04-09-2014, 09:38 AM
NETWORK SECURITY – SECURING LAYER 2 USING VLAN
INTRODUCTION
In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN or VLAN. This is usually achieved on switch or router devices. Simpler devices only support partitioning on a port level (if at all), so sharing VLANs across devices requires running dedicated cabling for each VLAN. More sophisticated devices can mark packets through tagging, so that a single interconnect (trunk) may be used to transport data for various VLANs.
Grouping hosts with a common set of requirements by VLAN, regardless of their physical location, can greatly simplify network design. A VLAN has the same attributes as a physical local area network (LAN), but it allows end stations to be grouped together more easily even if they are not on the same network switch. VLAN membership can be configured through software instead of physically relocating devices or connections. Most enterprise-level networks today use the concept of virtual LANs. Without VLANs, a switch considers all of its interfaces to be in the same broadcast domain.
WHY SECURITY TO LAYER 2
• End users connect to switches, which belong to Layer 2.
• So, in order to control or restrict access to specific resources, we need to implement security features at Layer 2.
• Moreover, Layer 2 cannot stop forwarding broadcast packets, which lets an internal attacker poison ARP tables easily and thereby capture the traffic of the entire network.
• So one of the best solutions is implementing VLANs in the campus network.
VIRTUAL LOCAL AREA NETWORK (VLAN)
A VLAN is a logical group of end devices. Broadcasts are contained within VLANs. Modern design has 1 VLAN = 1 IP subnet. Trunks connect switches so as to transport multiple VLANs. Layer 3 devices interconnect VLANs. The above diagram shows the basic VLAN technology. One of the uses of VLANs is security: because broadcasts are contained within a VLAN, an Address Resolution Protocol (ARP) poisoning attack is confined to the attacker's own VLAN instead of the whole network. [ARP poisoning is an attack in which the attacker corrupts a device's ARP table in order to intercept that device's traffic.]
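As an added example (not part of the original document), the following Python script ties together the two points made above: the 802.1Q tag that lets a single trunk carry several VLANs, and the fact that ARP poisoning is confined to one broadcast domain. It builds a few tagged Ethernet frames carrying ARP replies, parses the VLAN ID and the ARP sender fields back out, and tracks which MAC claims each IP separately per VLAN; an IP that changes MAC within one VLAN is reported as a conflict, while the same IP appearing in two different VLANs is deliberately not flagged. All frames, MAC addresses, IP addresses and VLAN IDs are constructed for the example; the first binding seen for an IP is treated as the trusted one, which is a simplification.

```python
"""Parse 802.1Q-tagged frames carrying ARP and flag conflicting IP-to-MAC
claims per VLAN.  Added example; every frame below is constructed."""
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100   # TPID that marks a VLAN-tagged frame
ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_tagged_arp_reply(vid, sender_mac, sender_ip, target_mac, target_ip, pcp=0):
    """Build an 802.1Q frame around an ARP reply, as a switch would place it
    on a trunk.  TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    eth_hdr = mac_bytes(target_mac) + mac_bytes(sender_mac)          # dst, src
    vlan_tag = struct.pack("!HH", ETH_P_8021Q, tci)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)        # Ethernet/IPv4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth_hdr + vlan_tag + struct.pack("!H", ETH_P_ARP) + arp


def parse_frame(frame: bytes):
    """Return (vid, ethertype, payload); an untagged frame yields vid None."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        return tci & 0x0FFF, ethertype, frame[18:]
    return None, ethertype, frame[14:]


def parse_arp(payload: bytes):
    """Return opcode and sender MAC/IP, or None if not IPv4-over-Ethernet ARP."""
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", payload, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = payload[8:14].hex(":")
    sender_ip = ".".join(str(b) for b in payload[14:18])
    return {"op": op, "smac": sender_mac, "sip": sender_ip}


def find_arp_conflicts(frames):
    """Keep one IP->MAC table per VLAN; report (vid, ip, old_mac, new_mac)
    whenever an ARP reply claims an IP with a different MAC than first seen."""
    tables = defaultdict(dict)   # vid -> {ip: mac}
    conflicts = []
    for frame in frames:
        vid, ethertype, payload = parse_frame(frame)
        if ethertype != ETH_P_ARP:
            continue
        arp = parse_arp(payload)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        table = tables[vid]
        previous = table.get(arp["sip"])
        if previous is not None and previous != arp["smac"]:
            conflicts.append((vid, arp["sip"], previous, arp["smac"]))
        table.setdefault(arp["sip"], arp["smac"])   # first binding is kept
    return conflicts


# Constructed trunk traffic: VLAN 10 and VLAN 20 both use 10.0.0.0/24, which is
# legitimate because each VLAN is its own broadcast domain.
GATEWAY_V10 = "00:00:5e:00:01:01"
GATEWAY_V20 = "00:00:5e:00:01:02"
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
SAMPLE_FRAMES = [
    build_tagged_arp_reply(10, GATEWAY_V10, "10.0.0.1", HOST_A, "10.0.0.50"),
    build_tagged_arp_reply(20, GATEWAY_V20, "10.0.0.1", HOST_B, "10.0.0.60"),
    # Third frame: a second station in VLAN 10 claims the gateway's IP.
    build_tagged_arp_reply(10, "de:ad:be:ef:00:01", "10.0.0.1", HOST_A, "10.0.0.50"),
]

if __name__ == "__main__":
    for vid, ip, old, new in find_arp_conflicts(SAMPLE_FRAMES):
        print(f"VLAN {vid}: {ip} changed from {old} to {new}")
```

Running the script reports exactly one conflict, in VLAN 10; the identical IP announced in VLAN 20 never enters VLAN 10's table, which is the isolation property the section relies on.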
A. END-TO-END VLAN
Each VLAN is distributed geographically throughout the network. Users are grouped into VLANs regardless of their physical location, which eases network management. As a user moves throughout a campus, the VLAN membership for that user remains the same, so the user can access the allowed resources from anywhere in the campus.
B. LOCAL VLAN
Create local VLANs with physical boundaries in mind rather than the job functions of the users. Traffic from a local VLAN is routed at the routers. One to three VLANs per switch are recommended.
C. PRIVATE VLAN
Service providers often have devices from multiple clients, in addition to their own servers, in a single Demilitarized Zone (DMZ) segment or VLAN. As security issues abound, it becomes more important to provide traffic isolation between devices, even though they might exist on the same Layer 3 segment and VLAN. Most Cisco IOS-based switches implement private VLANs to keep some switch ports shared and some switch ports isolated, even though all ports remain in the same VLAN. There are three variations of the private VLAN (PVLAN). They are