How do VLANs increase security

This is perhaps one of the most important features found on advanced switches. The core switch is commonly a Layer 3 switch. Because this is one of the most important aspects of a VLAN network, the Layer 3 switch must have a fast switching fabric measured in Gbps and provide advanced capabilities such as support for routing protocols, advanced access lists and firewall functions.

The Layer 3 switch can offer outstanding protection for a VLAN network but can also be a network administrator's worst nightmare if not properly configured. The first principle in securing a VLAN network is physical security. If an organization does not want its devices tampered with, physical access must be strictly controlled.

Core switches are usually safely located in a data center with restricted access, but edge switches are often located in exposed areas. Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the use of special tools and following a few best security practices to achieve the desired result. VLAN technology offers numerous enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability.

If the necessary basic security guidelines are taken into consideration during initial implementation and then during ongoing administration, a VLAN can dramatically reduce administrative overhead.

Perhaps the most serious mistake that can be made is to underestimate the importance of the data link layer and of VLANs in particular in the architecture of switched networks. It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal amount of attention needs to be given to every layer to assure the soundness of the entire structure.

This article was originally written by Chris Partsenidis on behalf of fedtechmagazine.

Devices on other VLANs will not hear these broadcasts, which reduces traffic and increases network performance. Internet traffic to another VLAN switch further upstream. This technology automatically detects network-attached surveillance devices, such as IP cameras and NVRs, and creates a separate VLAN that separates data traffic from surveillance network traffic.

This automatic, built-in feature is a welcome change from conventional systems, which typically require each setting to be manually configured and added to the network one by one. There are significant benefits achieved by using VLANs in surveillance networks. Because VLANs support a logical grouping of network devices, they reduce broadcast traffic and allow more control in implementing security policies.

Also, surveillance traffic is only available to those authorized, and bandwidth is always available, when needed. This article originally appeared in the August issue of Security Today.

The Truth about VLANs: What security integrators need to know. By Steven Olen, Aug 01

A common misperception among security system integrators is the notion that an IP surveillance network must be separate and distinct from the corporate or campus data network and the voice network.

Nevertheless, integrators assume that having separate networks is the only way to achieve two important requirements: Security: Only authorized users physically connected to the network will have access to video surveillance traffic, and unwanted users will be kept out.

Bandwidth Availability: A dedicated network ensures bandwidth will always be reserved for the surveillance traffic, as needed. Security integrators are often not aware that these same security and bandwidth requirements can be realized on one common network by using VLAN technology. In this chapter, we step through a description of VLAN technology, how to secure it (including basic switch security), and how to control packets to increase the overall strength of attack surface defense.

I use the term packet instead of frame to refer to transmission entities at both the network and the data link layers. Traditional networks resemble Figure . Perimeter defenses protect the data center from external threats with little protection against internal threat agents.

Once on the wire, an attacker has free access to system attack surfaces. No system attack surface defense is perfect; eliminating unwanted access significantly reduces the risk of a system breach. In our example, the trust boundaries are located either on or external to the data center perimeter. Locally connected devices have full access to the data center network once the user authenticates. The assumption here is that perimeter controls prevent unauthorized access to system attack surfaces… a bad assumption.

Finally, the flat data center network is one large broadcast domain. Any device sending an ARP broadcast looking for an IP address in the data center will receive a reply if the address is assigned to an active server or other device.

In other words, an attacker can see all servers in the data center. This provides potential access to every system attack surface. With enough time and the right skills, it is only a matter of time before a targeted attack surface cracks. Network segmentation with virtual local area networks (VLANs) creates a collection of isolated networks within the data center.

Each network is a separate broadcast domain. When properly configured, VLAN segmentation severely hinders access to system attack surfaces. It reduces packet-sniffing capabilities and increases threat agent effort. Another advantage of segmentation is protocol separation. Network architects can limit certain protocols to certain segments of the enterprise. This limits traffic in each VLAN to relevant packets.

Finally, the use of VLANs enables secure, flexible user mobility. This is particularly helpful when designing wireless constraints. This requires, however, that you have something like With Otherwise, a user finding a statically configured port assigned to another VLAN can gain access simply by plugging in. We configure VLANs using layer two technology built into switches.

In addition to segmentation, VLANs also benefit from switch security capabilities. See Figure . The OSI model, or standard, is the guideline for technology manufacturers who strive to build interfaces with other network technologies.

The component at L2 involved in switching is media access control (MAC). Each network interface possesses a physical, or MAC, address. The manufacturer assigns this six-byte value (IEEE Std ). As shown in Figure , it consists of two parts.

The first three bytes identify the manufacturer. Figure depicts how . Every device connected to a network must have a MAC address. If it does not, no other device can establish a session with it. When a computer needs to communicate with another network-attached device, it sends an address resolution protocol (ARP) broadcast.

This assumes that the IP addresses of both devices carry the same network identifier. For example, if the target device and the source device both have the network address . The broadcast packet travels to all devices on the same network segment, asking for a response from the device with the target IP address.

The first issue is packet delivery to all devices. This unnecessarily increases network traffic and degrades performance. The second issue is visibility. The desktop device in our example can find any connected device simply by sending one or more ARP broadcasts.

A D-switch enables maximum visibility because it cannot determine whether a requesting device is authorized to see or contact the target device. Further, all devices exist on the same network segment.

Figure 5-4: IEEE

If a device with the target IP address exists on the network, it picks up and processes the broadcast packet.

For example, when a device connected to switch port 10 sends its first packet, the switch updates the CAM table with the port and the MAC address. For example, an entry might be removed if the switch has not received packets from a device for a specified period. This is an important security consideration, as demonstrated later in this chapter.

In addition to reducing network traffic, Figure shows how a single switch might manage four collections of devices. A VLAN is a set of switch ports. In our example, the HR clerk and the HR servers are assigned to switch ports 2, 4 and 8.

Ports 2, 4 and 8 are configured as VLAN 10. Devices connected to these ports can talk to each other, but they are logically isolated from devices connected to ports not part of the VLAN 10 set. This example demonstrates how we can separate collections of users, servers, and other devices into smaller network attack surfaces. In situations such as an externally facing security zone, we often want servers to communicate with users from other VLANs, but security is strengthened by preventing the servers from establishing sessions with each other.
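An added example, not from the chapter: a small Python model of the CAM table and port-based VLAN membership just described. It assumes a constructed topology of ports 2, 4 and 8 in VLAN 10 and ports 1, 3 and 5 in a second VLAN 20, with made-up MAC addresses, and shows that broadcasts and unknown-unicast floods stay inside one VLAN and that an aged-out CAM entry causes flooding again.

```python
class VlanSwitch:
    """Constructed model of a Q-switch (not vendor code): static port-to-VLAN
    membership plus a CAM table that learns MAC -> port and ages entries out."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, port_vlans, aging_seconds=300):
        self.port_vlans = dict(port_vlans)   # port number -> VLAN id
        self.cam = {}                        # (vlan, mac) -> (port, last_seen)
        self.aging = aging_seconds

    def _expire(self, now):
        # Entries not refreshed within the aging period are dropped; the next
        # frame to that MAC is flooded again within its VLAN.
        for key in [k for k, (_, seen) in self.cam.items() if now - seen > self.aging]:
            del self.cam[key]

    def receive(self, in_port, src_mac, dst_mac, now):
        """Return the sorted list of ports this frame is forwarded out of."""
        self._expire(now)
        vlan = self.port_vlans[in_port]
        # Learning: the sender is behind in_port, recorded only within its VLAN
        self.cam[(vlan, src_mac)] = (in_port, now)
        members = sorted(p for p, v in self.port_vlans.items()
                         if v == vlan and p != in_port)
        if dst_mac == self.BROADCAST:
            return members                   # broadcast stays inside the VLAN
        entry = self.cam.get((vlan, dst_mac))
        if entry is None:
            return members                   # unknown unicast: flood, VLAN only
        out_port, _ = entry
        return [out_port] if out_port in members else []


# Constructed topology: HR clerk and HR servers on ports 2, 4 and 8 (VLAN 10),
# a second department on ports 1, 3 and 5 (VLAN 20). MAC values are made up.
HR_CLERK, HR_SERVER, OTHER_DEPT = "00:1b:21:00:00:02", "00:1b:21:00:00:08", "00:1b:21:00:00:01"

def build_demo_switch():
    return VlanSwitch({2: 10, 4: 10, 8: 10, 1: 20, 3: 20, 5: 20}, aging_seconds=300)

def demo():
    sw = build_demo_switch()
    return {
        "arp_from_clerk": sw.receive(2, HR_CLERK, VlanSwitch.BROADCAST, now=0),   # [4, 8]
        "reply_from_server": sw.receive(8, HR_SERVER, HR_CLERK, now=1),          # [2]
        "other_dept_to_server": sw.receive(1, OTHER_DEPT, HR_SERVER, now=2),     # [3, 5]
        "after_aging": sw.receive(4, "00:1b:21:00:00:04", HR_SERVER, now=400),   # [2, 8]
    }
```

Port 8 never appears in the VLAN 20 flood, which is the isolation the text describes; the last case shows the server's entry aging out so the frame is flooded to every VLAN 10 port again.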

We take a closer look at this in the final security zone section. Although not needed for our simple example, the rest of this chapter requires an understanding of VLAN tagging. When a VLAN-segmented network consists of only one switch, tagging is not necessary. However, things get more complicated if multiple switches exist, or if all packets, regardless of VLAN membership, must travel over one or more aggregated paths (trunks).

Figure depicts the location of the tag in an ethernet packet. The tag consists of four bytes divided into two fields. It looks simple, but it is not always compatible with existing devices. This extends the packet and creates additional information that VLAN-unaware devices cannot process.

Cannot-process equals errors and dropped packets. Most D-switches offered today can process a tagged packet even if they do not know how to interpret the tag. However, the vast majority of end-point devices will not. As we examine later in this chapter, tag removal is part of the packet forwarding process. Packets belong to VLANs, not devices. An administrator can use any of several approaches for VLAN configuration. The default method specified in . In our previous example (Figure 6), any packet entering through port 2, 4 or 8 is automatically assigned to VLAN . While this can require significant management effort, it is a way to maintain VLAN membership for devices that frequently move; regardless of where they move or how they connect, each will always be assigned to the appropriate VLAN.
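As an added example (not from the chapter or its figures), the following Python parses the six-byte MAC addresses and the four-byte 802.1Q tag described above from a constructed frame, and shows the tag removal a switch performs before handing a packet to a VLAN-unaware device. The frame bytes and MAC values are made up.

```python
import struct

# Constructed sample frames, not captured from any real network.
# Tagged: dst 01:00:5e:00:00:01 (a group address), src 00:1b:21:aa:bb:cc,
# TPID 0x8100, TCI 0xa00a (PCP 5, DEI 0, VID 10), EtherType 0x0806 (ARP).
TAGGED_FRAME = bytes.fromhex("01005e000001" "001b21aabbcc" "8100" "a00a" "0806") + bytes(28)
UNTAGGED_FRAME = bytes.fromhex("ffffffffffff" "001b21aabbcc" "0806") + bytes(28)

def parse_mac(raw):
    """Split a six-byte MAC into the manufacturer part (first three bytes, the OUI)
    and read the two flag bits of the first byte."""
    mac = ":".join(f"{b:02x}" for b in raw)
    return {
        "mac": mac,
        "oui": mac[:8],
        "multicast": bool(raw[0] & 0x01),              # I/G bit: group address
        "locally_administered": bool(raw[0] & 0x02),   # U/L bit: not factory-assigned
    }

def parse_frame(frame):
    """Return addressing and VLAN information for one Ethernet frame. A tag is
    present when the EtherType position holds TPID 0x8100; the two bytes after
    it are the TCI: 3 bits PCP, 1 bit DEI, 12 bits VID."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": parse_mac(frame[0:6]), "src": parse_mac(frame[6:12]),
            "tagged": False, "pcp": None, "dei": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == 0x8100:
        if len(frame) < 18:
            raise ValueError("802.1Q TPID present but TCI/EtherType truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, dei=bool(tci & 0x1000), vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

def strip_tag(frame):
    """What a switch does before forwarding to a VLAN-unaware access port:
    remove the four tag bytes so the end device receives a plain frame."""
    if parse_frame(frame)["tagged"]:
        return frame[:12] + frame[16:]
    return frame
```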

A security vulnerability with this approach is MAC address spoofing. VLANs are network segments. See Table . I used the third octet. Since no routing is set up at this point, packets are forced by address to communicate only with devices on the same VLAN.

One approach particularly useful for wireless or remote devices is dynamic VLAN assignment. Once the user is authenticated, packets from his device are assigned to the appropriate VLAN based on rules set up by the administrator. For example, if a salesperson connects her laptop to an ethernet jack in a conference room, the switch requires hardware and user authentication. Because she belongs to the sales group, she is assigned to the sales VLAN. If a vendor or other non-employee connects to the same port, authentication is not possible, and the device is assigned to the guest VLAN.

This is a flexible approach and works well with role-based access control. If the salesperson in our example moves to project management, her AD account changes groups. Most end-point devices are not VLAN-aware. In other words, they are unable to process incoming tagged packets or tag a packet before sending it out to the network.

However, manufacturers like Intel provide extensions to selected NIC drivers to provide this functionality. Figure is a screenshot from my iMac running Lion. I can assign each of my interfaces to a different VLAN, if necessary. Switches or end-point devices supporting this capability can assign a packet to a VLAN based on the nature of the packet payload. For example, packets part of a streaming video application might be relegated to a specific VLAN.

This reduces traffic on VLANs handling normal business. Another benefit of application-based assignment is the ability to assign various packets from the same system to a variety of VLANs based on the applications used. This allows user authentication and authorization to determine VLAN assignments and the consequent restrictions imposed.

The advantage of having VLAN-aware end-point devices is significant. An organization can create device images for each VLAN based on user role. When an image is applied to a device, that device will connect to the appropriate VLAN no matter where or how it connects. This is done without the headaches associated with approaches like MAC address management. Many organizations have more than one switch.

Further, VLANs are not dependent on the actual location of an end-point device or switches. Refer to Figure . When using two Q-switches to manage VLANs, a trunk is configured between them using a port on each switch: a trunk port.

During a broadcast, all VLAN packets entering either switch are sent via the trunk to the other switch.

Figure 5 — Trunking.

ACLs filter packets entering an L2 interface. An administrator can configure filtering at one of two levels: standard or extended. Standard IP ACLs, for example, simply check the source address.
