Security Basics mailing list archives
RE: VLANs confusing - Explained
From: "Erick Jensen" <ejensen () vibrant com>
Date: Wed, 15 Nov 2006 14:49:45 -0600
There's one last point to make. I think we all understand he meant VPN instead of VLAN, but there is a tiny bit of VLAN security. You can add a password to the VLAN, and if I remember correctly, it sends it via a hash and not cleartext over the LAN. That password really only stops new switches from adding the VLAN to the database; it doesn't encrypt traffic. It's used to stop propagating the VLAN into new or unauthorized switches connected to the LAN. Of course, I'm speaking from a Cisco perspective; maybe other vendors don't do this.

Erick

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Michael Dieroff
Sent: Tuesday, November 14, 2006 2:41 PM
To: 'Raj Shaz'; security-basics () lists securityfocus com
Subject: RE: VLANs confusing - Explained

Hi Raj,

To start with, a few points need to be clarified:

1.) VLAN refers to Virtual LAN. This is a layer 2 protocol that adds a header to the frame that identifies the VLAN that the client MAC address, or more commonly the switch port, belongs to.
2.) VLANs are not there for encryption; they provide logical and broadcast segmentation on a switch.
3.) The open standard for VLANs is 802.1Q. If you are using Cisco devices then you have the option to 'tag' your VLAN with the likes of a Cisco protocol called ISL (Inter-Switch Link).
4.) This means that VLANs provide security domains in the form of broadcast and subnet segmentation, not privacy and integrity of network communications.
5.) VPNs, however, do provide encryption services. VPN services are typically provided in 2 formats: L2TP/IPsec and SSL (I know PPTP/GRE tunnelling is out there, but let's talk about the serious protocols here). These VPN protocols make use of the likes of several encryption and hashing protocols that include DES, 3DES and AES for symmetric encryption, and MD5 and SHA-1 for hashing algorithms and integrity.

Are you referring to VPNs or VLANs? Then I can elaborate a little more.

Mike.
Regards,
Michael Dieroff
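Added example (not part of the thread above, and not Cisco's or anyone else's code): a small parser for the 802.1Q tag that Michael's point 1 describes. The two frames it is run on are constructed byte strings, not captured traffic. It shows what the tag actually is (four bytes inserted after the source MAC: TPID 0x8100, then a 16-bit TCI holding priority, DEI and the 12-bit VLAN ID) and that the payload behind the tag is carried byte-for-byte as-is, which is the concrete reason a VLAN gives you segmentation but no confidentiality or integrity.

```python
"""
Minimal Ethernet II / 802.1Q frame parser.

Constructed example: the frames built below are hand-made byte strings.
The point it demonstrates: an 802.1Q tag is 4 bytes spliced in after the
source MAC (TPID 0x8100 + 16-bit TCI), and the payload after the tag is
exactly what the sender put on the wire. Nothing is encrypted or
authenticated by tagging a frame.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]    # None when the frame carries no 802.1Q tag
    priority: Optional[int]   # PCP (0-7); None when untagged
    dei: Optional[bool]       # Drop Eligible Indicator; None when untagged
    ethertype: int            # EtherType of the encapsulated payload
    payload: bytes            # carried as-is, tagged or not


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Parse one Ethernet II frame, peeling off a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    vlan_id = priority = dei = None
    offset = 14
    if etype == TPID_8021Q:
        # TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits), then the real EtherType
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        priority = tci >> 13
        dei = bool((tci >> 12) & 0x1)
        vlan_id = tci & 0x0FFF
        if vlan_id in (0, 4095):
            # VID 0 = priority-tagged frame with no VLAN membership, 4095 is reserved.
            raise ValueError(f"reserved VLAN ID {vlan_id}")
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan_id, priority, dei, etype, raw[offset:])


def build_tagged_frame(dst: bytes, src: bytes, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: bool = False) -> bytes:
    """Build an 802.1Q-tagged frame (constructed input for the parser above)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (int(dei) << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def build_untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a plain Ethernet II frame with no VLAN tag."""
    return dst + src + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    bcast = bytes.fromhex("ffffffffffff")
    host = bytes.fromhex("001122334455")      # constructed, not a real host
    secret = b"GET /payroll HTTP/1.0\r\n"     # constructed cleartext payload
    tagged = build_tagged_frame(bcast, host, vid=100, ethertype=ETHERTYPE_IPV4,
                                payload=secret, pcp=5)
    f = parse_frame(tagged)
    print(f"VLAN {f.vlan_id}, PCP {f.priority}, EtherType 0x{f.ethertype:04x}")
    # The application data is right there in the clear after the 4-byte tag.
    print("payload on the wire:", f.payload)
```

Anyone with a port that sees the tagged frame (a trunk, a mirror port, a switch that forwards the tag) reads `payload` exactly as shown; the VLAN ID only decides which ports the switch will forward it to.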
Current thread:
- RE: VLANs confusing - Explained Erick Jensen (Nov 15)
- RE: VLANs confusing - Explained Michael Dieroff (Nov 16)
- <Possible follow-ups>
- RE: VLANs confusing - Explained Erick Jensen (Nov 16)