ISM-1532 ASD Information Security Manual (ISM)

Avoid Using VLANs for Network Separation

Do not use VLANs to separate internal networks from the public internet.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
VLANs are not used to separate network traffic between an organisation's networks and public network infrastructure.

Source: ASD Information Security Manual (ISM)

Plain language

This control advises against using VLANs, or Virtual Local Area Networks, to separate your organisation’s internal networks from the internet. If you rely on VLANs alone for this separation, you could be putting your data at risk, as VLANs can be vulnerable to attacks that allow intruders to bypass these barriers.

Why it matters

Relying on VLANs for network separation exposes sensitive data to potential breaches by attackers exploiting VLAN hopping techniques.

Operational notes

Ensure separation from public infrastructure uses physical links or encrypted tunnels, not VLANs; review switch trunking and ACLs to prevent VLAN hopping.
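One way to carry out the trunking review on an exported switch configuration, as an added example that is not part of the ISM or Control Stack text. It assumes Cisco IOS-style syntax and that the reviewer supplies the IDs of the public-facing VLANs (900 here is hypothetical); the sample configuration is constructed.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; adjust the
# patterns for your vendor). VLAN 900 is a hypothetical ISP hand-off VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 900
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,900
!
interface GigabitEthernet0/3
 switchport mode trunk
!
"""

def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, public_vlans):
    """Return (interface, finding) pairs where a VLAN tag is the only barrier."""
    findings, seen = [], set()
    for block in re.split(r"^interface\s+", config, flags=re.M)[1:]:
        block = block.split("\n!")[0]          # stop at the end of the stanza
        name = block.split("\n", 1)[0].strip()
        if re.search(r"^\s+switchport mode trunk", block, re.M):
            specs = re.findall(r"^\s+switchport trunk allowed vlan (?:add )?([\d,-]+)", block, re.M)
            if not specs:                      # no allowed list: every VLAN is carried
                findings.append((name, "trunk carries all VLANs"))
                continue
            vlans = set().union(*map(expand_vlans, specs))
        else:
            m = re.search(r"^\s+switchport access vlan (\d+)", block, re.M)
            if not m:
                continue                       # routed or unconfigured port
            vlans = {int(m.group(1))}
        seen |= vlans
        if vlans & public_vlans and vlans - public_vlans:
            findings.append((name, "trunk mixes public and internal VLANs"))
    if seen & public_vlans and seen - public_vlans:
        findings.append(("(switch)", "public and internal VLANs share this switch"))
    return findings
```

Calling `audit(SAMPLE_CONFIG, {900})` returns the interfaces to raise in the review; a switch-level finding means the public link should move to dedicated hardware or terminate on a firewall.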

Implementation tips

  • Network Administrators should reevaluate current network configurations to ensure that VLANs are not the primary method for separating internal networks from the public internet. They can achieve this by using separate physical networks or firewalls instead.
  • IT Managers should work to establish a policy that clearly prohibits the use of VLANs for isolating internal networks from the internet. This policy should outline acceptable methods for network separation, such as firewalls or dedicated routers.
  • Security Officers should organise training for IT staff to help them understand the limitations of VLANs for network separation and educate them on more secure alternatives. This training could be done through workshops or e-learning modules focused on network security best practices.
  • IT Teams should inspect all connection points between internal and public networks to ensure that secure methods like firewalls are in place instead of relying on VLANs. This can involve conducting regular audits of network configurations and ensuring compliance with the established network separation policy.
  • System Engineers should implement and regularly update firewall rules to ensure they are effectively separating internal networks from the public internet. This involves defining rules that control which data is allowed to pass and regularly reviewing these rules to address emerging threats.

Audit / evidence tips

  • Ask for the current network topology diagram: request a detailed diagram showing how internal networks are separated from the public internet.

    Good: the diagram clearly shows firewalls or physical separation methods.

  • Ask for the network security policy document: request the written policy that details how the organisation separates internal networks from the internet. Check whether the policy mentions firewalls or other secure methods instead of VLANs.

    Good: the policy explicitly prohibits VLAN use for this purpose.

  • Ask for training records: request documentation of recent training sessions on network security for IT staff.

    Good: the records include session agendas, dates, and participant lists.

  • Ask for a firewall configuration snapshot: request a current configuration export from the firewall in use.

    Good: the configuration has specific rules reducing unnecessary exposure to the internet.

  • Ask for recent network audit reports: request reports from any network audits conducted in the past year. Check whether they assessed VLAN use and recommended changes.

    Good: the report identifies VLAN issues and documents corrective actions taken.

Cross-framework mappings

How ISM-1532 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.20: ISM-1532 requires organisations to avoid using VLANs as the separation mechanism between internal networks and public network infrastruct...
  • Annex A 8.22: ISM-1532 requires that VLANs are not used to separate traffic between an organisation’s networks and public network infrastructure
