The Leaky VLANs myth?
Questioning this reasoning more closely exposes the myth these people believe: that VLANs leak. My perception is that the root of this myth is a poor analysis done yonks ago and published on SANS, Intrusion Detection FAQ: Are there Vulnerabilities in VLAN Implementations? VLAN Security Test Report. This dated report states as a recommendation: "Try not to use VLANs as a mechanism for enforcing security policy. They are great for segmenting networks, reducing broadcasts and collisions and so forth, but not as a security tool." This report is used as the basis of many flawed recommendations; see this thread. VLANs are a security tool, but they are not the only security tool!
VLANs are not an alternative to a firewall. Duh! VLANs are not an alternative to a router either. Duh! Firewalls (or routers) are not an alternative to VLANs. Duh! But not using VLANs, period, is short-sighted and flawed. Not using VLANs is a larger risk than actually using them! Without VLANs, it is not possible to implement a reasonably secure network design. Security is in the design and configuration, not the components! VLANs don't leak, and I challenge any security bunnies out there to provide documented proof of a successful exploit!
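Since the point above is that isolation lives in the design and configuration rather than in the component, here is what checking that configuration looks like. This is an added example, not code from the original post: a small Python audit of a constructed Cisco IOS-style running-config that flags the port settings the well-known VLAN hopping techniques depend on, namely DTP trunk negotiation on user-facing ports and an access port sitting on a trunk's untagged native VLAN (the precondition for 802.1Q double tagging). The sample configuration, the interface names and the assumed defaults (ports default to a dynamic DTP mode, access and native VLAN default to 1) are assumptions made for the example, as is the parser itself.

```python
"""Audit a Cisco IOS-style switch configuration for the port settings that
let frames cross VLAN boundaries.  Added example; the config is constructed."""
import re
from collections import defaultdict

# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
interface GigabitEthernet1/0/1
 description user port, weak: may negotiate a trunk via DTP
 switchport access vlan 10
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/2
 description user port, hardened
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 description user port placed on the uplink's native VLAN
 switchport access vlan 1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 description uplink, hardened
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 description uplink, weak: native VLAN 1, all VLANs allowed
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [config lines]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def port_facts(lines):
    """Extract the settings the audit cares about, filling in assumed IOS
    defaults: dynamic DTP mode, access VLAN 1, native VLAN 1, all VLANs allowed."""
    facts = {"mode": "dynamic", "access_vlan": 1, "native_vlan": 1,
             "allowed": "all", "nonegotiate": False}
    for l in lines:
        if l.startswith("switchport mode "):
            facts["mode"] = l.split()[2]
        elif l.startswith("switchport access vlan "):
            facts["access_vlan"] = int(l.split()[3])
        elif l.startswith("switchport trunk native vlan "):
            facts["native_vlan"] = int(l.split()[4])
        elif l.startswith("switchport trunk allowed vlan "):
            facts["allowed"] = l.split()[4]
        elif l == "switchport nonegotiate":
            facts["nonegotiate"] = True
    return facts


def audit(config):
    """Return {interface: [finding, ...]} for ports that weaken VLAN isolation."""
    findings = defaultdict(list)
    # Global 'vlan dot1q tag native' tags native-VLAN frames on trunks, which
    # removes the untagged path that double tagging relies on.
    tag_native = "vlan dot1q tag native" in config.splitlines()
    ports = {name: port_facts(lines) for name, lines in parse_interfaces(config).items()}
    trunk_natives = {p["native_vlan"] for p in ports.values() if p["mode"] == "trunk"}

    for name, p in ports.items():
        if p["mode"] not in ("access", "trunk"):
            findings[name].append("DTP enabled: port can be negotiated into a trunk")
        elif not p["nonegotiate"]:
            findings[name].append("missing 'switchport nonegotiate': port still sends DTP")
        if p["mode"] == "trunk":
            if p["native_vlan"] == 1:
                findings[name].append("trunk native VLAN left at default 1")
            if p["allowed"] == "all":
                findings[name].append("trunk carries all VLANs; prune with 'allowed vlan'")
        elif p["access_vlan"] in trunk_natives and not tag_native:
            findings[name].append(
                f"access VLAN {p['access_vlan']} is a trunk's untagged native VLAN: "
                "double-tagged frames from this port reach other VLANs")
    return dict(findings)


if __name__ == "__main__":
    for port, issues in sorted(audit(SAMPLE_CONFIG).items()):
        for issue in issues:
            print(f"{port}: {issue}")
```

Run against the sample, the audit is silent on the two hardened ports and reports only the weak user port, the user port parked on the native VLAN, and the unpruned uplink, which is the distinction the post is drawing: the frames that cross VLANs do so because a port was left negotiable or a native VLAN was shared, not because 802.1Q tagging itself fails.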