers via Layer 2 protocols such as ARP spoofing or VLAN hopping
- Unauthorized users performing network reconnaissance through broadcast traffic revealing server IP addresses, MAC addresses, and service banners
- Malware spreading horizontally across both user and server populations without network boundaries to contain propagation
- Rogue devices connecting to user-facing network ports gaining direct access to server VLAN segments due to inadequate port security or VLAN assignment policies
- Insider threats exploiting flat network topology to access server resources without authentication or logging at network perimeter enforcement points
- Denial-of-service attacks originating from user workstations directly impacting server availability through broadcast storms or resource exhaustion
- Compliance violations arising from insufficient technical controls separating general user networks from systems processing sensitive data or regulated workloads
Testing procedure
How an auditor verifies this control
- Obtain current network topology diagrams and VLAN assignment documentation identifying which VLANs are designated for user workstations and which for server infrastructure
- Export VLAN configuration from core and access-layer switches showing VLAN definitions, naming conventions, and assigned ID ranges
- Review switch port configurations for a sample of user access ports to verify assignment to designated user VLANs and confirm no trunk configurations exist on end-user ports
- Review switch port configurations for server connections to verify assignment to designated server VLANs distinct from user VLANs
- Examine inter-VLAN routing configurations on Layer 3 switches or firewalls to identify which devices enforce traffic policies between user and server VLANs
- Analyze firewall rules or ACLs governing traffic between user and server VLANs to confirm deny-by-default posture with explicit allow rules for authorized services only
- Conduct packet capture or traceroute testing from a sample user workstation attempting to reach server VLAN addresses, verifying that traffic traverses the Layer 3 enforcement point rather than reaching servers through direct Layer 2 adjacency
- Validate that DHCP scopes, IP address management records, and DNS zone configurations align with documented VLAN segmentation boundaries
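The port-review and ACL-review steps above can be applied mechanically to an exported running-config. The following is an added example (not part of this control text) that checks a constructed IOS-style excerpt: user-facing access ports must not be trunks and must sit in the designated user VLAN, and the inter-VLAN ACL must end with an explicit deny-all entry. VLAN 10 as the user VLAN, VLAN 20 as the server VLAN, and the ACL name are assumptions.

```python
# Constructed IOS-style excerpt standing in for an exported running-config.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user workstation
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 description user workstation
 switchport mode trunk
interface GigabitEthernet1/0/3
 description user workstation
 switchport mode access
 switchport access vlan 20
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 443
 permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
 deny ip any any log
"""
USER_VLANS = {10}  # assumed designated user VLAN; servers are assumed to live in VLAN 20

def parse_stanzas(config):
    """Map each top-level stanza header to its indented child lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = line or None
            if current:
                stanzas.setdefault(current, [])
    return stanzas

def audit_user_ports(config, user_vlans):
    """Flag user-facing ports that trunk or sit outside the designated user VLANs."""
    findings = []
    for header, lines in parse_stanzas(config).items():
        is_user = any(l.startswith("description") and "user" in l.lower() for l in lines)
        if not header.startswith("interface ") or not is_user:
            continue
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan")), None)
        if "switchport mode trunk" in lines:
            findings.append(f"{header}: trunk configured on user port")
        elif vlan not in user_vlans:
            findings.append(f"{header}: access VLAN {vlan} is not a user VLAN")
    return findings

def acl_denies_by_default(config, acl_name):
    """True when the named extended ACL ends with an explicit deny-all entry."""
    entries = parse_stanzas(config).get(f"ip access-list extended {acl_name}", [])
    return bool(entries) and entries[-1].startswith("deny ip any any")
```

Against the sample, the checker reports the trunked user port and the user port placed in the server VLAN, and confirms the ACL closes with a deny.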
Where this control is tested