Security Basics mailing list archives

Re: Different terms for the same or more secure?


From: "Hylton Conacher(ZR1HPC)" <hylton () conacher co za>
Date: Thu, 24 Aug 2006 17:48:30 +0200

David Gillett wrote:
>> -----Original Message-----
>> From: Hylton Conacher(ZR1HPC) [mailto:hylton () conacher co za]
>> Sent: Monday, August 21, 2006 3:38 AM
>> To: Security basics
>> Subject: Different terms for the same or more secure?
>>
>> Hi all,
>>
>> Seen a bit of traffic about vlans and as a junior networking person, I am wondering if they could be equal to physical subnets in the TCP/IP protocol.
>>
>> What further confuses me is that I read on Google that vlans can also have subnets.
>>
>> Could someone define each for me and the list and also why one is more secure than the other.
>>
>> Tnx
>> Hylton


> One definition of "subnet" is that it is a contiguous block of host
> addresses. One typically uses such a block of addresses on a LAN,
> whether it's physical or virtual.

Physical meaning actually there and virtual meaning there but not physically?

> It's possible to have hosts on a LAN using addresses from multiple
> blocks, but you generally want to avoid it if possible -- it can lead
> to two devices being able to see each other's traffic, but not
> actually communicate, unless you do some extra work.
>
> In a "physical subnet", all of the ports on every switch (and bridge
> and hub) use addresses in the same block and use the same MAC address
> tables, and so the hosts can all see each other.

Provided all the hosts are on the same subnet, i.e. 192.168.0.x as opposed to 192.168.1.x?

> In a VLAN, switch ports are grouped according to which MAC address
> tables they use; ...

Similar to an IP being divided into subnets, i.e. one for accounting, another for sales etc.? How are the node MAC addresses grouped? I would assume by their subnet, which is exactly what a subnet does. A subnet groups similar nodes together so that they can communicate easily with one another and the switches do not need to liaise with those subnet nodes re other services on other subnets. So what does a VLAN do that a subnet doesn't, and why is one better than the other?

> ... in order to permit routing between VLANs, it is customary to
> assign each a different address block. VLANs are especially useful
> with another switch feature, "trunking", which allows a single
> physical link to carry traffic tagged for multiple destination VLANs.

OK. You're starting to get fuzzy as there must be ethernet interference :) Let me get the basics right and solid, then I'll explore the other features.

> With the physical approach, all ports on every switch/hub/whatever are
> part of the same LAN; if you need two (or ten) different LANs in an
> area, you need to deploy that many devices (at least...). With VLANs,
> you deploy a small number of devices with high port density, and map
> each port to the VLAN it belongs on.

How is the mapping done, i.e. what decides which VLAN a node belongs to?

> There are basically two avenues of vulnerability to VLANs that are not
> shared with purely physical LANs:
>
> 1. A compromise of a switch could allow a user to see traffic beyond
>    their authorization.
>
> 2. A bug in switch software could allow private traffic to become
>    visible at less-private ports.
>
> Neither of these risks is actually huge in any reasonable environment,
> but unless you can mitigate them down to zero by some other means, a
> physical LAN will always be just that little bit more secure than a
> VLAN.

OK, so a physically subnetted network is 'safer'/'more secure' than a VLAN network.

I'm still not getting the difference between a virtual and a physical LAN. Can anyone give me an example of, say, a company with two branches in different locations, with each branch having its own sales and accounts department? I would subnet my IP space like so:
Office A 192.168.0.x
Office B 192.168.1.x
The departments of each office would have IPs from their respective subnet.
Sales A 192.168.0.1
Sales B 192.168.1.1
Accounts A 192.168.0.2
Accounts B 192.168.1.2

Make sense?
tnx for the help
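The distinction David draws (VLAN membership is a property of the switch port, while the subnet is a property of the address a host is given) can be made concrete with a small model. The following is an added example and not part of the thread; the six-port switch, the port-to-VLAN assignment, the host names and the two "stray" hosts are all constructed for illustration. The VLAN-per-port dict stands in for whatever the switch's real configuration mechanism is; the thread does not describe one, so that part is an assumption. The model reproduces the four cases implied by the reply: same VLAN and same block (direct), same VLAN but different block (see each other's traffic but cannot talk), same block but different VLAN (never see each other), and different in both (a router must sit in between). It also shows the flat "physical" alternative, where only the address block separates the departments.

```python
import ipaddress

# Constructed topology (not from the thread): one switch whose ports are mapped
# to access VLANs. The VLAN is decided per port by the switch configuration
# (modelled here as a plain dict, an assumption); the subnet is decided by the
# address each host is given. The two are normally aligned, but nothing forces it.
PORT_VLAN = {
    "port1": 10, "port2": 10, "port3": 10,   # intended for sales, 192.168.0.0/24
    "port4": 20, "port5": 20, "port6": 20,   # intended for accounts, 192.168.1.0/24
}
VLAN_SUBNET = {
    10: ipaddress.ip_network("192.168.0.0/24"),
    20: ipaddress.ip_network("192.168.1.0/24"),
}
# host -> (switch port, configured address with prefix length); all constructed
HOSTS = {
    "sales-1":    ("port1", "192.168.0.1/24"),
    "sales-2":    ("port2", "192.168.0.2/24"),
    "stray-1":    ("port3", "192.168.1.50/24"),  # sales port, accounts address
    "accounts-1": ("port4", "192.168.1.1/24"),
    "accounts-2": ("port5", "192.168.1.2/24"),
    "stray-2":    ("port6", "192.168.0.60/24"),  # accounts port, sales address
}


def vlan_of(host):
    """The VLAN a host lands in is decided by the port it is plugged into."""
    return PORT_VLAN[HOSTS[host][0]]


def interface_of(host):
    return ipaddress.ip_interface(HOSTS[host][1])


def same_broadcast_domain(a, b):
    """Layer 2: frames from a (ARP, broadcasts) reach b only when the switch
    puts both ports in the same VLAN. On a flat physical LAN this is always True."""
    return vlan_of(a) == vlan_of(b)


def same_subnet(a, b):
    """Layer 3: a treats b as local only if b's address falls inside a's block.
    All hosts here use /24, so the check is symmetric."""
    return interface_of(b).ip in interface_of(a).network


def reachability(a, b):
    """Classify what a and b can do with each other on the VLAN-capable switch."""
    l2 = same_broadcast_domain(a, b)
    l3 = same_subnet(a, b)
    if l2 and l3:
        return "direct"        # ARP resolves; no router needed
    if l2 and not l3:
        return "visible-only"  # the case in the reply: see traffic, cannot talk
    if l3 and not l2:
        return "isolated"      # same block, but the switch never delivers frames
    return "routed"            # different VLAN and block: a router must be between


def reachability_on_flat_lan(a, b):
    """The 'physical' alternative with a single hub or unmanaged switch: every
    port shares one broadcast domain, so the address block is the only thing
    separating sales from accounts, and it does not hide traffic at all."""
    return "direct" if same_subnet(a, b) else "visible-only"


def misconfigured_hosts():
    """Hosts whose address is not in the block their port's VLAN is meant to use.
    These are the ones that produce the 'visible but cannot communicate' case."""
    return sorted(h for h in HOSTS
                  if interface_of(h).ip not in VLAN_SUBNET[vlan_of(h)])


if __name__ == "__main__":
    for pair in [("sales-1", "sales-2"), ("sales-1", "stray-1"),
                 ("sales-1", "stray-2"), ("sales-1", "accounts-1")]:
        print(pair, "vlan switch:", reachability(*pair),
              "| flat lan:", reachability_on_flat_lan(*pair))
    print("misconfigured:", misconfigured_hosts())
```

Running the model shows why the two concepts are kept aligned in practice: a host plugged into a port of the wrong VLAN is silently cut off even though its address looks right, while a host with an address from the wrong block shares the broadcast domain but cannot complete an exchange. On the flat LAN every pair is at least "visible-only", which is the whole reason separate devices were needed before VLANs existed.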



