Reed - Virtual Local Area Networks In Security


Virtual Local Area Networks In Security
By Mark Reed
Topics
• Definition of LAN and VLAN
• Advantages of using VLANs
• When to consider using VLANs
• Why we use VLANs
• How VLANs work
• Types of VLANs
• Increase network security with VLANs
LAN - Definition
Local Area Network (LAN) – a single broadcast
domain of computers and network devices that are
physically located near each other. A single
broadcast domain means that when a host on the
LAN sends a broadcast, it is received by every
node on the same LAN.
VLAN - Definition
Virtual Local Area Network (VLAN) – a group of
hosts with a common set of requirements that
communicate as if they were attached to the
same broadcast domain, regardless of their
physical location.
What are the advantages of a VLAN?
• Have the same attributes as a physical LAN
• Allows for workstations to be grouped
together even if they are not located on the
same network switch
• Network reconfiguration can be done through
software instead of physically relocating
devices
When should you consider using VLANs?
• If you have more than 200 devices on your network
• If your network has a lot of broadcast traffic that may
be affecting network performance
• If groups of users need more network security
because of sensitive information
• If groups of users need a lot of bandwidth or access
to the same applications
• If you need to make a single switch into multiple
virtual switches
Why use VLANs?
• Increase network performance
• Allows network administrators to form virtual
workgroups for departments or divisions
• Simplify network administration
• Reduce network costs
• Increase network security
How Do VLANs Work?
• Explicit Tagging – When a switch receives data
it tags the data with a VLAN identifier
indicating the VLAN from which the data came
• Implicit Tagging – the VLAN from which the
data came is determined based on
information like the port on which the data
arrived
Types Of VLANs
• Tagging can be based on the port from which
it came, the source Media Access Control
(MAC) field, the source network address, or
some other field or combination of fields
• VLANs are classified based on the method of
tagging that is used
• Switches hold a filtering database which stores
this information
Layer 1 – Membership By Port
• Can be defined based on the ports that belong
to the VLAN
• Main disadvantage of this method is that it
does not allow for user mobility
• If a user moves to a different location, the
network administrator must reconfigure the
VLAN for that user
Layer 2 – Membership By Address
• Is based on the MAC address of the
workstation or the source of the data
• No reconfiguration is needed if the
workstation is moved since the MAC address
is part of the network interface card
• Membership tables do not need to be changed
Layer 3 – Membership By IP Subnet Address
• Is based on the network address carried in the
header of the frame or data that is being sent
• Workstations can be moved without
reconfiguring the network address
• Forwarding based on Layer 3 information takes
longer than forwarding based on the MAC address
Frame Processing
• When a switch receives data it determines
which VLAN the data belongs to either by
implicit or explicit tagging
• The switch also keeps track of VLAN members
in a filtering database which it uses to
determine where the data is to be sent
Filtering Database
• Membership information for a VLAN is stored
in a filtering database
• The filtering database consists of two types of
entries – Static Entries and Dynamic Entries
Static Database Entries
• Static information is added, modified and
deleted by a network administrator
• There are two types of static database entries
1. Static Filtering Entries – specify for every port
whether frames should be forwarded or
discarded
2. Static Registration Entries – specify which
ports are registered for a specific VLAN
Dynamic Database Entries
• Dynamic entries are learned by the switch
and cannot be created or updated manually
• Learning process observes the port from
which a frame with a given source address
and VLAN ID is received and updates the
database accordingly
• The entry is updated only if the port allows
learning, the source is a workstation and if
there is space available in the database
Dynamic Database Entries Contd.
• There are three types of dynamic entries
1. Dynamic Filtering Entries – specify whether frames
that are to be sent to a specific MAC and on a
certain VLAN should be forwarded or discarded
2. Group Registration Entries – specify whether frames
that are to be sent to a group MAC address on a
certain VLAN should be forwarded or discarded
3. Dynamic Registration Entries – specify which ports
are registered for a specific VLAN
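The tagging, frame-processing and filtering-database slides above describe one forwarding decision; the following is an added example (not from the presentation) that models it: implicit tagging by ingress port, explicit 802.1Q tag parsing, static registration entries and dynamically learned entries. The port-to-VLAN layout and MAC addresses are constructed for illustration.

```python
# Constructed model of a VLAN-aware switch (added example, not the author's code).
import struct

# Static registration entries (administrator-configured): port -> VLAN IDs it belongs to.
# Constructed topology: ports 1 and 2 in VLAN 10, port 3 in VLAN 20, port 4 carries both.
STATIC_REGISTRATION = {1: {10}, 2: {10}, 3: {20}, 4: {10, 20}}
# Port VLAN ID used for implicit tagging of frames that arrive without a tag.
PVID = {1: 10, 2: 10, 3: 20, 4: 10}
# Dynamic filtering entries learned from traffic: (VLAN ID, source MAC) -> port.
dynamic_db = {}
BROADCAST = b"\xff" * 6


def make_frame(dst, src, vid=None, payload=b"data"):
    """Build an Ethernet frame; insert an 802.1Q tag (explicit tagging) when vid is given."""
    tag = (b"\x81\x00" + struct.pack("!H", vid & 0x0FFF)) if vid is not None else b""
    return dst + src + tag + b"\x08\x00" + payload


def classify(port, frame):
    """Return (vid, frame without tag): an explicit tag wins, otherwise the port's PVID."""
    if frame[12:14] == b"\x81\x00":              # EtherType 0x8100 marks an 802.1Q tag
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]   # VID is the low 12 bits of the TCI
    return PVID[port], frame


def forward(port, frame):
    """Return the set of egress ports for a frame received on ingress port (empty = discard)."""
    vid, untagged = classify(port, frame)
    if vid not in STATIC_REGISTRATION.get(port, set()):
        return set()                             # ingress port not registered for this VLAN
    dst, src = untagged[0:6], untagged[6:12]
    if (src[0] & 1) == 0:                        # learn only unicast (station) sources
        dynamic_db[(vid, src)] = port            # dynamic entry updated by the learning process
    members = {p for p, vids in STATIC_REGISTRATION.items() if vid in vids} - {port}
    known = dynamic_db.get((vid, dst))
    if known is not None and known in members:
        return {known}                           # known unicast: deliver to one port only
    return members                               # broadcast or unknown: only this VLAN's members
```

A broadcast entering on a VLAN 10 port never reaches the VLAN 20 port, and a frame explicitly tagged with a VLAN its ingress port is not registered for is discarded rather than learned.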
VLANs Increase Security
• VLANs provide additional security not available in a shared
network environment
• A switched network environment delivers frames only to the
intended recipients and broadcast frames only to other
members of the VLAN
• Allows network administrators to segment users that require
access to sensitive information into separate VLANs from the
rest of the general user community, regardless of physical
location
• Monitoring a port with a traffic analyzer shows only the
traffic associated with that particular port
Summary
• VLANs allow the formation of virtual workgroups,
better security, improved performance, simplified
administration and reduced network costs.
• VLANs are formed by logical segmentation of a
network and can be classified into Layers.
• Tagging and the filtering database allow a switch to
determine the source and destination VLAN for
received data.