Look at the network in Figure 4.9. Betty needs to send data to the server Thoth. Because every station on the network is required to listen before it transmits, Betty first listens for the transmissions of other stations. If the wire is free, Betty transmits a frame of data. The bridge is also watching for traffic and looks at the destination address in the header of Betty's frame. Because the bridge does not yet know which port the system with MAC address 00C08BBE0052 (Thoth) is connected to, it regenerates the signal and retransmits the frame out Port B. Up to this point the bridge's behavior is very similar to that of a repeater. The bridge does a little extra, however: it has learned that Betty is attached to Port A and creates a table entry with her MAC address.
FIGURE 4.9 Betty transmits data to the server Thoth by putting Thoth’s MAC address into the destination field of the frame.
When Thoth replies to Betty's request, as shown in Figure 4.10, the bridge again looks at the destination address in the frame. This time, however, it finds a match in its table, noting that Betty is attached to Port A, the same port the frame arrived on. Because it knows Betty can receive the frame directly, the bridge filters it and does not transmit it out Port B. The bridge also makes a new table entry for Thoth, recording his MAC address as being off of Port A.
FIGURE 4.10 Thoth’s reply to Betty’s message
For as long as the bridge remembers each station's MAC address, all unicast communications between Betty and Thoth will be isolated from Sue and Babylnor. Traffic isolation is a powerful feature, because it means that systems on both sides of the bridge can be carrying on conversations at the same time, effectively doubling the aggregate bandwidth. The bridge ensures that communications on both sides stay isolated, as if the two segments were not even connected. Because stations cannot see transmissions on the other side of the bridge, they assume the network is free and send their data. Only frames to addresses the bridge has not yet learned, and broadcast frames, are still forwarded to the other side.
Each system only needs to contend for bandwidth with systems on its own segment. This means that there is no way for a station to have a collision outside of its segment. Thus these segments are referred to as collision domains, as shown in Figure 4.11. Notice that each bridge port belongs to the collision domain of the segment it is attached to, because each port contends for bandwidth with the systems it is directly connected to. Because the bridge isolates traffic within each collision domain, there is no way for separated systems to collide their signals. The effect is a doubling of potential bandwidth.
FIGURE 4.11 Two separate collision domains
Also notice that splitting the network into two collision domains has increased the security of the network. For example, let’s say that the system named Babylnor becomes compromised. An attacker has gained high-level access to this system and begins capturing network activity in order to look for sensitive information.
Given the above network design, Thoth and Betty would be able to carry on a conversation with relative security. Once the bridge has learned both stations' addresses, the only traffic that will find its way onto Babylnor's collision domain is broadcast traffic (Betty's very first frame to Thoth in Figure 4.9 was flooded to Port B only because Thoth's address was not yet in the table). You may remember from Chapter 3 that a broadcast frame needs to be delivered to all local systems. For this reason, a bridge will also forward broadcast traffic.
By using a bridge in this situation, you get a double bonus. You have not only increased performance, but security as well.
So what happens when traffic needs to traverse the bridge? As mentioned, when a bridge is unsure of the location of a system it will always forward the frame just in case. Once the bridge learns that the system is in fact located off of its other port, it will continue to forward such frames as required. If Betty begins communicating with Sue, for example, this data will cross the bridge and be transmitted onto the same collision domain as Babylnor. This means that Babylnor is capable of capturing this data stream. While the bridge helped to secure Betty's communications with Thoth, it provides no additional security when Betty begins communicating with Sue.
In order to secure both of these sessions, you would need a bridge capable of dedicating a single port to each system. This type of functionality is provided in a device referred to as a switch.
Switches
Switches are the marriage of hub and bridge technology. They resemble hubs in appearance, having multiple RJ45 connectors for connecting network systems. Instead of being a dumb amplifier like a hub, however, a switch functions as though it has a miniature bridge built into each port. A switch keeps track of the MAC addresses attached to each of its ports and forwards traffic destined for a certain address only to the port to which that address is attached.
Figure 4.12 shows a switched environment in which each device is connected to a dedicated port. The switch will learn the MAC identification of each station once a single frame transmission occurs (identical to a bridge). Assuming that this has already happened, you now find that at exactly the same instant Station 1 needs to send data to Server 1, Station 2 needs to send data to Server 2, and Station 3 needs to send data to Server 3.
FIGURE 4.12 A switch installation showing three workstations and three servers that need to communicate
There are some interesting things about this situation. The first is that each wire run involves only the switch and the station attached to it. This means that each collision domain is limited to only these two devices, because each port of the switch is acting like a bridge. The only traffic seen by the workstations and servers is any frame specifically sent to them or to the broadcast address. As a result, all three stations will see very little network traffic and will be able to transmit immediately. This is a powerful feature that goes a long way toward increasing potential bandwidth. Given our example, if this is a 10Mbps topology, the aggregate throughput has just increased by a factor of 3. This is because all three pairs of systems can carry on their conversations simultaneously, as the switch isolates them from each other. While it is still technically 10Mbps Ethernet, potential aggregate throughput has increased to 30Mbps.
Besides increasing performance dramatically, you have also increased security. If any one of these systems becomes compromised, the only sessions that can be monitored are sessions with the compromised system. For example, if an attacker gains access to Server 2, she will not be able to monitor communication sessions with Servers 1 or 3, only Server 2.
This is because monitoring devices can only collect traffic that is transmitted within their collision domain. Since Server 2's collision domain consists of itself and the switch port it is connected to, the switch does an effective job of isolating Server 2 from the communication sessions being held with the other servers.
While this is a wonderful security feature, it does make legitimate monitoring of your network somewhat cumbersome. This is why many switches include a monitoring port.
A monitoring port (often called a mirror or SPAN port) is simply a port on the switch that can be configured to receive a copy of all data transmitted to or from one or more other ports. For example, you could plug your analyzer into port 10 of the switch and configure the device to copy all traffic on port 3 to port 10. If port 3 is one of your servers, you can now analyze all traffic flowing to and from this system.
This can also be a potential security hole. If an attacker is able to gain administrative access to the switch (through Telnet, HTTP, SNMP, or the console port), she would have free rein to monitor any system connected to, or communicating through, the switch. To return to our example, if the attacker could access Server 2 and the switch itself, she is now in a perfect position to monitor all network communications.
Keep in mind that bridges, switches, and similar networking devices are designed primarily to improve network performance, not to improve security. Increased security is just a secondary benefit. This means that they have not received the same type of abusive, real-world testing as, say, a firewall or router product. A switch can augment your security policy, but it should not be the core device that implements it.
VLAN Technology
Switching introduces a new technology referred to as the virtual local area network (VLAN). Software running on the switch allows you to set up connectivity parameters for connected systems by workgroup (referred to as VLAN groups) instead of by physical location. The switch's administrator can organize port transmissions logically so that connectivity is grouped according to each user's requirements. The "virtual" part is that these VLAN groups can span multiple physical network segments, as well as multiple switches. By assigning all switch ports that connect to PCs used by accounting personnel to the same VLAN group, you create a virtual accounting network.
Think of VLANs as being the virtual equivalent of taking an ax to a switch with many ports in order to create multiple switches. If you have a 24-port switch and you divide the ports equally into three separate VLANs, you essentially have three 8-port switches.
“Essentially” is the key word here, as you still have one physical device. While this makes for simpler administration, from a security perspective it is not nearly as good as having three physical switches. If an attacker is able to compromise a switch using VLANs, he might be able to configure his connection to monitor any of the other VLANs on the device.
This can be an extremely bad thing if you have one large switch providing connectivity on both sides of a traffic-control device such as a firewall. An attacker may not need to penetrate your firewall—he may find the switch to be a far easier target. At the very least, the attacker now has two potential ways into the network instead of just one.
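The learn/filter/flood rule that the bridge section (Figures 4.9 through 4.11), the switch section (Figure 4.12 and the monitoring port), and the VLAN discussion above all rely on can be written down in a few lines. The following model is an added example and is not code from the book. It assumes a switch whose ports each carry a VLAN number and a set of stations sharing that port's segment (several stations behind a bridge port, exactly one behind a switched port), and a `deliver()` function that returns the set of stations that actually see a frame, which is the set an attacker could capture it from. All MAC addresses other than Thoth's 00C08BBE0052 are made up for the example, as are the hosts "Acct 1", "Acct 2", "Eve" and "Analyzer".

```python
"""Forwarding model of a transparent (learning) bridge or switch.

Added example, not the book's code.  Each port has a VLAN number and the
stations sharing its segment.  deliver() learns the source address,
filters or floods the frame exactly as the bridge/switch text describes,
and returns the set of stations that see the frame.  MAC addresses other
than Thoth's are assumed values chosen for the example.
"""

BROADCAST = "FFFFFFFFFFFF"


class Switch:
    def __init__(self):
        self.ports = {}    # port -> {"vlan": int, "stations": {mac: hostname}}
        self.table = {}    # (vlan, mac) -> port: the learned forwarding table
        self.mirrors = {}  # monitored port -> monitoring (analyzer) port

    def add_port(self, port, vlan=1):
        self.ports[port] = {"vlan": vlan, "stations": {}}

    def attach(self, port, mac, host):
        self.ports[port]["stations"][mac] = host

    def mirror(self, monitored, monitoring):
        """Copy every frame entering or leaving `monitored` to `monitoring`."""
        self.mirrors[monitored] = monitoring

    def port_of(self, mac):
        for port, entry in self.ports.items():
            if mac in entry["stations"]:
                return port
        raise KeyError(mac)

    def deliver(self, src, dst):
        ingress = self.port_of(src)
        vlan = self.ports[ingress]["vlan"]
        self.table[(vlan, src)] = ingress       # learn: src lives off the ingress port
        known = self.table.get((vlan, dst))
        if dst == BROADCAST or known is None:
            # broadcast or unknown unicast: flood every other port in this VLAN
            egress = {p for p, e in self.ports.items() if e["vlan"] == vlan and p != ingress}
        elif known == ingress:
            egress = set()                       # filter: dst shares the sender's segment
        else:
            egress = {known}                     # forward to the single learned port
        listening = {ingress} | egress           # the sender's own segment always hears it
        listening |= {self.mirrors[p] for p in listening if p in self.mirrors}
        seen = set()
        for p in listening:
            seen |= set(self.ports[p]["stations"].values())
        return seen


def bridge_scenario():
    """Figures 4.9-4.11: two shared segments joined by a two-port bridge."""
    br = Switch()
    br.add_port("A")
    br.add_port("B")
    br.attach("A", "00C08BBE0001", "Betty")
    br.attach("A", "00C08BBE0052", "Thoth")     # Thoth's MAC as given in the text
    br.attach("B", "00C08BBE0003", "Sue")
    br.attach("B", "00C08BBE0004", "Babylnor")  # the compromised, sniffing host
    return [
        br.deliver("00C08BBE0001", "00C08BBE0052"),  # Betty->Thoth: unknown, flooded out B
        br.deliver("00C08BBE0052", "00C08BBE0001"),  # Thoth->Betty: learned on A, filtered
        br.deliver("00C08BBE0001", "00C08BBE0003"),  # Betty->Sue: crosses the bridge
    ]


def switch_scenario():
    """Figure 4.12 with one station per port, then a monitoring port added."""
    sw = Switch()
    hosts = {"1": "Station 1", "2": "Station 2", "3": "Station 3",
             "4": "Server 1", "5": "Server 2", "6": "Server 3", "7": "Analyzer"}
    for port, host in hosts.items():
        sw.add_port(port)
        sw.attach(port, "00C08BBE00A" + port, host)
    first = sw.deliver("00C08BBE00A1", "00C08BBE00A4")   # Server 1 unknown: flooded everywhere
    sw.deliver("00C08BBE00A4", "00C08BBE00A1")           # the reply teaches the switch port 4
    second = sw.deliver("00C08BBE00A1", "00C08BBE00A4")  # now only the two endpoints see it
    sw.mirror("4", "7")                                  # analyzer on port 7 watches port 4
    mirrored = sw.deliver("00C08BBE00A1", "00C08BBE00A4")
    return first, second, mirrored


def vlan_scenario():
    """A 24-port switch cut into three 8-port VLANs; Eve sits in a different VLAN."""
    sw = Switch()
    for n in range(1, 25):
        sw.add_port(str(n), vlan=10 + 10 * ((n - 1) // 8))  # 1-8: VLAN 10, 9-16: 20, 17-24: 30
    sw.attach("1", "00C08BBE00B1", "Acct 1")
    sw.attach("2", "00C08BBE00B2", "Acct 2")
    sw.attach("9", "00C08BBE00B9", "Eve")
    isolated = sw.deliver("00C08BBE00B1", BROADCAST)     # floods VLAN 10 only
    sw.mirror("1", "9")   # Eve with admin access to the switch mirrors port 1 to her own port
    leaked = sw.deliver("00C08BBE00B1", BROADCAST)
    return isolated, leaked
```

Running the three scenarios reproduces the text's claims: Babylnor sees Betty's first frame to Thoth and every frame to Sue, but not Thoth's reply; on the switch the first frame floods to all seven ports, the repeat reaches only Station 1 and Server 1, and the mirror adds the analyzer; and the accounting broadcast stays inside VLAN 10 until someone with administrative access to the switch mirrors port 1 to Eve's port, which is exactly the weakness described above.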
Routers
A router is a multiport device that decides how to handle the contents of a frame, based on protocol and network information. To truly understand what this means, we must first look at what a protocol is and how it works. Until now, we’ve been happily communicating using the Media Access Control address assigned to our networking devices. Our systems have used this number to contact other systems and transmit information as required.
The problem with this scheme is that it does not scale very well. For example, what if you have 2,000 systems that need to communicate with each other? You would now have 2,000 systems fighting each other for bandwidth on a single Ethernet network. Even if you employ switching, the number of broadcast frames will eventually reach a point where network performance will degrade and you cannot add any more systems. This is where protocols such as IP and IPX come in.