So what benefits do VLANs give us?
Broadcast domain: each VLAN is its own broadcast domain, so a broadcast on one VLAN never reaches hosts on another.
Security: VLANs keep the data packets of different networks separated from one another.
Dividing critical network traffic: networks often contain a device or system that requires a large amount of network bandwidth, and a VLAN of its own keeps that traffic apart from everything else.
Because VLANs support a logical grouping of network devices, they reduce broadcast traffic and allow more control in implementing security policies. Surveillance traffic is then visible only to those authorized to see it, and bandwidth is available whenever it is needed. This article originally appeared in the August issue of Security Today.
The Truth about VLANs
What security integrators need to know
By Steven Olen, Aug 01,
A common misperception among security system integrators is that an IP surveillance network must be separate and distinct from the corporate or campus data network and the voice network. Integrators assume that separate networks are the only way to meet two important requirements:
Security: only authorized users physically connected to the network will have access to video surveillance traffic, and unwanted users will be kept out.
Bandwidth availability: a dedicated network ensures that bandwidth will always be reserved for the surveillance traffic as needed.
Security integrators are often not aware that these same security and bandwidth requirements can be met on one shared network by using VLAN technology.
What is a VLAN?
Trunk links, on the other hand, are a bit more complicated. Because they carry frames from all VLANs, the frames must be identified somehow as they traverse switches. This is called VLAN tagging. Of the two, what might come as a surprise is that a trunk link can also be configured to act as an access link when a device (a computer or a switch) that does not support VLAN trunking connects to it. This means that if you connect a computer to a trunk port on a switch, the port automatically places the computer's untagged frames in one specific VLAN, the trunk's native VLAN.
During initial network configuration, all switches are configured as members of the same VTP domain, and VLAN information is then automatically sent to every member of the domain. A related feature, VTP pruning, forwards broadcast and unknown-unicast frames on a VLAN across a trunk link only if the switch at the receiving end of that trunk has ports assigned to the VLAN. In practice, this means that if a broadcast occurs on VLAN 5 and a particular switch has no ports assigned to VLAN 5, it never receives that broadcast through its trunk link. This translates to a major reduction in the broadcast and multicast traffic received by edge switches in a VLAN network.
I am taking a short detour from my intent to make this book vendor-neutral because MVRP, the standards-based VLAN registration protocol, is not implemented consistently across all VLAN implementations. Vendors like Cisco have their own methods of replicating VLAN information (VTP, in Cisco's case). However, the challenges described here are common to many VLAN replication schemes.
VTP runs only over trunks and requires configuration on both sides. At a minimum, failing to ensure that all Q-switches are aware of a VLAN and its current configuration results in dropped packets and an inability to reach required resources. Worse, attackers or hapless users can leverage VTP, intentionally or accidentally, to cause a widespread denial of service (DoS). This is possible because of the way VTP propagates information.
Each new configuration is advertised together with its change sequence number (the configuration revision number). For example, the first change to the network VLAN configuration has sequence number 1, the second change has sequence number 2, and so on. By default, when a VTP-enabled switch receives an advertisement, it compares the advertised sequence number to the number of the last change it recorded. If the advertised number is higher, the switch flushes its old VLAN configuration and replaces it with the advertised one, whatever that advertisement contains.
This works well until someone attaches a switch that carries the same domain name and a higher sequence number, for example a lab or spare switch that once belonged to the domain. When that happens, the old configuration is flushed across all switches and the network stops working. One way to mitigate this risk is to turn off VTP on every switch. This is probably the best solution for small networks, but manually managing VLAN changes across large networks is much easier with VTP enabled.
A second alternative is to configure each switch's VTP role according to its function, limiting which switches can create or distribute VLAN changes. The options include:
server: the switch can create, modify and delete VLANs and advertises them to the domain;
client: the switch accepts advertisements but cannot change the VLAN database itself;
transparent: the switch keeps its own local VLAN database, ignores advertisements and only relays them to other switches.
Note that a client with a higher sequence number still overwrites the servers, so the role alone is not a defense. You can also prevent unwanted changes by requiring authentication with a VTP domain password. Still, none of us would ever make a mistake and load the wrong configuration. Regardless of how you configure VTP, it remains an unnecessary risk to your network. Cisco recommends turning it off; implement a documented VLAN management process, integrated into your change management activities, to ensure proper propagation of changes.
VLANs segment a network and maintain isolation between segments.
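The sequence-number takeover described above, as an added example that is not part of the book: a small Python model of a VTP-style switch that accepts an advertisement only when the domain and password digest match and the revision is higher, with the transparent role ignoring advertisements altogether. Switch names, the domain name, the password and the digest inputs are assumptions made for illustration; real VTP messages carry more fields than this.

```python
import hashlib
from dataclasses import dataclass, field

# Added example (not from the book): a simplified model of how a VTP-style
# switch decides whether to accept an advertisement. The digest inputs below
# are an assumption made for illustration; real VTP carries more fields.


def vtp_digest(domain: str, password: str, revision: int, vlans: dict) -> str:
    """MD5 over the domain, password, revision and VLAN database (simplified)."""
    body = f"{domain}|{password}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(body).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict          # vlan id -> name
    digest: str


@dataclass
class Switch:
    name: str
    domain: str
    password: str = ""
    mode: str = "server"         # "server", "client" or "transparent"
    revision: int = 0
    vlans: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def advertise(self) -> Advertisement:
        digest = vtp_digest(self.domain, self.password, self.revision, self.vlans)
        return Advertisement(self.domain, self.revision, dict(self.vlans), digest)

    def receive(self, adv: Advertisement) -> bool:
        """Return True if the advertisement replaced the local VLAN database."""
        if self.mode == "transparent":
            self.log.append("ignored: transparent mode keeps its own database")
            return False
        if adv.domain != self.domain:
            self.log.append("ignored: VTP domain mismatch")
            return False
        # A wrong domain password means the digest does not verify.
        if adv.digest != vtp_digest(adv.domain, self.password, adv.revision, adv.vlans):
            self.log.append("ignored: digest mismatch (wrong password)")
            return False
        # Default behaviour: the higher revision wins, whatever it contains.
        if adv.revision <= self.revision:
            self.log.append(f"ignored: revision {adv.revision} <= {self.revision}")
            return False
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        self.log.append(f"database replaced by revision {adv.revision}")
        return True


def rogue_takeover(rogue_password: str, victim_mode: str = "client") -> Switch:
    """Plug a spare switch (revision 200, one VLAN) into a domain at revision 12."""
    victim = Switch("core-1", "CAMPUS", password="s3cret", mode=victim_mode,
                    revision=12, vlans={10: "users", 20: "servers", 30: "cameras"})
    rogue = Switch("lab-spare", "CAMPUS", password=rogue_password,
                   revision=200, vlans={1: "default"})
    victim.receive(rogue.advertise())
    return victim


if __name__ == "__main__":
    for pw, mode in (("s3cret", "client"), ("wrong", "client"), ("s3cret", "transparent")):
        v = rogue_takeover(pw, mode)
        print(f"{mode:11s} password={pw!r:9} -> {v.log[-1]}; vlans={sorted(v.vlans)}")
```

Run as a script, the first case shows the three production VLANs wiped by the spare switch's single default VLAN; the password stops a rogue that does not know it, and only the transparent role is immune to a rogue that does.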
When hosts in different VLANs need to talk to one another, the only way to enable it is L3 routing, using one of two approaches: an external router, or switch virtual interfaces (SVIs) configured on the Q-switch.
Inter-VLAN routing with a router is very simple: each VLAN gets its own physical router interface, and that interface's address is the VLAN's default gateway. In our example, I would assign the router interface addresses of This works if you have spare router ports and minimal need for inter-VLAN routing. However, it does not scale.
A better approach is what is often called a router-on-a-stick, or a one-armed router. It requires a router capable of trunk port configuration with support for sub-interfaces. Figure depicts how this works. A trunk is configured between the Q-switch and the router. The router is configured with multiple sub-interfaces, one for each routed VLAN, and each sub-interface is tied to its VLAN's tag. Connected devices in each VLAN use the address of the relevant sub-interface as their default gateway. The routing table is applied to packets as they enter the sub-interfaces. Depending on the router, this configuration can support sub-interfaces.
A new routing concept is introduced here: the router L3 ACL, an access list applied to an interface or sub-interface that permits or denies packets before they are routed. This also applies to virtual L3 interfaces in Q-switches. If you want to minimize the use of physical routers, Q-switches capable of L3 routing are a good solution. Q-switch routing consists of creating multiple SVIs, assigning each to a subnet and maintaining a routing table. Again, the connected devices use the relevant SVI address as their default gateway.
We already looked at segmentation and the use of access control lists to protect system attack surfaces.
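The one-armed router and its L3 ACLs, as an added example that is not part of the book: a toy Python router that maps the VLAN tag a packet arrived with to a sub-interface, applies that sub-interface's inbound ACL (first match wins, implicit deny at the end of a non-empty list), rejects sources that do not belong to the ingress subnet, and then picks the egress VLAN by the connected subnet that owns the destination. The subnets, VLAN numbers and ACL rules are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the book): a toy router-on-a-stick. Packets arrive on a
# trunk with a VLAN tag, are matched to a sub-interface, checked against that
# sub-interface's inbound L3 ACL, then routed to the sub-interface (VLAN) that
# owns the destination subnet. Addresses, VLANs and ACL rules are assumptions.


@dataclass(frozen=True)
class Packet:
    vlan: int            # 802.1Q tag the packet arrived with on the trunk
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any protocol
    src: str             # CIDR
    dst: str             # CIDR
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class OneArmedRouter:
    def __init__(self):
        self.subifs = {}     # vlan -> (gateway interface, inbound ACL)

    def add_subinterface(self, vlan: int, gateway_cidr: str, acl_in=()):
        self.subifs[vlan] = (ipaddress.ip_interface(gateway_cidr), list(acl_in))

    def route(self, p: Packet) -> Optional[int]:
        """Return the VLAN tag the packet leaves with, or None if it is dropped."""
        if p.vlan not in self.subifs:
            return None                      # tag with no sub-interface: not routed
        iface, acl = self.subifs[p.vlan]
        if ipaddress.ip_address(p.src) not in iface.network:
            return None                      # source not in ingress subnet: spoofed
        for entry in acl:                    # first match wins
            if entry.matches(p):
                if entry.action == "deny":
                    return None
                break
        else:
            if acl:
                return None                  # non-empty ACL ends in an implicit deny
        dst = ipaddress.ip_address(p.dst)
        for vlan, (ifc, _) in self.subifs.items():
            if dst in ifc.network:           # connected route -> egress sub-interface
                return vlan
        return None                          # no route


def build_router() -> OneArmedRouter:
    """Assumed topology: users (VLAN 10), servers (VLAN 20), cameras (VLAN 30)."""
    r = OneArmedRouter()
    # Users may reach the servers on HTTPS but never the camera VLAN.
    r.add_subinterface(10, "10.0.10.1/24", [
        AclEntry("permit", "tcp", "10.0.10.0/24", "10.0.20.0/24", 443),
        AclEntry("deny", "ip", "0.0.0.0/0", "10.0.30.0/24"),
        AclEntry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ])
    r.add_subinterface(20, "10.0.20.1/24")   # servers: no inbound ACL
    # Cameras may only talk to the recorder subnet; everything else is denied.
    r.add_subinterface(30, "10.0.30.1/24", [
        AclEntry("permit", "ip", "10.0.30.0/24", "10.0.20.0/24"),
    ])
    return r


if __name__ == "__main__":
    r = build_router()
    for p in (Packet(10, "10.0.10.5", "10.0.20.8", "tcp", 443),
              Packet(10, "10.0.10.5", "10.0.30.4", "tcp", 80),
              Packet(30, "10.0.30.4", "10.0.10.5", "icmp")):
        print(p, "->", r.route(p))
```

The camera ACL is the point of the surveillance discussion earlier in the page: the cameras can only reach the recorder subnet, and nothing on the user VLAN can reach the cameras, even though all three VLANs share one trunk to one router.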
However, switches and the VLANs they manage each have their own attack surface. Out of the box, most Q-switches are not ready to help protect anything. The first step in securing a switch is restricting physical access: make sure it is behind a locked door. Under no circumstances should unauthorized people gain physical access to it or to any other infrastructure equipment. Under no circumstances should remote or local access be password-free. For example, require authentication on the SSH management interface, and disable Telnet, which sends credentials and session contents in clear text.
Further, access should conform to the roles performed by each person with management responsibilities. In many organizations, privileged access to a switch means full access: regardless of role, each administrator can perform any management task on the device. This is never a good idea. Instead, configure the switch so that each user has a unique login and password, and grant full access to no more than one or two administrators.
Finally, configure password encryption so that credentials are not stored in clear text in the configuration; be aware that reversible encodings (Cisco's type 7, for example) are trivially decoded, so prefer hashed secrets. In addition to access controls, make sure accounting is properly configured and integrated into your log management processes. Accounting tracks every configuration change made by an authenticated user. Knowing who did what, and when, is valuable if something breaks or the network behaves in unexpected ways.
Once you take these basic steps, it is time to look at secure configurations for VLANs. Most, if not all, successful attacks against VLANs are the result of poor switch configuration.
Allow only relevant VLANs to use each trunk. If you know there is no reason for a broadcast packet from VLAN 1, for example, to move over a specific trunk, block it.
Earlier we saw that a switch learns each source MAC address it sees, together with the port it arrived on, into its MAC address table (the CAM table), and that entries age out and are removed to make room for more active devices. A frame whose destination MAC address is not in the table is flooded out of every port in that VLAN, since the switch does not know which port leads to the destination. If the table fills up, the switch can no longer learn new addresses, and traffic for any address that is not in the table is flooded out of every port in the VLAN. This essentially turns the switch into a hub. An attacker exploits this by continuously sending a large number of frames with spoofed source MAC addresses to the switch, filling the CAM table (see Figure). Programs like dsniff (its macof tool) provide this capability.
As legitimate entries age out, the switch replaces them with entries from the continuous flow of attack frames. Once the switch begins flooding frames out of all ports, the attacker can capture data or take advantage of the opportunity to spoof one or more MAC addresses. Spoofing a victim's MAC address, or poisoning ARP caches, lets the attacker keep some access after the flooding attack ends. Preventing MAC flooding requires one or more port security steps: limiting the number of MAC addresses a port is allowed to learn, statically defining (or "stickily" learning) the addresses permitted on the port, and choosing what happens on a violation. Once port security is enabled, a port receiving a frame with an unknown MAC address beyond its limit drops the frame (and may block the address) or shuts the port down; the administrator determines which during port-security configuration.
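The CAM-table flood and the port-security defense, as an added example that is not part of the book: a toy Python learning switch whose table ages out its least recently refreshed entry when full (an approximation of real aging timers), with an optional per-port MAC limit whose violation action is to shut the port down. Port numbers, MAC addresses, the table capacity of 16 entries and the flood of 500 random source addresses are all constructed for illustration.

```python
import random
from collections import OrderedDict

# Added example (not from the book): a toy learning switch whose MAC table ages
# out the least recently refreshed entry when full (an approximation of real
# aging), with optional port security limiting the MACs a port may learn.
# Capacity, MAC addresses and port numbers are constructed for illustration.


class LearningSwitch:
    def __init__(self, ports, cam_capacity=16, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()                 # mac -> port, oldest entry first
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs_per_port        # None = port security disabled
        self.secure = {p: set() for p in ports}  # MACs learned per port
        self.shutdown = set()                    # ports err-disabled by a violation
        self.floods = 0

    def learn(self, mac, port) -> bool:
        """Learn mac on port; False means the frame must be dropped."""
        if port in self.shutdown:
            return False
        if (self.max_macs is not None and mac not in self.secure[port]
                and len(self.secure[port]) >= self.max_macs):
            self.shutdown.add(port)              # violation mode "shutdown"
            return False
        self.secure[port].add(mac)
        if mac in self.cam:
            self.cam.move_to_end(mac)            # refresh the aging timer
        else:
            if len(self.cam) >= self.cam_capacity:
                old_mac, old_port = self.cam.popitem(last=False)   # age out oldest
                self.secure[old_port].discard(old_mac)
            self.cam[mac] = port
        return True

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame is sent out of."""
        if not self.learn(src_mac, in_port):
            return []
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            self.floods += 1                     # unknown destination: flood the VLAN
            return [p for p in self.ports if p != in_port]
        return [out]


def simulate(max_macs_per_port=None, flood_frames=500, seed=1) -> dict:
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 sprays random
    source MACs, as dsniff's macof does. Returns where A->B traffic lands before
    and after the flood, and which ports port security shut down."""
    rng = random.Random(seed)
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=16,
                        max_macs_per_port=max_macs_per_port)
    host_a, host_b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    sw.forward(host_a, host_b, 1)
    sw.forward(host_b, host_a, 2)
    before = sw.forward(host_a, host_b, 1)       # known destination: unicast to port 2
    for _ in range(flood_frames):
        fake = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        sw.forward(fake, "ff:ff:ff:ff:ff:ff", 3)
    after = sw.forward(host_a, host_b, 1)
    return {"before": before, "after": after, "shutdown": sorted(sw.shutdown)}


if __name__ == "__main__":
    print("no port security:      ", simulate())
    print("port security, 1 MAC:  ", simulate(max_macs_per_port=1))
```

Without port security the A-to-B unicast that was delivered only to port 2 is, after the flood, delivered to port 3 as well, which is the attacker's sniffing position; with a one-address limit the attacker's second spoofed source shuts port 3 down and the unicast path is unaffected.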
The two most common VLAN hopping attack vectors are dynamic port configuration and double tagging.
Q-switches often provide dynamic port configuration. This lets a switch decide automatically whether a port becomes an access port or a trunk port. An access port is any non-trunk port assigned to a VLAN. Superficially, this seems like a good idea. The dynamic trunking protocol (DTP) is designed specifically for this: if one Q-switch sends a DTP request to another Q-switch, a trunk is automatically created on the relevant port. This is great if it is not used maliciously.
First, a desktop or laptop is attached to a switch port; any open port in the organization will suffice. The machine then sends DTP frames as if it were a switch, the port negotiates itself into a trunk, and the attacker can tag frames into any VLAN the trunk carries.
Double tagging does not depend on DTP; it relies on the trunk's native VLAN, which travels untagged. The attacker, on an access port in the native VLAN, sends a frame carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag because the native VLAN is sent untagged on the trunk, which exposes the inner tag. The second switch sees the packet as belonging to VLAN 20 and sends it to all appropriate ports. The defense is to not use DTP and to set all switch ports on edge switches to access ports from the start; against double tagging, also keep the native VLAN distinct from every user VLAN, tag it on trunks, and never place user ports in it. Figure 5
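The double-tagging path, as an added example that is not part of the book: Python code that builds genuine 802.1Q frame bytes with two tags and pushes them through a toy pair of switches (an access port on the first, a trunk between them) to show the inner tag surfacing in VLAN 20, and then shows the result with the native VLAN tagged, with a native VLAN no user port sits in, and with tagged frames refused on access ports. The switch behaviour is modelled here and is not any vendor's implementation; the MAC addresses and VLAN numbers are assumptions.

```python
import struct

# Added example (not from the book): real 802.1Q frame bytes run through a toy
# two-switch path to show why double tagging works and which settings stop it.
# Switch behaviour is modelled, not taken from any vendor's code; addresses and
# VLAN numbers are assumptions.

TPID_8021Q = 0x8100


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, vlan_tags, ethertype=0x0800, payload=b"") -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags, outermost first."""
    hdr = mac(dst) + mac(src)
    for vid in vlan_tags:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits zero
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame: bytes):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


class Switch:
    def __init__(self, native_vlan=1, tag_native=False, drop_tagged_on_access=False):
        self.native_vlan = native_vlan
        self.tag_native = tag_native                    # tag the native VLAN on trunks
        self.drop_tagged_on_access = drop_tagged_on_access

    def from_access_port(self, frame: bytes, access_vlan: int):
        """Ingress on an access port: (vlan, frame), or (None, None) if dropped."""
        vid, inner = pop_tag(frame)
        if vid is None:
            return access_vlan, frame
        if self.drop_tagged_on_access or vid != access_vlan:
            return None, None
        return access_vlan, inner       # outer tag consumed; any inner tag survives

    def to_trunk(self, vlan: int, frame: bytes) -> bytes:
        """Egress on a trunk: the native VLAN goes untagged unless tag_native is set."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return push_tag(frame, vlan)

    def from_trunk(self, frame: bytes):
        """Ingress on a trunk: untagged frames belong to the native VLAN."""
        vid, inner = pop_tag(frame)
        return (self.native_vlan, frame) if vid is None else (vid, inner)


def double_tag_attack(native_vlan=1, attacker_vlan=1, target_vlan=20,
                      tag_native=False, drop_tagged_on_access=False):
    """Attacker on an access port sends [outer=attacker_vlan][inner=target_vlan].
    Returns the VLAN the second switch delivers the frame into (None if dropped)."""
    sw1 = Switch(native_vlan, tag_native, drop_tagged_on_access)
    sw2 = Switch(native_vlan, tag_native, drop_tagged_on_access)
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa",
                        [attacker_vlan, target_vlan], payload=b"hopped")
    vlan, frame = sw1.from_access_port(frame, attacker_vlan)
    if vlan is None:
        return None
    on_wire = sw1.to_trunk(vlan, frame)           # native VLAN: leaves the inner tag exposed
    delivered_vlan, _ = sw2.from_trunk(on_wire)
    return delivered_vlan


if __name__ == "__main__":
    print("default (native 1, attacker in 1):", double_tag_attack())
    print("native VLAN tagged on trunk:      ", double_tag_attack(tag_native=True))
    print("unused native VLAN 99:            ", double_tag_attack(native_vlan=99))
    print("tagged frames dropped on access:  ", double_tag_attack(drop_tagged_on_access=True))
```

The attack only works in one direction (the attacker cannot receive replies in VLAN 20) and only when the attacker's access VLAN equals the trunk's native VLAN, which is why moving the native VLAN to an unused number, or tagging it, is enough to stop it.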