3.3.2 VLANs (Virtual LANs)
A VLAN, or Virtual LAN, is a logical subnet created through configuration of networking switches. It may be part of a larger LAN or WAN.
One benefit of VLAN is that you can get the benefits of a subnet without requiring hosts to be in physical proximity to each other, or connected to the network using the same physical technology (such as 100BaseT UTP vs. fiber). Switches and other network devices can be configured to pass data that would not normally be passed between subnets (such as broadcast packets) so that it is shared among multiple physical subnets, via a trunking protocol such as the emerging 802.1q standard, or the more secure 802.10 standard. Conversely, you can also use VLAN technology to break a single physical subnet into multiple logical subnets, reducing collisions and broadcast overhead.
An investigation into security vulnerabilities of VLANs reveals that it is not wise to assume that partitioning your network into VLANs provides the same level of protection as sub-netting it or carefully designing a routed network the directs traffic appropriately. Researchers discovered through experimentation that it is possible to get the 802.1q trunking frames to hop into a switchs non-trunk ports and be delivered to their destination, and that it is possible to get 802.1q frames to hop from one VLAN to another if the frames are sent through a switch port attached to the native LAN of the trunk port. While an attacker requires some network knowledge (such as the MAC address of the target machine, and VLAN trunk configuration data) and access (to a switch port on the same VLAN that the trunk port is assigned to) to pull this off, its often not impossible, depending on the configuration of the VLAN.330
330. Taylor, David, Are There Vulnerabilities in VLAN Implementations?, http://www.sans.org/resources/idfaq/vlan.php
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.