Security Basics mailing list archives

RE: VLANs confusing - Explained


From: "Erick Jensen" <ejensen () vibrant com>
Date: Wed, 15 Nov 2006 14:49:45 -0600

There's one last point to make.  I think we all understand he meant VPN
instead of VLAN, but there is a tiny bit of VLAN security.  

You can add a password to the VLAN, and if I remember correctly, it
sends it via a hash and not cleartext over the LAN.  That password
really only stops new switches from adding the VLAN to the database, it
doesn't encrypt traffic.  It's used to stop propagating the VLAN into
new or unauthorized switches connected to the LAN.  Of course, I'm
speaking from a Cisco perspective; maybe other vendors don't do this.

Erick

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Michael Dieroff
Sent: Tuesday, November 14, 2006 2:41 PM
To: 'Raj Shaz'; security-basics () lists securityfocus com
Subject: RE: VLANs confusing - Explained

Hi Raj,

To start with, a few points need to be clarified:

1.) VLAN refers to Virtual LAN - this is a layer 2 protocol that adds a header to the frame that identifies the VLAN that the client MAC address or, more commonly, the switchport belongs to.
2.) VLANs are not there for encryption - they provide logical and broadcast segmentation on a switch.
3.) The open standard for VLANs is 802.1q - if you are using Cisco devices then you have the option to 'tag' your VLAN with the likes of a Cisco protocol called ISL (Inter Switch Link).
4.) This means that VLANs provide security domains in the form of broadcast and subnet segmentation, not privacy and integrity of network communications.
5.) VPNs, however, do provide encryption services. VPN services are typically provided in 2 formats: L2TP/IPSEC and SSL (I know PPTP - GRE tunnelling is out there, but let's talk about the serious protocols here).

These VPN protocols make use of the likes of several encryption and hashing protocols that include DES, 3DES, AES for symmetric encryption and MD-5 and SHA-1 for hashing algorithms and integrity.

Are you referring to VPN's or VLAN's and I can elaborate a little more.

Mike.



Regards,

Michael Dieroff


------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic
Excellence 
in Information Security. Our program offers unparalleled Infosec
management 
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

