Security Basics mailing list archives
RE: Different terms for the same or more secure?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 13 Sep 2006 15:03:46 -0700
> Would the IP addressing be different for the clients on the VLAN as opposed to the normal nodes/clients?
As long as the switch is working correctly, packets don't cross from one group to another. So it's perfectly LEGAL to use the same layer 3 address blocks, and even specific addresses, on different groups. (Recall that a pure switch is a layer 2 device and doesn't care what the layer 3 payloads look like.)

BUT -- if you ever want anything on one VLAN to talk to something on another VLAN, then normal layer 3 rules apply -- the groups need to be using *different* address blocks, and you need a gateway or router that connects them together, exactly as you would if these were real separate physical networks.

[Definition note: A "subnet" is a layer 3 address block, specifically as it relates to its possible hierarchical inclusion in some subdivided (larger) layer 3 address block. So the preceding two paragraphs *probably* address your questions about "subnets". Assigning two devices addresses "in the same subnet" is how we *tell layer 3* that these devices are within the same layer 2 LAN, VLAN, group, or whatever -- that they can talk to each other via MAC address and/or broadcasts. To tell layer 3 that devices are in different broadcast domains, we give them addresses from different subnets and local gateway addresses to be used to reach remote subnets. Our choice of layer 3 addressing is not arbitrary and random; we are telling the various network nodes about how they are connected to each other and to nodes in other networks. We may have a choice of the specific numbers we use, but only as long as they correctly reflect those relationships.]
> Would the nodes on the VLAN be more secure or have the same security as the normal nodes?
That's up to the nodes, not the networks. What you'll typically do is, at the gateway (see above), implement firewalling, access lists, or other filters, so you can limit the access that devices on one network have to devices on another. So one VLAN might have more restrictive filters between it and the Internet than another, up to and including "the gateway doesn't forward packets into/out of this VLAN".

I said above "As long as the switch is working correctly, packets don't cross from one group to another." One reason that VLANs are not a reliable security mechanism is that switches may have FLAWS which could, for instance, allow packets to cross from one VLAN to another without encountering the filters at the gateway. Or it might be possible for an attacker on a "public" VLAN to compromise the management software on the switch and configure it to provide him access to a more private VLAN, or merely a view of traffic on that more private VLAN. These are things that can't happen if you really have separate physical switches instead of VLANs.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Hylton Conacher(ZR1HPC)
Sent: Wednesday, September 13, 2006 9:18 AM
To: security-basics () securityfocus com
Subject: Re: Different terms for the same or more secure?

David Gillett wrote:
NO ONE has answered the simple initial question of what is a VLAN?

David, THANK YOU. I hope you have investigated technical lecturing/teaching.

In essence it is a group of ports (ie 4 ports of a total of 32) that have their own MAC table. Connecting those ports to a similarly configured switch would create a LAN in a LAN or VLAN.

Would the IP addressing be different for the clients on the VLAN as opposed to the normal nodes/clients? I would assume not, however I cannot figure out why VLANs are needed with IP subnetting? ie what is the benefit of a VLAN over a subnet?

Would the nodes on the VLAN be more secure or have the same security as the normal nodes?

<snip> David's EXCELLENT reply

PS: If you don't mind I think we should make this topic private as apart from the initial security question, I can feel the MODERATOR breathing down my neck :)
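The layer 2 / layer 3 relationship David describes above (same VLAN plus same subnet means direct delivery; different subnets mean a gateway, whose filters decide what crosses; the same address block reused on two VLANs is legal only while those VLANs never need to talk) can be checked mechanically. The following is an added example, not code from the thread or from any poster; the host table, VLAN ids and gateway policy are constructed for illustration.

```python
import ipaddress

# Constructed example topology (not from the thread): VLAN id plus IP/prefix per host.
HOSTS = {
    "alice": {"vlan": 10, "addr": "10.0.10.5/24"},
    "bob":   {"vlan": 10, "addr": "10.0.10.9/24"},
    "carol": {"vlan": 20, "addr": "10.0.20.7/24"},
    "dave":  {"vlan": 30, "addr": "10.0.10.42/24"},   # reuses VLAN 10's block on VLAN 30
    "erin":  {"vlan": 10, "addr": "10.0.11.3/24"},    # on VLAN 10 but addressed in another block
}

# Constructed gateway filter policy: directional (src_vlan, dst_vlan) pairs the router forwards.
# VLAN 30 appears in no pair, i.e. "the gateway doesn't forward packets into/out of this VLAN".
GATEWAY_ALLOW = {(10, 20)}


def same_subnet(addr_a, addr_b):
    """True when both interface addresses fall in the same layer 3 block."""
    return ipaddress.ip_interface(addr_a).network == ipaddress.ip_interface(addr_b).network


def path(src, dst, hosts=HOSTS, allow=GATEWAY_ALLOW):
    """Classify how src reaches dst from its layer 2 (VLAN) and layer 3 (subnet) placement."""
    s, d = hosts[src], hosts[dst]
    l2_adjacent = s["vlan"] == d["vlan"]
    l3_adjacent = same_subnet(s["addr"], d["addr"])
    if l2_adjacent and l3_adjacent:
        return "direct"       # ARP/broadcast reaches the peer; no router involved
    if l2_adjacent and not l3_adjacent:
        return "l3-mismatch"  # same broadcast domain, but the addressing tells hosts to use a router
    if not l2_adjacent and l3_adjacent:
        return "isolated"     # layer 3 says "neighbour", but layer 2 never delivers the frame
    if (s["vlan"], d["vlan"]) in allow:
        return "routed"       # different blocks, forwarded by the gateway, filters permitting
    return "filtered"         # gateway refuses to forward between these two VLANs


def duplicate_addresses(hosts=HOSTS):
    """Report duplicate addresses only within one VLAN; across VLANs a duplicate is legal.

    Returns a list of (address, vlan, first_host, second_host) tuples.
    """
    seen = {}
    dups = []
    for name, h in hosts.items():
        key = (h["vlan"], ipaddress.ip_interface(h["addr"]).ip)
        if key in seen:
            dups.append((str(key[1]), key[0], seen[key], name))
        else:
            seen[key] = name
    return dups


if __name__ == "__main__":
    for a, b in [("alice", "bob"), ("alice", "erin"), ("alice", "dave"),
                 ("alice", "carol"), ("carol", "alice"), ("carol", "dave")]:
        print(f"{a:6} -> {b:6}: {path(a, b)}")
    print("intra-VLAN duplicates:", duplicate_addresses())
```

The `isolated` case is the one to watch for in an audit: two hosts whose addresses say "we are neighbours" while the switch keeps them apart will fail silently (ARP never gets a reply), and the fix is either to give the VLANs distinct subnets or to put them on the same VLAN, not to loosen the gateway. The `filtered` case is the gateway policy doing its job, which is where the access control between VLANs actually lives.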