
This article describes the concept of the VLAN.

VLANs are commonly used to speed up networks and reduce congestion.

Overview

Virtual LAN: a logical, not physical, group of devices, defined by software. VLANs allow network administrators to resegment their networks without physically rearranging the devices or network connections. A VLAN (Virtual LAN) is a network composed of logical broadcast domains. For example, let us say you have a two-story building with 3 different departments on each floor. Each department (on both floors) must communicate together directly. They also produce a large amount of local traffic. What is the best solution for this situation? A Virtual LAN (VLAN) is the best way to reduce the overall network traffic generated by each department. Normally, connecting these users would be challenging because they would lie on 2 different switches, and possibly on different subnets or gateways, creating network latency. Specifying VLAN rules in both switches logically groups each department together. See the image below:

This diagram gives you the basic idea of VLAN membership. You can see how the floors of the building are separate and that each department is represented by a different color. The switches lie below and the trunk link is represented by the lightning bolt.

Types of Membership

There are several different types of membership associated with VLANs:

Static VLANs
Dynamic VLANs

Static VLANs are specified by switch port. For example, let us say a 12-port Fast Ethernet switch is split for the creation of 2 VLANs. The first 6 ports are associated with VLAN1 and the last 6 ports are associated with VLAN2. If a machine is moved from port 3 to port 11, it will effectively change VLANs.

Dynamic VLANs are specified by MAC address. Assuming the same scenario, a system administrator will enter MAC addresses for all machines connecting to the switch. These addresses will be stored in a memory chip inside the switch that forms a database of local MAC addresses. Each MAC address can then be associated with a certain VLAN. This way, if a machine is moved, it will retain the original VLAN membership regardless of its port number.

VLAN Tagging

Moving VLAN data over multiple subnets and routers requires a special process called VLAN tagging. The act of VLAN tagging simply adds extra information to the header of Ethernet frames so that routers and switches know how to pass along the data. This method is commonly used in large networks, or with VLANs that span wide geographic areas.

VLAN Enabled Switches

Not all switches support VLANs. While most expensive switches do, you won't get "the works" unless you're using a Cisco Catalyst. Cisco has created proprietary protocols to manage VLANs. VLAN Trunking Protocol (VTP) enables Cisco switches to advertise VLAN routes to other VTP-enabled switches. It also allows a system administrator to manage all VLANs from a central point and order all switches to update the VLAN information along the entire network. 3Com SuperStack switches also have great VLAN support. However, there have been some compatibility issues with multivendor VLAN devices. Most organizations using VLANs have figured out it is worth shelling out the extra cash to go with Cisco equipment and get the extra features and functionality.
Sources:
http://www.puredata.com/manual/backboneswiches/appendix/glossary.html
http://www.answers.com/main/ntquery;jsessionid=6f827uhquthfr?tname=virtuallan&method=6&sbid=lc04b

virtual LAN

Also called a "VLAN," it is a logical subgroup within a local area network that is created via software rather than manually moving cables in the wiring closet. It combines user stations and network devices into a single unit regardless of the physical LAN segment they are attached to and allows traffic to flow more efficiently within populations of mutual interest.

VLANs are implemented in port switching hubs and LAN switches and generally offer proprietary solutions. VLANs reduce the time it takes to implement moves, adds and changes. VLANs function at layer 2. Since their purpose is to isolate traffic within the VLAN, a router is required in order to bridge from one VLAN to another. The router works at the higher layer 3 network protocol, which requires that network layer segments are identified and coordinated with the VLANs. This is a complicated job, and VLANs tend to break down as networks expand and more routers are encountered. The industry is working towards "virtual routing" solutions, which allow the network manager to view the entire network as a single routed entity. See 802.1Q.

The VLAN

Virtual LANs solve the problem of containing traffic within workgroups that are geographically dispersed. They allow moves, adds and changes to be performed via software at a console rather than manually changing cables in the wiring closet.
Wikipedia

Virtual LAN

A virtual LAN, commonly known as a vLAN or as a VLAN, is a logically independent network. Several VLANs can co-exist on a single physical switch. A vLAN consists of a network of computers that behave as if connected to the same wire, even though they may actually physically connect to different segments of a LAN. Network administrators configure VLANs through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs emerges when physically moving a computer to another location: it can stay on the same VLAN without the need for any hardware reconfiguration. The IEEE 802.1Q tagging protocol dominates the VLAN world. Prior to the introduction of 802.1Q several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link, a variant of IEEE 802.10) and 3Com VLT (Virtual LAN Trunk). Some users now deprecate ISL in favor of 802.1Q. Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus of improving performance. When Ethernet switches made this a non-issue (because they have no collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. Virtual networks can also serve to restrict access to network resources without regard to the physical topology of the network, although the strength of this method remains debatable. Virtual LANs operate at layer 2 (the data link layer) of the OSI model. However, administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving layer 3 (the network layer). In the context of VLANs, the term 'trunk' denotes a network link carrying multiple VLANs which are identified by labels ('tags') inserted into their packets. Such trunks must run between 'tagged ports' of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Confusingly, the term 'trunk' also gets used for what Cisco calls 'channels': Link Aggregation or Port Trunking.) A router (Layer 3 switch) serves as the backbone for network traffic going across different VLANs. On Cisco devices, VTP (VLAN Trunking Protocol) allows for VLAN domains, which can aid in administrative tasks. VTP also allows "pruning", which involves directing specific VLAN traffic only to switches which have ports on the target VLAN.

Types and varieties


Network administrators can configure VLANs in various ways:

at the protocol level, using IP, IPX, LAT, etc.
based on MAC addresses
based on IP subnet
based on ports

Designers can set up static, dynamic, or port-centric vLANs. Two methods of establishing a VLAN exist: frame-tagging and frame-filtering:

1. Frame-tagging changes the information contained within the layer-2 frame, so that switches may forward the VLAN traffic to its correct VLAN destination and return the frame to its normal format.
2. Frame-filtering involves the switch looking for certain criteria in the layer-2 frame and using this matching system to forward the traffic to its correct VLAN and destination.

A Layer-2 device can implement VLANs in different ways:

Open VLANs have a single MAC address database for all VLANs
Closed VLANs have a separate MAC address database for each VLAN
Mixed-Mode VLANs can involve configuring Open or Closed VLANs on a per-VLAN basis

Computer security specialists generally consider closed VLANs more secure than Open VLANs.
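The VLAN Tagging section above and the frame-tagging method described here both come down to a 4-byte 802.1Q tag inserted after the source MAC address. The following is an added example (not from the original page or any vendor's code) that parses, inserts and strips that tag and applies the trunk-port ingress check a switch makes; the sample frame, the allowed-VID set and the helper names are constructed here.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing that an 802.1Q tag follows


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into addresses, optional 802.1Q tag, EtherType, payload."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("tagged frame truncated before the TCI")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        # TCI = 3-bit priority (PCP), 1-bit drop-eligible (DEI), 12-bit VLAN ID
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag, as a switch does before forwarding a frame onto a trunk."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    if parse_frame(frame)["vlan"] is not None:
        raise ValueError("frame already carries an 802.1Q tag")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag, as a switch does before delivering on an access port."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]


def trunk_accepts(frame: bytes, allowed_vids: set, native_vid: int) -> bool:
    """Ingress check on a trunk port: untagged frames belong to the native VLAN,
    tagged frames are accepted only if their VID is on the port's allowed list."""
    vlan = parse_frame(frame)["vlan"]
    vid = native_vid if vlan is None else vlan["vid"]
    return vid in allowed_vids


# Constructed sample: an untagged IPv4 frame (EtherType 0x0800) with a dummy payload.
SAMPLE = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
          + struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18)
TAGGED = tag_frame(SAMPLE, vid=10, pcp=3)
```

Pruning the allowed-VID set on each trunk is the practical counterpart of "closed" VLANs above: a VID that is not explicitly allowed never crosses that link.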

External links

IEEE's 802.1Q standard
Cisco's Overview of Routing between Virtual LANs
Cisco's Bridging Between IEEE 802.1Q VLANs white paper
University of California's VLAN Information

Virtual Private Networks


Introduction | VPN Classifications | How to Secure Data in VPN | VPNs Secure Protocol IPSec Technologies | Details of IPSec | IPSec Packets

Introduction

As companies become more decentralized, they find themselves with employees all over the country and around the world. Increasingly, these workers need the same access to corporate information as those still at headquarters. This presents a challenge for network managers: how to beef up the information flow while keeping WAN costs in check. Some users are finding they can meet both goals through Internet-based virtual private networks, or VPNs.

Basically, virtual private networks maintain privacy through the use of a tunneling protocol and security procedures. A VPN typically uses the Internet as the transport backbone to establish secure links with business partners, extend communications to regional and isolated offices, and significantly decrease the cost of communications for an increasingly mobile workforce. Because the Internet has become so ubiquitous, virtually everybody can plug into it, potentially reducing the need for banks of remote-access servers and modems, or for users to dial long-distance into such facilities. And because the Internet is always there, you can often use it in place of dedicated lines. All of this can mean fairly substantial savings over traditional leased-line connections or frame relay permanent virtual circuits. Users can expect to save hundreds of dollars a month on dedicated Internet access connections when compared to dedicated private lines from a long-distance service provider. The main element of the VPN concept lies at the gateways between the private networks and the public network. Be it software oriented, hardware oriented or a combination of the two, this intermediate device acts on behalf of the private network that it protects. When one of the local hosts sends data to another host in a remote network, the data must first pass from the private network through the protecting gateway device, travel through the public network, and then pass through the gateway device that is protecting the host in the remote network at the receiving end. The VPN safeguards the data by automatically encrypting it (thus making it incomprehensible to a third party) before it is sent from one private network to another, encapsulating it into an IP packet, and then automatically decrypting the data at the receiving end.
The gateway device can also double as a firewall for the local network, denying harmful or malicious data access to the network, and managing the outgoing data to the public network (whether it is encrypted or not).

VPN Classifications

Despite the large (and rapidly expanding) number of VPN products, all fall into three broad categories: hardware-based systems, firewall-based VPNs and standalone VPN application packages (software-based systems). Hardware-based VPN systems are encrypting routers. They are secure and easy to use, since they provide the nearest thing to "plug and play" encryption equipment available. They provide the highest network throughput of all VPN systems, since they don't waste processor overhead in running an operating system or other applications. However, they may not be as flexible as software-based systems. The best hardware VPN packages offer software-only clients for remote installation, and incorporate some of the access control features more traditionally managed by firewalls or other perimeter security devices.

Firewall-based VPNs take advantage of the firewall's security mechanisms, including restricting access to the internal network. They also perform address translation; satisfy requirements for strong authentication; and serve up real-time alarms and extensive logging. Most commercial firewalls also "harden" the host operating system kernel by stripping out dangerous or unnecessary services, providing additional security for the VPN server. OS protection is a major plus, since very few VPN application vendors supply guidance on OS security. Performance may be a concern, especially if the firewall is already loaded -- however, some firewall vendors offer hardware-based encryption processors to minimize the impact of VPN management on the system. Software-based VPNs are ideal in situations where both endpoints of the VPN are not controlled by the same organization (typical for client support requirements or business partnerships), or when different firewalls and routers are implemented within the same organization. At the moment, standalone VPNs offer the most flexibility in how network traffic is managed. Many software-based products allow traffic to be tunneled based on address or protocol, unlike hardware-based products, which generally tunnel all traffic they handle, regardless of protocol. Tunneling specific traffic types is advantageous in situations where remote sites may see a mix of traffic --some that needs transport over a VPN (such as entries to a database at headquarters) and some that doesn't (such as Web surfing). In situations where performance requirements are modest (such as users connecting over dial-up links), software-based VPNs may be the best choice. But software-based systems are generally harder to manage than encrypting routers. They require familiarity with the host operating system, the application itself, and appropriate security mechanisms. And some software VPN packages require changes to routing tables and network addressing schemes.

How to Secure Data in VPN

1. Certification - The certification is usually twofold and includes an electronic token and a PIN (Personal Identification Number). In this manner, the user must have something in his possession and something he memorizes. This drastically reduces the probability of someone impersonating a user, because he needs both elements to access the system.

2. Encryption - Once in the VPN, each gateway device sends its public key to all of its peers in the VPN. With the use of the public and private keys the data is encrypted in such a way that it's mathematically impossible to decode without knowledge of the keys. Once the encryption key is selected and implemented, it is necessary to ensure that the keys are protected through a key management system. Key management is the process of distributing the keys, refreshing them at specific intervals and revoking them when necessary. A balance has to be struck between the key exchange interval and the amount of data that is exchanged. An interval that is too short overburdens the VPN servers with key generation. On the other hand, a key exchange interval that is too long compromises the key and the data it encrypts.

VPNs Secure Protocol

IPSec is a suite of protocols that integrate security into the Internet Protocol (IP), and provide data source authentication, data integrity, confidentiality, and protection against replay attacks. IPSec is an evolving standard for secure private communications over the Internet. Normal IPv4 packets consist of headers and payload, both of which contain information of value to an attacker. The header contains source and destination IP addresses, which are required for routing but may be spoofed or altered in what are known as "man-in-the-middle" attacks; the payload consists of information which may be confidential to a particular organization. IPSec provides mechanisms to protect both header and payload data. The IPSec Authentication Header (AH) digitally signs the outbound packet, both data payload and headers, with a hash value appended to the packet, verifying the identity of the source and destination machines and the integrity of the payload. The IPSec Encapsulating Security Payload (ESP) guarantees the integrity and confidentiality of the data in the original message by combining a secure hash and encryption of either the original payload by itself, or the headers and payload of the original packet.

IPSec Technologies

IPSec combines several different security technologies into a complete system to provide confidentiality, integrity, and authenticity. In particular, IPSec uses:

Diffie-Hellman key exchange for deriving key material between peers on a public network
Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties and avoid man-in-the-middle attacks
Bulk encryption algorithms, such as DES, for encrypting the data
Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA for providing packet authentication
Digital certificates signed by a certificate authority to act as digital ID cards

Details of IPSec

IPSec combines the aforementioned security technologies into a complete system that provides confidentiality, integrity, and authenticity of IP datagrams. IPSec actually refers to several related protocols as defined in the new RFC 2401-2411 and 2451 (the original IPSec RFCs 1825-1829 are now obsolete). These standards include:

IP Security Protocol proper, which defines the information to add to an IP packet to enable confidentiality, integrity, and authenticity controls as well as defining how to encrypt the packet data.
Internet Key Exchange (IKE), which negotiates the security association between two entities and exchanges key material. It is not necessary to use IKE, but manually configuring security associations is a difficult and labor-intensive process. IKE should be used in most real-world applications to enable large-scale secure communications.

IPSec Packets

IPSec defines a new set of headers to be added to IP datagrams. These new headers are placed after the IP header and before the Layer 4 protocol (typically Transmission Control Protocol [TCP] or User Datagram Protocol [UDP]). These new headers provide information for securing the payload of the IP packet as follows:

Authentication header (AH) - This header, when added to an IP datagram, ensures the integrity and authenticity of the data, including the invariant fields in the outer IP header. It does not provide confidentiality protection. AH uses a keyed-hash function rather than digital signatures, because digital signature technology is too slow and would greatly reduce network throughput.
Encapsulating security payload (ESP) - This header, when added to an IP datagram, protects the confidentiality, integrity, and authenticity of the data. If ESP is used to validate data integrity, it does not include the invariant fields in the IP header.

AH and ESP can be used independently or together, although for most applications just one of them is sufficient. For both of these protocols, IPSec does not define the specific security algorithms to use, but rather provides an open framework for implementing industry-standard algorithms. Initially, most implementations of IPSec will support MD5 from RSA Data Security or the Secure Hash Algorithm (SHA) as defined by the U.S. government for integrity and authentication. The Data Encryption Standard (DES) is currently the most commonly offered bulk encryption algorithm, although RFCs are available that define how to use many other encryption systems, including IDEA, Blowfish, and RC4.

IPSec provides two modes of operation: transport mode and tunnel mode. In transport mode, only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. This capability allows you to enable special processing (for example, quality of service) in the intermediate network based on the information in the IP header. However, the Layer 4 header will be encrypted, limiting the examination of the packet. Unfortunately, by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis. In tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source's router encrypts packets and forwards them along the IPSec tunnel. The destination's router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to enjoy the benefits of IP Security. Tunnel mode also protects against traffic analysis. With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
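To make the AH description concrete, here is an added example (not from this page or any IPSec implementation) that models how AH's integrity check value is computed: a keyed hash (HMAC-SHA-256 truncated to 128 bits) over the IPv4 header with its mutable fields zeroed, plus the SPI, sequence number and payload. The IPv4 layout and the list of mutable fields follow RFC 4302; the helper names, key and sample addresses are constructed here, and the result is a teaching model rather than wire-compatible AH.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64,
                total_len: int = 20) -> bytes:
    """Minimal 20-byte IPv4 header, no options. Checksum is left zero: a real
    stack fills it in, and AH zeroes it again before hashing anyway."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed)


def zero_mutable_fields(hdr: bytes) -> bytes:
    """Zero the fields a router legitimately rewrites in flight (per RFC 4302):
    TOS/DSCP+ECN, flags + fragment offset, TTL and header checksum. Version,
    length, identification, protocol and both addresses stay covered."""
    h = bytearray(hdr)
    h[1] = 0                # TOS byte
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(key: bytes, hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Keyed hash over immutable header fields, AH's SPI/sequence, and payload."""
    msg = zero_mutable_fields(hdr) + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key: bytes, hdr: bytes, spi: int, seq: int,
              payload: bytes, icv: bytes) -> bool:
    """Receiver-side check; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(ah_icv(key, hdr, spi, seq, payload), icv)


def decrement_ttl(hdr: bytes) -> bytes:
    """What every router hop does to the packet."""
    h = bytearray(hdr)
    h[8] -= 1
    return bytes(h)


def rewrite_dst(hdr: bytes, new_dst: str) -> bytes:
    """Model of an in-path address rewrite, which AH must detect."""
    return hdr[:16] + IPv4Address(new_dst).packed


# Constructed sample: a TCP (proto 6) datagram between two private hosts.
KEY = b"constructed-demo-key-not-for-real-use"
PAYLOAD = b"GET /payroll HTTP/1.0\r\n\r\n"
HDR = ipv4_header("10.0.0.5", "10.0.1.9", proto=6, total_len=20 + len(PAYLOAD))
ICV = ah_icv(KEY, HDR, spi=0x100, seq=1, payload=PAYLOAD)
```

A TTL decrement along the path still verifies, while a changed destination address, a modified payload or a different sequence number (a replayed packet) fails the check.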
