Security Basics mailing list archives

RE: Different terms for the same or more secure?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 13 Sep 2006 15:03:46 -0700

Would the IP addressing be different for the clients 
on the VLAN as opposed to the normal clients?

  As long as the switch is working correctly, packets don't 
cross from one group to another.  So it's perfectly LEGAL to 
use the same layer 3 address blocks, and even specific addresses,
on different groups.  (Recall that a pure switch is a layer 2
device and doesn't care what the layer 3 payloads look like.)

  BUT -- if you ever want anything on one VLAN to talk to 
something on another VLAN, then normal layer 3 rules apply --
the groups need to be using *different* address blocks, and
you need a gateway or router that connects them together,
exactly as you would if these were real separate physical 
networks.

  [Definition note:  A "subnet" is a layer 3 address block,
specifically as it relates to its possible hierarchical 
inclusion in some subdivided (larger) layer 3 address block.
So the preceding two paragraphs *probably* address your questions 
about "subnets".
  Assigning two devices addresses "in the same subnet" is how we
*tell layer 3* that these devices are within the same layer 2 LAN,
VLAN, group, or whatever -- that they can talk to each other
via MAC address and/or broadcasts.  To tell layer 3 that devices 
are in different broadcast domains, we give them addresses from
different subnets and local gateway addresses to be used to reach
remote subnets.
  Our choice of layer 3 addressing is not arbitrary and random;
we are telling the various network nodes about how they are connected
to each other and to nodes in other networks.  We may have a choice
of the specific numbers we use, but only as long as they correctly 
reflect those relationships.]

Would the nodes on the VLAN be more secure or have the same 
security as the normal nodes?

  That's up to the nodes, not the networks.
  What you'll typically do is, at the gateway (see above),
implement firewalling, access lists, or other filters, so
you can limit the access that devices on one network have to
devices on another.
  So one VLAN might have more restrictive filters between it
and the Internet than another, up to and including "the gateway
doesn't forward packets into/out of this VLAN".

  I said above
  "As long as the switch is working correctly, packets don't 
cross from one group to another."
  One reason that VLANs are not a reliable security mechanism is 
that switches may have FLAWS which could, for instance, allow packets
to cross from one VLAN to another without encountering the
filters at the gateway.  Or it might be possible for an attacker
on a "public" VLAN to compromise the management software on the 
switch and configure it to provide him access to a more private
VLAN, or merely a view of traffic on that more private VLAN.
  These are things that can't happen if you really have separate
physical switches instead of VLANs.
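The rules in the reply above (a switch forwards only within a VLAN and ignores layer 3, so address blocks may repeat; two hosts in the same subnet expect direct layer 2 delivery; different subnets need a gateway, where filters are applied) can be traced with a small model. This is an added example, not code from the post or the list; the topology, hosts, VLAN ids and address blocks are constructed for illustration, and the "permit" filter is a hypothetical one-way rule set.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    port: int                                  # switch port the host is plugged into
    iface: ipaddress.IPv4Interface             # address + prefix, e.g. 10.0.10.5/24
    gateway: Optional[ipaddress.IPv4Address] = None

class Switch:
    """Pure layer 2: frames move only between ports of one VLAN; layer 3 is never inspected."""
    def __init__(self, port_vlan: dict):
        self.port_vlan = port_vlan
    def vlan_of(self, port: int) -> int:
        return self.port_vlan[port]

class Gateway:
    """Router with one interface per routed VLAN and an inter-VLAN filter:
    `permit` holds the (source VLAN, destination VLAN) pairs it will forward."""
    def __init__(self, vlan_net: dict, permit: set):
        self.vlan_net, self.permit = vlan_net, permit
    def forward(self, src_vlan: int, dst_ip: ipaddress.IPv4Address) -> str:
        dst_vlan = next((v for v, n in self.vlan_net.items() if dst_ip in n), None)
        if dst_vlan is None:
            return "dropped: gateway has no interface on that subnet"
        if (src_vlan, dst_vlan) not in self.permit:
            return "dropped: filtered at gateway"
        return f"routed via gateway into VLAN {dst_vlan}"

def deliver(src: Host, dst: Host, sw: Switch, gw: Gateway) -> str:
    """Same subnet => layer 3 expects direct layer 2 delivery, which works only if
    the switch has both ports in one VLAN; other subnets go to the host's gateway."""
    if dst.iface.ip in src.iface.network:
        if sw.vlan_of(src.port) == sw.vlan_of(dst.port):
            return "direct: same VLAN and same subnet"
        return "dropped: same subnet, but the switch keeps the VLANs apart"
    if src.gateway is None:
        return "dropped: host has no gateway for remote subnets"
    return gw.forward(sw.vlan_of(src.port), dst.iface.ip)

# Constructed topology: VLANs 10/20 routed, only 10 -> 20 permitted; VLAN 30 reuses 10's block, unrouted.
SW = Switch({1: 10, 2: 10, 3: 20, 4: 20, 5: 30, 6: 30})
GW = Gateway({10: ipaddress.ip_network("10.0.10.0/24"),
              20: ipaddress.ip_network("10.0.20.0/24")}, permit={(10, 20)})
A = Host(1, ipaddress.ip_interface("10.0.10.5/24"), ipaddress.ip_address("10.0.10.1"))
B = Host(2, ipaddress.ip_interface("10.0.10.6/24"), ipaddress.ip_address("10.0.10.1"))
C = Host(5, ipaddress.ip_interface("10.0.10.6/24"))   # B's address again, but on VLAN 30
D = Host(3, ipaddress.ip_interface("10.0.20.7/24"), ipaddress.ip_address("10.0.20.1"))
E = Host(6, ipaddress.ip_interface("10.0.30.9/24"))   # VLAN 30 host in an unrouted block
```

Calling `deliver(A, C, SW, GW)` shows the duplicate-address case: layer 3 thinks C is local, but the switch never carries A's frames into VLAN 30, so the model reports a drop rather than a conflict.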

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of Hylton 
Conacher(ZR1HPC)
Sent: Wednesday, September 13, 2006 9:18 AM
To: security-basics () securityfocus com
Subject: Re: Different terms for the same or more secure?

David Gillett wrote:
NO ONE has answered the simple initial question of what is a VLAN?
David, THANK YOU I hope you have investigated technical 
lecturing/teaching.

In essence it is a group of ports (i.e. 4 ports of a total of  
32) that have their own MAC table. Connecting those ports to 
a similarly configured switch would create a LAN in a LAN or VLAN.

Would the IP addressing be different for the clients 
on the VLAN as opposed to the normal clients? I would 
assume not, however I cannot figure out why VLANs are needed 
with IP subnetting? i.e. what is the benefit of a VLAN over a subnet?

Would the nodes on the VLAN be more secure or have the same 
security as the normal nodes?

<snip> David's EXCELLENT reply

PS: If you don't mind I think we should make this topic 
private as apart from the initial security question, I can 
feel the MODERATOR breathing down my neck :)



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE 
The NSA has designated Norwich University a center of 
Academic Excellence in Information Security. Our program 
offers unparalleled Infosec management education and the case 
study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this 
esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


