Security Basics mailing list archives
Re: Different terms for the same or more secure?
From: "Hylton Conacher(ZR1HPC)" <hylton () conacher co za>
Date: Thu, 24 Aug 2006 17:48:30 +0200
David Gillett wrote:
> -----Original Message-----
> From: Hylton Conacher(ZR1HPC) [mailto:hylton () conacher co za]
> Sent: Monday, August 21, 2006 3:38 AM
> To: Security basics
> Subject: Different terms for the same or more secure?
>
> Hi all,
>
> Seen a bit of traffic about vlans and as a junior networking person, I am wondering if they could be equal to physical subnets in the TCP/IP protocol.
> What further confuses me is that I read on Google that vlans can also have subnets.
> Could someone define each for me and the list and also why one is more secure than the other.
>
> Tnx
> Hylton
>
> One definition of "subnet" is that it is a contiguous block of host addresses. One typically uses such a block of addresses on a LAN, whether it's physical or virtual.

Physical meaning actually there and virtual meaning there but not physically?

> It's possible to have hosts on a LAN using addresses from multiple blocks, but you generally want to avoid it if possible -- it can lead to two devices being able to see each other's traffic, but not actually communicate, unless you do some extra work.

Provided all the hosts are on the same subnet, ie 192.168.0.x as opposed to 192.168.1.x?

> In a "physical subnet", all of the ports on every switch (and bridge and hub) use addresses in the same block and use the same MAC address tables, and so the hosts can all see each other.
>
> In a VLAN, switch ports are grouped according to which MAC address tables they use; ...

Similar to an IP being divided into subnets, ie one for accounting, another for sales etc? How are the node MAC addresses grouped? I would assume by their subnet, which is exactly what a subnet does. A subnet groups similar nodes together so that they can communicate easily with one another and the switches do not need to liaise with those subnet nodes re other services on other subnets. So what does a VLAN do that a subnet doesn't, and why is one better than the other?

OK. You're starting to get fuzzy as there must be ethernet interference :) Let me get the basics right and solid, then I'll explore the other features...

> ...in order to permit routing between VLANs, it is customary to assign each a different address block. VLANs are especially useful with another switch feature, "trunking", which allows a single physical link to carry traffic tagged for multiple destination VLANs.
>
> With the physical approach, all ports on every switch/hub/whatever are part of the same LAN; if you need two (or ten) different LANs in an area, you need to deploy that many devices (at least...). With VLANs, you deploy a small number of devices with high port density, and map each port to the VLAN it belongs on.

How is the mapping done, ie what decides which VLAN a node belongs to?

OK so a physical subnetted network is 'safer'/'more secure' than a VLAN network.

> There are basically two avenues of vulnerability to VLANs that are not shared with purely physical LANs:
>
> 1. A compromise of a switch could allow a user to see traffic beyond their authorization.
> 2. A bug in switch software could allow private traffic to become visible at less-private ports.
>
> Neither of these risks is actually huge in any reasonable environment, but unless you can mitigate them down to zero by some other means, a physical LAN will always be just that little bit more secure than a VLAN.

I'm still not getting the difference between a virtual and a physical LAN. Can anyone give me an example of, say, a company with two branches in different locations, with each branch having its own sales and accounts department? I would subnet my IP such:
Office A 192.168.0.x
Office B 192.168.1.x

The departments of each office would have IPs from their respective subnet.

Sales A 192.168.0.1
Sales B 192.168.1.1
Accounts A 192.168.0.2
Accounts B 192.168.1.2

Make sense?

tnx for the help
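The distinction David draws in the quoted reply (a subnet is a block of IP addresses, a VLAN is a grouping of switch ports, and a host's address does not by itself decide which VLAN it is on) is easiest to see in a small model. The Python below is an added illustration and not code from this thread or from any switch vendor. It assumes a single port-based switch whose port-to-VLAN configuration is stood in for by a hypothetical `PORT_TO_VLAN` table, /24 masks on the addresses from Hylton's two-office layout, and constructed hosts, including one deliberately mis-addressed "Stray" host that reproduces the "see each other's traffic but can't communicate" case.

```python
"""Toy model of the L2/L3 split: subnet membership is an IP-layer property,
VLAN membership is a switch-port property, and the two are assigned
independently.  Added illustrative code, not from the thread; the switch,
port table and hosts below are constructed for this example."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Interface


class Reach(Enum):
    """What two hosts can do with each other, given their VLAN and subnet."""
    FULL = "same VLAN, same subnet: talk directly"
    SEES_BUT_CANNOT_TALK = "same VLAN, different subnet: share a broadcast domain but need a router to talk"
    ISOLATED = "different VLANs: no layer-2 path at all"


@dataclass(frozen=True)
class Host:
    name: str
    switch_port: int        # physical port the host is plugged into
    iface: IPv4Interface    # configured address with prefix, e.g. 192.168.0.1/24


# Hypothetical port-to-VLAN table: in a port-based VLAN this table IS the
# "mapping" Hylton asks about.  The administrator assigns each switch port
# a VLAN id; the host's IP address plays no part in that decision.
PORT_TO_VLAN = {1: 10, 2: 10, 3: 20, 4: 20, 5: 10}


def vlan_of(host: Host, port_to_vlan: dict[int, int]) -> int:
    """The VLAN a host lands on is purely a function of its switch port."""
    return port_to_vlan[host.switch_port]


def same_subnet(a: Host, b: Host) -> bool:
    """Subnet membership is purely a function of address and prefix (L3)."""
    return a.iface.network == b.iface.network


def classify(a: Host, b: Host, port_to_vlan: dict[int, int]) -> Reach:
    """Combine the two independent properties into what happens on the wire."""
    if vlan_of(a, port_to_vlan) != vlan_of(b, port_to_vlan):
        # Different VLANs behave like separate physical switches: frames from
        # one never reach ports of the other, whatever the IP addresses say.
        return Reach.ISOLATED
    if same_subnet(a, b):
        return Reach.FULL
    # Same VLAN, different address blocks: ARP and other broadcasts reach both
    # hosts, but each sends the other's traffic to its default gateway rather
    # than directly, so they cannot communicate without a router.
    return Reach.SEES_BUT_CANNOT_TALK


def broadcast_domain(hosts: list[Host], port_to_vlan: dict[int, int], vlan: int) -> list[str]:
    """Names of every host whose frames (broadcasts included) reach the given VLAN."""
    return sorted(h.name for h in hosts if vlan_of(h, port_to_vlan) == vlan)


def physical_devices_needed(port_to_vlan: dict[int, int]) -> int:
    """Without VLANs, every separate LAN needs its own switch/hub, so the
    equivalent physical design needs one device per distinct VLAN."""
    return len(set(port_to_vlan.values()))


# Constructed hosts using the addresses from Hylton's example (/24 assumed).
SALES_A    = Host("Sales A",    1, IPv4Interface("192.168.0.1/24"))
ACCOUNTS_A = Host("Accounts A", 2, IPv4Interface("192.168.0.2/24"))
SALES_B    = Host("Sales B",    3, IPv4Interface("192.168.1.1/24"))
ACCOUNTS_B = Host("Accounts B", 4, IPv4Interface("192.168.1.2/24"))
# Mis-addressed host: plugged into a VLAN-10 port but given an Office-B address.
STRAY      = Host("Stray",      5, IPv4Interface("192.168.1.5/24"))
HOSTS = [SALES_A, ACCOUNTS_A, SALES_B, ACCOUNTS_B, STRAY]


if __name__ == "__main__":
    for a, b in [(SALES_A, ACCOUNTS_A), (SALES_A, SALES_B), (SALES_A, STRAY), (SALES_B, STRAY)]:
        print(f"{a.name:>10} <-> {b.name:<10}: {classify(a, b, PORT_TO_VLAN).value}")
    print("VLAN 10 broadcast domain:", broadcast_domain(HOSTS, PORT_TO_VLAN, 10))
    print("Physical devices needed for the same isolation:", physical_devices_needed(PORT_TO_VLAN))
```

Two of the pairs are the instructive ones: Sales B and Stray share the 192.168.1.0/24 block yet are isolated because their ports sit in different VLANs, while Sales A and Stray share VLAN 10 and so see each other's broadcasts but cannot exchange IP traffic without a router. The last line shows the trade-off from the quoted reply: the same isolation built physically would need as many switches as there are VLANs.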
Current thread:
- Different terms for the same or more secure? Hylton Conacher(ZR1HPC) (Aug 22)
- Re: Different terms for the same or more secure? maddhatt+securitybasics (Aug 25)
- <Possible follow-ups>
- Re: Different terms for the same or more secure? eliterhythm (Aug 24)
- Re: Different terms for the same or more secure? Hylton Conacher(ZR1HPC) (Aug 28)
- RE: Different terms for the same or more secure? Anhtuan Huynh (Aug 25)
- RE: Different terms for the same or more secure? David Gillett (Aug 28)
- RE: Different terms for the same or more secure? Robert D. Holtz - Lists (Aug 28)
- RE: Different terms for the same or more secure? David Gillett (Aug 28)
- Re: Different terms for the same or more secure? Hylton Conacher(ZR1HPC) (Aug 25)
- RE: Different terms for the same or more secure? David Gillett (Aug 28)
- Re: Different terms for the same or more secure? Hylton Conacher(ZR1HPC) (Aug 28)
- RE: Different terms for the same or more secure? David Gillett (Aug 29)
- RE: Different terms for the same or more secure? David Gillett (Aug 28)
- Re: Different terms for the same or more secure? Brian Loe (Aug 28)
- Message not available
- Re: Different terms for the same or more secure? Brian Loe (Aug 31)
- RE: Different terms for the same or more secure? Isaac Van Name (Aug 31)