ISM-0529 ASD Information Security Manual (ISM)

Avoid Using VLANs for Different Security Domains

Do not use VLANs to separate networks with different security levels.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2021

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
VLANs are not used to separate network traffic between networks belonging to different security domains.

Source: ASD Information Security Manual (ISM)

Plain language

When you set up different parts of your network for security reasons, don't rely on VLANs (Virtual Local Area Networks) to keep them apart. Using VLANs can lead to serious security risks because they aren't foolproof against attacks that could jump from one secured area to another. This matters because if one part of your network is breached, attackers could access sensitive data in other parts too.

Why it matters

Relying on VLANs to separate different security domains can allow cross-domain access if VLAN hopping or misconfiguration occurs, exposing sensitive data.

Operational notes

Ensure different security domains use physical or cryptographic separation, not VLANs. Review switch configs and routing/ACL paths to confirm no cross-domain VLAN connectivity.
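One way to run the switch-config review described above, as an added example that is not part of the original control page: it flags any switch whose ports carry VLANs from more than one security domain. The VLAN-to-domain register, domain labels, switch names and Cisco IOS-style config text are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed VLAN-to-domain register (assumption: taken from your own VLAN documentation).
VLAN_DOMAIN = {10: "OFFICIAL", 20: "OFFICIAL", 110: "PROTECTED"}
# Constructed Cisco IOS-style configs for two hypothetical switches.
CONFIGS = {
    "sw-official-01": """
interface GigabitEthernet0/1
 switchport access vlan 10
""",
    "sw-shared-01": """
interface GigabitEthernet0/1
 switchport access vlan 20
interface GigabitEthernet0/2
 switchport access vlan 110
interface GigabitEthernet0/48
 switchport trunk allowed vlan 10-20,110
""",
}
PORT_VLANS = re.compile(r"switchport (?:access vlan|trunk allowed vlan(?: add)?) ([\d,-]+)$")

def expand(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (security domains on the switch, ports carrying more than one domain)."""
    per_port, port = defaultdict(set), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            port = line.split(None, 1)[1]
        match = PORT_VLANS.match(line)
        if match and port:
            per_port[port] |= {VLAN_DOMAIN[v] for v in expand(match.group(1)) if v in VLAN_DOMAIN}
    mixed = sorted(p for p, doms in per_port.items() if len(doms) > 1)
    return set().union(*per_port.values()), mixed

def findings(configs=CONFIGS):
    results = {name: audit(cfg) for name, cfg in configs.items()}
    return {name: r for name, r in results.items() if len(r[0]) > 1}

if __name__ == "__main__":
    for name, (domains, mixed) in findings().items():
        print(f"{name}: domains {sorted(domains)}; mixed-domain ports: {mixed}")
```

A trunk with no allowed-VLAN list carries every VLAN by default on IOS, which this check does not model, so treat unrestricted trunks as a separate finding.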

Implementation tips

  • The network administrator should review current network segmentation strategies. Ensure that sensitive and non-sensitive network areas are physically separated rather than relying solely on VLANs, which can be bypassed with certain attacks.
  • The IT manager should conduct a risk assessment of the current VLAN usage. Include factors like potential data exposure and the impact of a breach across network segments, emphasising the need for physical or additional logical separation methods.
  • IT security staff should install additional network security equipment, such as firewalls or routers, to physically separate different security domains within the network, thereby reducing reliance on VLAN separation.
  • The IT team should work alongside a security consultant to design a layered network security architecture. This should include using multiple security measures, such as firewalls and network intrusion detection systems (IDS), beyond just VLANs.
  • System owners should document and regularly review the network design and security policies. Update these documents to reflect changes in technology or business operations, ensuring network separations are maintained through reliable means.

Audit / evidence tips

  • Ask: the network architecture diagram: Request the most recent diagram illustrating the physical and logical separation of network segments

    Good: shows multiple layers of network security, with physical separations where needed

  • Good: record specifies alternative or additional security solutions employed

  • Ask: a report on recent penetration testing or network audits: This should include results on how well VLANs are used in conjunction with other security measures

    Good: report highlights segregated security zones with more robust protections

  • Good: document details how multiple security domains stayed isolated despite breach attempts, highlighting effective alternative separations

  • Good: log shows proactive steps taken to separate network domains securely

Cross-framework mappings

How ISM-0529 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.22 ISM-0529 requires that VLANs are not used to separate network traffic between networks belonging to different security domains
Supports (1)
Annex A 8.20 ISM-0529 requires that VLANs are not used to separate network traffic between different security domains, pushing organisations to use st...
