|VLAN Security - Making the Most of VLANs|
|Written by Administrator|
|Wednesday, 08 June 2011 01:22|
Take a look under the hood of this powerful networking tool so that your agency can reap the benefits of bandwidth, availability and security.
It's easy to see why virtual LANs have become extremely popular on networks of all sizes. In practical terms, multiple VLANs are pretty much the same as having multiple separate physical networks within a single organization — without the headache of managing multiple cable plants and switches.
Because VLANs segment a network, creating multiple broadcast domains, they effectively allow traffic from the broadcast domains to remain isolated while increasing the network's bandwidth, availability and security.
Most managed switches are VLAN-capable, but this doesn't mean that they all perform the job equally well. The market has been flooded by thousands of switches that seem to do the job, but special consideration must be taken before making a purchase.
A switch in a VLAN-enabled network needs to do a lot more than just switch packets between its ports.
Core backbone switches undertake the hefty task of managing the network's VLANs to ensure everything runs smoothly. The tasks of these switches include prioritizing network packets based on their source and destination (essentially Q uality of S ervice), ensuring all edge switches are aware of the VLANs configured in the network, continuously monitoring for possible network loops on every VLAN, switching packets between VLANs as required and ensuring network security according to their configuration .
Edge switches, also known as access switches, are dedicated to the end devices: user workstations , network peripherals and sometimes servers (most IT administrators rightly prefer to connect servers directly to the core- backbone switches). The edge switches must be compatible with the VLAN features that the core backbone switches support, otherwise unavoidable problems will arise because of incompatibilities among the switch devices.
This is one reason many organizations standardize when it comes to network equipment from companies that include Cisco Systems, HP and Juniper Networks.
When deploying VLANs, here are five key considerations to address:
1. Links on VLAN Switches
VLAN switches have two main types of links: access links and trunk links.
Access Links are the most common type of links on any VLAN capable switch. All network hosts connect to the switch's Access Links to gain access to the local network. These links are the ordinary ports found on every switch, but configured to access a particular VLAN.
Trunk Links are the links that connect two VLAN capable switches together. While an Access Link is configured to access a specific VLAN, a Trunk Link is almost always configured to carry data from all available VLANs.
2. Native VLAN, ISL and 802.1q
When a port on a switch is configured as an access link (http://www.firewall.cx/networking-topics/vlan-networks/218-vlan-access-trunk-links.html) , it has access to one specific VLAN. Any network device connecting to it will become part of that VLAN.
Ethernet frames entering or exiting the port are standard Ethernet II type frames (http://www.firewall.cx/networking-topics/ethernet/ethernet-frame-formats/201-ethernet-ii.html) , which are understood by the network device connected to the port. Because these frames belong only to one network, they are said to be “untagged” — meaning that they do not contain any information as to which VLAN they are assigned.
Trunk links on the other hand are a bit more complicated. Because they carry frames from all VLANs, it's necessary to somehow identify the frames as they traverse switches. This is called VLAN tagging.
Two methods known for this job are ISL (Inter-Switch Link, a proprietary Cisco protocol) and IEEE 802.1q. Of the two, 802.1q is the most popular VLAN tagging method and is compatible among all vendors supporting VLAN trunking.
What might come as a surprise is that a trunk link can also be configured to act as an access link when a device (computer or switch) that does not support VLAN trunking connects to it. This means that if you have a trunk link on a switch and connect a computer, the port will automatically provide access to a specific VLAN. The VLAN in this case is known as the “native VLAN,” a common term that refers to the VLAN a trunk port is configured for when acting as an access link.
3.Virtual Trunk Protocol and VTP Pruning
VTP is Cisco proprietary protocol that ensures all VLAN information held by the VTP Server, usually the core switch, is propagated to all network switches within the VTP domain.
During initial network configuration, all switches are configured members of the same VTP domain. With the use of VTP, an IT administrator can create, delete or rename VLANs on the core switch. All information is then automatically sent to all members of the VTP domain. The VTP equivalent for other vendors, such as HP and Juniper, is the Garp VLAN Registration Protocol (GVRP), which has been fine-tuned in the recent years and includes many features implemented previously only in Cisco's VTP Protocol .
VTP pruning (http://www.firewall.cx/networking-topics/vlan-networks/virtual-trunk-protocol.html), an extension to VTP's functionality, ensures that unnecessary network traffic is not sent over trunk links. This is done by forwarding broadcasts and unknown unicast frames on a VLAN, over trunk links, only if the receiving end of the trunk has ports assigned to that VLAN.
In practice, this means that if a network broadcast occurred on VLAN5 for instance, and a particular switch did not have any ports assigned to VLAN5, it would never receive the broadcast traffic through its trunk link. This translates to a major discount in broadcast or multicast traffic received by end switches in a VLAN network.
4. Inter-VLAN Routing
Inter-VLAN routing, as the term implies, is all about routing packets between VLANs. This is perhaps one of the most important features found on advanced switches. Because inter-VLAN routing (http://www.firewall.cx/networking-topics/vlan-networks/222-intervlan-routing.html) directs packets based on their Layer 3 information (the IP address), switches that perform this function are known as Layer 3 switches and, of course, are the most expensive. The core switch is commonly a Layer 3 switch. In cases where a Layer 3 switch is not available, this function can also be performed by a server with two or more network cards or a router, a method often referred to as “router on a stick.”
Because this in one of the most important aspects of a VLAN network, the Layer 3 switch must have a fast switching fabric (measured in Gbps) and provide advanced capabilities such as support for routing protocols, advanced access-lists and firewall . The Layer 3 switch can offer outstanding protection for a VLAN network but can also be a network administrator ' s worst nightmare if not properly configured.
5. Securing VLAN Devices
Even though many administrators and IT managers are aware of VLAN technologies and concepts, that doesn't necessarily hold true when it comes to VLAN security.
The first principle in securing a VLAN network is physical security. If an organization does not want its devices tampered with, physical access must be strictly controlled. Core switches are usually safely located in a data center with restricted access, but edge switches are often located in exposed areas.
Just as physical security guidelines require equipment to be in a controlled space, VLAN-based security requires the use of special tools and following a few best security practices to achieve the desired result.
These best practices include:
• removing console-port cables and introducing password-protected console or virtual terminal access with specified timeouts and restricted access policies;
• applying the same commands to the virtual terminal (telnet/Secure Shell) section and creating an access-list to restrict telnet/SHH access from specific networks and hosts;
• avoiding use of using VLAN1 (the default VLAN) as the network data VLAN ;
• disabling high-risk protocols on any port that doesn't require them (e.g CDP, DTP, PAgP, UDLD);
• deploying VTP domain, VTP pruning and password protections;
• controlling inter-VLAN routing through the use of IP access lists.
For hands-on details about each of these practices, go to fedtechmagazine.com/0211VLANsec .
Raising the Throttle
VLAN technology offers numerous enhancements to the network and provides paths to run multiple services in isolated environments without sacrificing speed, quality and network availability. If the necessary basic security guidelines are taken into consideration during initial implementation and then during ongoing administration, a VLAN can dramatically reduce administrative overhead.
Perhaps the most serious mistake that can be made is to underestimate the importance of the data link layer and of VLANs in particular in the architecture of switched networks.
It should not be forgotten that any network is only as robust as its weakest link, and therefore an equal amount of attention needs to be given to every layer to assure the soundness of the entire structure.
About the Article
This article was originally written by Chris Partsenidis on behalf of fedtechmagazine.com. This article is also available for download in pdf format here: VLAN Security - Making the Most of VLANs
|Last Updated on Monday, 22 October 2012 21:27|