Popular Posts

Mitigating VLAN Attacks
A VLAN is a logical broadcast domain that can span multiple physical LAN segments. Within a switched internetwork, VLANs provide segmentation and organizational flexibility. You can design a VLAN structure that groups stations logically by function, project team, or application, regardless of where the users are physically located. Each switch port is assigned to only one VLAN, which adds a layer of security. Ports in the same VLAN share broadcasts; ports in different VLANs do not. Containing broadcasts within a VLAN improves the overall performance of the network.
Basic Switch Operation and security




Unlike hubs, switches can regulate the flow of data between their ports by creating "instant" networks that contain only the two end devices communicating with each other at that moment in time. When end systems send data frames, their source and destination addresses are not changed anywhere in the switched domain. Switches maintain content-addressable memory (CAM) lookup tables to track the source MAC addresses seen on each switch port. These lookup tables are populated by an address-learning process on the switch. If the destination MAC address of a frame is not known, or if the frame is destined for a broadcast or multicast MAC address, the switch forwards the frame out all ports. Because of their capability to isolate traffic and create instant networks, you can use switches to divide a physical network into multiple logical segments, or VLANs, using Layer 2 traffic segmentation.

Layer 2 is the data link layer of the OSI model, one of seven layers designed to work together while remaining autonomous. Layer 2 operates above the physical layer but below the network and transport layers, as shown in the layer diagram below.
Layer 2 independence enables interoperability and interconnectivity. From a security perspective, however, that same independence creates a challenge: a compromise at one layer is not always visible to the other layers. If the initial attack comes in at Layer 2, the rest of the network can be compromised in an instant. Network security is only as strong as the weakest link—and that link might be the data link layer.
Mitigating Layer 2 Attacks



Like routers, both Layer 2 and Layer 3 switches have their own set of network security requirements. Access to a switch is a convenient entry point for attackers intent on illegally gaining access to a corporate network. With access to a switch, an attacker can set up rogue access points and protocol analyzers and launch all types of attacks from within the network. Attackers can even spoof the MAC and IP addresses of critical servers to do a great deal of damage.
© 2010 Logical Network Security. All Rights Reserved Thesis WordPress Theme Converted into Blogger Template by Hack Tutors.info