CertiGuide to Security+
Chapter 3: Infrastructure Security (Domain 3.0; 20%)
3.3 Security Topologies


3.3.2  VLANs (Virtual LANs)

A VLAN, or Virtual LAN, is a logical subnet created through configuration of networking switches. It may be part of a larger LAN or WAN.

One benefit of a VLAN is that you get the advantages of a subnet without requiring hosts to be physically near each other or connected to the network with the same physical technology (for example, 100BaseT UTP versus fiber). Switches and other network devices can be configured to pass traffic that would not normally cross subnet boundaries (such as broadcast packets) so that it is shared among multiple physical subnets, using a trunking protocol such as the emerging 802.1q standard or the more secure 802.10 standard. Conversely, VLAN technology can also be used to break a single physical subnet into multiple logical subnets, reducing collisions and broadcast overhead.

VLAN

A VLAN (virtual LAN) is a logical subnet created by configuring network switches. It provides the benefits of a subnet without requiring that the devices on the VLAN be located near each other or connect using the same physical technology.


An investigation into the security vulnerabilities of VLANs shows that it is not wise to assume that partitioning your network into VLANs provides the same level of protection as subnetting it or carefully designing a routed network that directs traffic appropriately. Researchers discovered through experimentation that 802.1q trunking frames can be made to hop into a switch's non-trunk ports and be delivered to their destination, and that 802.1q frames can be made to hop from one VLAN to another if they are sent through a switch port attached to the native VLAN of the trunk port. While an attacker needs some network knowledge (such as the MAC address of the target machine and the VLAN trunk configuration) and access (to a switch port on the same VLAN that the trunk port is assigned to) to pull this off, it is often not impossible, depending on the configuration of the VLAN.[330]

VLAN is Good, not Perfect

A VLAN does NOT provide the same level of security as a true subnet created by putting a network segment on its own router port.
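The hop described above relies on a frame that carries more than one 802.1q tag, with the outer tag matching the trunk's native VLAN. The following Python is an added example, not code from the CertiGuide text or from the cited SANS article: it parses the Ethernet header of raw frames, peels off every stacked VLAN tag, and reports the frames a monitor on a given switch port should flag (double-tagged frames, an outer tag carrying the native VLAN ID, and tagged frames arriving on an access port). The sample frames, the `native_vlan`/`port_is_trunk` inputs, and the finding strings are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List

# TPID values that introduce a VLAN tag: the 802.1Q customer tag and the
# 802.1ad service tag (QinQ); the latter is treated like another 802.1Q tag.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8


@dataclass
class Frame:
    dst: str
    src: str
    vlan_ids: List[int]  # outermost tag first
    ethertype: int       # EtherType of the encapsulated payload
    payload: bytes


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Walk the Ethernet header and peel off every stacked VLAN tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    offset = 12
    vlan_ids: List[int] = []
    while True:
        if len(raw) < offset + 2:
            raise ValueError("frame truncated inside the header")
        (ethertype,) = struct.unpack("!H", raw[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            offset += 2
            break
        if len(raw) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        (tci,) = struct.unpack("!H", raw[offset + 2:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return Frame(dst, src, vlan_ids, ethertype, raw[offset:])


def classify(frame: Frame, native_vlan: int, port_is_trunk: bool) -> List[str]:
    """Findings a monitor would raise for one frame seen on a given port.

    native_vlan and port_is_trunk describe the switch port the frame was
    captured on; both are hypothetical inputs supplied by the caller.
    """
    findings = []
    if len(frame.vlan_ids) > 1:
        findings.append("double-tagged frame")
    if frame.vlan_ids and frame.vlan_ids[0] == native_vlan:
        # Native-VLAN traffic is normally sent untagged on a trunk; an explicit
        # native-VLAN outer tag is the pattern the text describes.
        findings.append("outer tag carries the native VLAN ID")
    if frame.vlan_ids and not port_is_trunk:
        findings.append("tagged frame received on an access port")
    return findings


# Constructed sample frames (not captures). Header layout:
#   dst MAC (6) | src MAC (6) | [TPID (2) TCI (2)]* | EtherType (2) | payload
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("001122334455")
SAMPLE_PAYLOAD = bytes.fromhex("4500001c0001000040117ccb0a0000010a000002")

UNTAGGED = SAMPLE_DST + SAMPLE_SRC + bytes.fromhex("0800") + SAMPLE_PAYLOAD
SINGLE_TAG_VLAN10 = (SAMPLE_DST + SAMPLE_SRC
                     + bytes.fromhex("8100000a")     # one tag, VLAN 10
                     + bytes.fromhex("0800") + SAMPLE_PAYLOAD)
DOUBLE_TAG_1_THEN_20 = (SAMPLE_DST + SAMPLE_SRC
                        + bytes.fromhex("81000001")  # outer tag, VLAN 1
                        + bytes.fromhex("81000014")  # inner tag, VLAN 20
                        + bytes.fromhex("0800") + SAMPLE_PAYLOAD)


def scan(frames, native_vlan: int, port_is_trunk: bool):
    """Return (index, vlan_ids, findings) for every frame that raised a finding."""
    hits = []
    for i, raw in enumerate(frames):
        frame = parse_frame(raw)
        findings = classify(frame, native_vlan, port_is_trunk)
        if findings:
            hits.append((i, frame.vlan_ids, findings))
    return hits


if __name__ == "__main__":
    # Monitoring a trunk port whose native VLAN is 1: only the double-tagged
    # frame is reported.
    for hit in scan([UNTAGGED, SINGLE_TAG_VLAN10, DOUBLE_TAG_1_THEN_20],
                    native_vlan=1, port_is_trunk=True):
        print(hit)
```

The same `classify` call with `port_is_trunk=False` models an access port, where any tagged frame is suspicious; in practice the parser would be fed from a capture library and the native VLAN ID from the switch configuration, which is also where the usual mitigations live (an unused native VLAN on trunks, and access ports that never negotiate trunking).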



 __________________

330. Taylor, David, “Are There Vulnerabilities in VLAN Implementations?”, http://www.sans.org/resources/idfaq/vlan.php



CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.