VLANs is one of the best tools to easily improve your network security and management, at home or in a company. They can be used to isolate devices, setup a dedicated network to expose services or simply create an internet only network for your guests.
Here is a quick explanation of what is a VLAN and why you should use them.
What is a LAN and a VLAN ?
Let's begin with the basics. LAN is an acronym standing for Local Area Network. This is a physical network, with every devices connected to a device, a router for example, via an ethernet cable or wifi. It's generally the type of network you have at home and in small companies.
VLAN , like LAN, is a acronym for Virtual Local Area Network. This allow you to create multiple virtual networks on a physical network. With VLANs, you can regroup some devices on a single network and isolate them from everything else. It allow you to get a better control of your network and more easilly manage what is connected on your network.
Why you should use VLANs in your home network?
In a standard LAN, every devices can see each other and communicate without your approval. Broadcast traffic can be sent to everything on the network to discover every devices connected, scan exposed services without any control, and can also increase network latency. With this type of network, some device (like a smart TV) can track if your phone is connected to your WIFI and use this type of data for ad profiling (yes, they can, and it's scarry).
Here come VLANs : it allow you to segment and segregate parts of your network, only allowing traffic to go to the a specific VLAN and isolate VLANs from others. Communication between VLAN networks is only allowed with firewall rules, as by default, a VLAN can't access anything, even internet.
In our previous example, the Guest VLAN (id 40) can only use the internet connection and the IOT VLAN is completely isolated as nothing is allowed to get out of the network. Only the Trust VLAN (id 10) can access the IOT VLAN (id 20) for maintenance purpose and some integration in specialized services (Home Assistant for example) can accès both networks.
You can also setup a DMZ VLAN (id 30), where you can expose specifics ports from custom services to the internet and isolate it from the rest your network. This can be used to host a custom services, client access or anything you want, if you have the hardware available for this type of thing.
Finally, even if somebody can break into your network, maybe via an exposed service on the DMZ VLAN, they can only access devices on the network they are connected to. This can help to protect sensitive data and reduce the amount of damage somebody can do.
I need to remind you that VLANs can't protect you from attacks like virtual machine escaping, and if you host multiple virtual servers with different VLANs on a single physical server (like Proxmox for example), as they can use that to get access to the main host maybe even gain access to every VLANs on your network.
VLANs for business
VLANs are very useful in any company and every company should use them. They can help you setup a network in many different topology and enable better access control of all connected devices.
An easy setup is to isolate every divisions of your company from one another. The HR don't need to access the Developers network, but maybe the Project Manager team need to access their network and review some work in progress on a dedicated server, hosting VMs, on a dedicated VLAN. You can also isolate networks per floor, type of project or even type of access (specific VPN for a client or Guest network for visitors).
If any problem arise, VLANs will limit the impact of said problem and also facilitate the isolation of the source, if done correctly.
About the cost
The limiting factor of VLANs is compatible hardware.
If you work in a small company, you can pitch a meeting with the managers to explain to them that you need to harden the security of your network, even if you are just working in a "small company", as attacks can happen to everyone. Most professional hardware support VLANs out of the box. Larger companies must have correct VLANs set. Period.
For a home network, this can be more difficult, as VLAN supporting hardware can be costly or hard to find. Not every routers can create or support VLANs and not every switch can be managed to configure VLANs. Even so, some type of devices support only some type of VLANs but not the type you want to use : Do you need MTU VLANs, or maybe 802.1Q, or maybe only port base VLANs ? Do you want WAN VLAN or managed switch VLAN ? And what about WIFI ?
For home use, you could be to find a router supporting OpenWRT, an open source operating system built for embedded devices, which support VLANs and many more options for your network (maybe and AdBlock on the router ?). Here is a list of supported hardware with corresponding wiki pages to install and setup OpenWRT. First time install can be tedious for some hardware (as using UART, Bootp and TFTP to force the initial setup) and some are simple as upgrading a firmware, and everything will run smoothly after that.
Now, you know what to do!
Thanks @gsaitta for the proofreading.