Virtual Local Area Networks in Security
COSC 356 – Network Security
Mark Reed
December 4th, 2008
Introduction
A Local Area Network (LAN) is defined as a single broadcast domain of computers that are physically located near each other. A single broadcast domain is a domain in which a request sent by a user on the LAN will be received by every node on the same LAN. Routers on a network stop broadcasts, while switches simply forward them. Virtual Local Area Networks are used to logically segment a LAN into different broadcast domains. VLANs are logical groupings rather than physical ones, so the nodes on a VLAN do not have to be physically located near each other. VLANs also allow broadcast domains to be created using switches instead of routers. VLANs are created by putting some switch ports in a VLAN other than VLAN 1, which is the default VLAN. All ports that are added to a single VLAN are in a single broadcast domain. Since switches can communicate with each other, some ports on switch A can be in VLAN 10 and other ports on switch B can also be in VLAN 10. Broadcasts sent between devices in VLAN 10 will only be delivered to other devices that are also in VLAN 10.
Why Use VLANs
VLANs can be used on a network to reduce the amount of traffic and broadcasts being sent across it. Not every network should use VLANs; they are unnecessary unless they improve network performance or network security. You should consider using VLANs if you have more than 200 devices on your LAN, you have a lot of broadcast traffic on your LAN, groups of users need more security, groups of users need access to more bandwidth or to the same applications, or if you simply need to make a single switch into multiple virtual switches.
There are many reasons why VLANs should be used over traditional LANs when setting up a large enterprise network. Using VLANs will increase the performance of the network and enable network traffic to be forwarded more efficiently. By setting up a VLAN you can avoid sending broadcasts and multicasts to all users on the network and send them only to the users who need to receive the traffic. This reduces the amount of network traffic, which increases the performance of the network. VLANs can also be used to reduce the number of routers on the network, which reduces the load on the routers and increases the performance of the routers and of the network itself. VLANs also give the network administrator the ability to form virtual workgroups for departments, divisions or groups throughout an enterprise. It is common for different departments or groups in an organization to work together on projects that may last only a short time. To reduce the number of multicast and broadcast packets sent over the network, these users can be added to a VLAN, which decreases network traffic and allows them to work more efficiently. VLANs can also be used to improve the performance of applications used by certain users of an organization. For example, if several users in a department use an application that generates a lot of network traffic, those users could be placed in a VLAN to reduce network traffic and increase the performance of the application.
A majority of network costs result from adding, removing and changing users on the network. VLANs can be used to reduce these costs and the amount of work needed to complete these tasks. VLANs help reduce network costs by eliminating the need to purchase expensive routers to create separate broadcast domains. Once VLANs are implemented in a network, they simplify network administration in the future. If a user in a VLAN needs to be moved to another location in the organization, you only need to make sure that the switch port they are using, or the MAC address of their workstation, is added to the necessary VLAN.
VLANs provide additional security not available in a shared network environment. A switched network environment delivers frames only to the intended recipients, and broadcast frames only to the other members of the VLAN. VLANs also allow network administrators to group users who require access to sensitive information into VLANs separate from the rest of the network users, regardless of their physical location. Monitoring a port with a traffic analyzer will only show the traffic associated with that particular port, which also helps increase the security of the network.
How VLANs Work
When a switch receives data from a workstation on the network, it tags the data with a VLAN identifier that indicates which VLAN the data came from. This type of tagging is called explicit tagging. It is also possible to determine which VLAN data belongs to by using implicit tagging. Implicit tagging determines which VLAN the data came from by the port it arrived on, the source MAC address, the source network address, or a combination of these fields. For the switch to perform tagging using any of these methods, it needs to keep a database containing mappings for VLANs and other switches on the network. For the network to operate properly, each switch needs to contain the same database. VLANs use tagging to distinguish frames sent over the network: a tag indicates which VLAN a frame belongs to, so the switch forwards the frame only to the ports that belong to that specific VLAN. Tagging adds specific information about a frame to the header of each frame. The following information is added to the header: user priority information, source routing control information and the source MAC address.
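As an added illustration (not code from the original paper), the following Python builds and parses the IEEE 802.1Q tag that explicit tagging inserts into the Ethernet header: a 0x8100 TPID followed by a 16-bit TCI carrying the priority (PCP), drop-eligible bit (DEI) and the 12-bit VLAN ID. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tagged frame


def tag_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
              vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Explicitly tag an Ethernet frame: dst | src | TPID | TCI | ethertype | payload."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    # VID 0 means "priority tag only" and 4095 is reserved; both are still
    # encodable, but a switch should not assign them to a user VLAN.
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("invalid 802.1Q tag field")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; vid/pcp/dei are None when the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "pcp": tci >> 13,
            "dei": (tci >> 12) & 1, "ethertype": inner_type, "payload": frame[18:]}
```

A capture tool that is not tag-aware will misread 0x8100 as the EtherType and the TCI as payload, which is why seeing tagged frames on an access port is worth investigating.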
When a switch receives data, it determines which VLAN the data belongs to using either implicit or explicit tagging, as described above. Membership information for each VLAN is stored in a filtering database that consists of two types of entries: static entries and dynamic entries. Static entries are added, modified and deleted manually by a network administrator. Therefore, such entries are not automatically removed when they become inactive; they must be removed manually by the network administrator. There are two types of static entries, Static Filtering Entries and Static Registration Entries. Static Filtering Entries specify, for each port, whether frames sent to a specific MAC address or group address on a specific VLAN should be forwarded or discarded. Static Registration Entries specify whether frames sent on a specific VLAN are to be tagged or untagged and determine which ports are registered for that VLAN, so that data can be forwarded or discarded accordingly.
Dynamic database entries are generated automatically by the switch and cannot be created or updated by the network administrator. The VLAN database is updated by observing each port, looking at the frame's source address and VLAN ID (VID). An entry is dynamically created or updated if the port allows learning, the source address belongs to a workstation, and there is space available in the database. Entries are dynamically removed from the database if they remain unused for a specified amount of time. There are three types of dynamic database entries. Dynamic Filtering Entries specify whether frames sent to a specific MAC address on a specific VLAN should be forwarded or discarded. Group Registration Entries indicate, for each port, whether frames sent to a group of MAC addresses should be forwarded or discarded. Dynamic Registration Entries specify which ports are registered to a specific VLAN.
There are several types of VLANs, which differ in the way they classify membership. Membership can be classified by port, by MAC address, by the protocol being used, or by subnet address. In a Layer 1 VLAN, membership is defined by the ports that belong to the VLAN. The main disadvantage of Layer 1 membership is that it requires reconfiguration if a user moves to a different port on the switch or to another switch. In a Layer 2 VLAN, membership is defined by the MAC address of the workstation. The biggest advantage of Layer 2 VLAN membership is the ability to move a workstation without reconfiguring the switches: when a workstation is moved to another location it remains in the same VLAN, since the switch tracks the workstation by its MAC address instead of the port it is physically connected to. In a Layer 3 VLAN, membership is based on the subnet of the workstation's IP address. With Layer 3 membership a workstation can be moved without reconfiguring the network addresses, but it generally takes longer to forward packets using this information than it does by MAC address. There are also several other ways that VLAN membership can be implemented, including by application, by service, or by any combination of these.
To create VLANs on your network you need a switch that supports Virtual Local Area Networks. To set up VLANs, all you need to do is create a new VLAN on the switch and then assign each port to the desired VLAN. For example, if you create VLAN 10 and assign ports 2 and 3 to it, and create VLAN 20 and assign ports 4 and 5 to it, you will have created two VLANs. Ports 2 and 3 will then be able to communicate with each other, and ports 4 and 5 will be able to communicate with each other. Traffic will not pass between the two VLANs without a router or further configuration of the switch.
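The following Python model, added here and not part of the original paper, ties the filtering-database description above to the port example just given: ports 2 and 3 are registered to VLAN 10 and ports 4 and 5 to VLAN 20 (Static Registration), the switch learns source MAC addresses per VLAN and ages them out (Dynamic Filtering), and an administrator can pin a decision for a MAC (Static Filtering). Port numbers, MAC addresses and the 300-second idle time are constructed values.

```python
BROADCAST = b"\xff" * 6


class VlanSwitch:
    """Port-based (Layer 1) VLAN switch with a per-VLAN filtering database."""

    def __init__(self, max_idle=300):
        self.port_vlan = {}       # Static Registration: port -> VID it belongs to
        self.static_filter = {}   # Static Filtering: (vid, mac) -> ports allowed to receive it
        self.dynamic = {}         # Dynamic Filtering: (vid, mac) -> (learned port, last seen)
        self.max_idle = max_idle  # seconds an unused dynamic entry survives (static never ages)

    def assign_port(self, port, vid):
        self.port_vlan[port] = vid

    def add_static_filter(self, vid, mac, allowed_ports):
        # An empty allowed set is a "discard" decision for that MAC on that VLAN.
        self.static_filter[(vid, mac)] = set(allowed_ports)

    def age_out(self, now):
        """Drop dynamic entries idle longer than max_idle; return how many were removed."""
        stale = [k for k, (_, seen) in self.dynamic.items() if now - seen > self.max_idle]
        for k in stale:
            del self.dynamic[k]
        return len(stale)

    def receive(self, in_port, src, dst, now=0):
        """Return the sorted egress ports for an untagged frame arriving on in_port."""
        vid = self.port_vlan[in_port]              # implicit tagging: VLAN decided by ingress port
        self.dynamic[(vid, src)] = (in_port, now)  # learn the source MAC inside this VLAN only
        members = {p for p, v in self.port_vlan.items() if v == vid and p != in_port}
        key = (vid, dst)
        if key in self.static_filter:              # administrator-configured decision wins
            return sorted(members & self.static_filter[key])
        if dst != BROADCAST and key in self.dynamic:
            port = self.dynamic[key][0]
            return [port] if port in members else []
        return sorted(members)                     # broadcast or unknown unicast: flood, but only within the VLAN
```

Because the learned table is keyed by (VID, MAC), a host in VLAN 20 addressing a MAC that lives in VLAN 10 only causes a flood inside VLAN 20; nothing reaches ports 2 or 3.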
Summary
A VLAN is a broadcast domain created by switches. VLANs simplify network administration and can help reduce its cost. VLANs allow the formation of virtual workgroups, better security, improved performance, simplified network administration and reduced network costs. VLANs are formed by logical segmentation of a network and can be classified into different Layers. Tagging and the filtering database allow a switch to determine the source and destination VLAN for received data. If VLANs are implemented correctly they can bring great performance and security improvements to a Local Area Network.