Look at the network in Figure 4.9. Betty needs to send data to the server Thoth. Because everyone on the network is required to monitor the network, Betty first listens for the transmissions of other stations. If the wire is free, Betty will then transmit a frame of data. The bridge is also watching for traffic and will look at the destination address in the header of Betty’s frame. Because the bridge is unsure of which port the system with MAC address 00C08BBE0052 (Thoth) is connected to, it amplifies the signal and retransmits it out Port B. Note that until now the bridge functionality is very similar to that of a repeater. The bridge does a little extra, however; it has learned that Betty is attached to Port A and creates a table entry with her MAC address.
Figure 4.9: Betty transmits data to the server Thoth by putting Thoth’s MAC address into the destination field of the frame.
When Thoth replies to Betty’s request, as shown in Figure 4.10, the bridge will look at the destination address in the frame of data again. This time, however, it finds a match in its table, noting that Betty is also attached to Port A. Because it knows Betty can receive this information directly, it drops the frame and blocks it from being transmitted from Port B. The bridge will also make a new table entry for Thoth, recording the MAC address as being off of Port A.
Figure 4.10: Thoth’s reply to Betty’s message
together. Because stations cannot see transmissions on the other side of the bridge, they assume the network is free and send their data.
Each system only needs to contend for bandwidth with systems on its own segment. This means that there is no way for a station to have a collision outside of its segment. Thus these segments are referred to as collision domains, as shown in Figure 4.11. Notice that one port on each side of the bridge is part of each collision domain. This is because each of its ports will contend for bandwidth with the systems it is directly connected to. Because the bridge isolates traffic within each collision domain, there is no way for separated systems to collide their signals. The effect is a doubling of potential bandwidth.
Figure 4.11: Two separate collision domains
Also notice that splitting the network into two collision domains has increased the security of the network. For example, let’s say that the system named Babylnor becomes compromised. An attacker has gained high-level access to this system and begins capturing network activity in order to look for sensitive information.
Given the above network design, Thoth and Betty would be able to carry on a conversation with relative security. The only traffic that will find its way onto Babylnor’s collision domain is broadcast traffic. You may remember from Chapter 3 that a broadcast frame needs to be delivered to all local systems. For this reason, a bridge will also forward broadcast traffic.
By using a bridge in this situation, you get a double bonus. You have not only increased performance, but security as well.
So what happens when traffic needs to traverse the bridge? As mentioned, when a bridge is unsure of the location of a system it will always pass the packet along just in case. Once the bridge learns that the system is in fact located off of its other port, it will continue to pass the frame along as required.
If Betty begins communicating with Sue, for example, this data will cross the bridge and be transmitted onto the same collision domain as Babylnor. This means that Babylnor is capable of capturing this data stream. While the bridge helped to secure Betty’s communications with Thoth, it provides no additional security when Betty begins communicating with Sue.
In order to secure both of these sessions, you would need a bridge capable of dedicating a single port to each system. This type of functionality is provided in a device referred to as a switch.
Switches
Switches are the marriage of hub and bridge technology. They resemble hubs in appearance, having multiple RJ45 connectors for connecting network systems. Instead of being a dumb amplifier like a hub, however, a switch functions as though it has a little miniature bridge built into each port. A switch will keep track of the MAC addresses attached to each of its ports and route traffic destined for a certain address only to the port to which it is attached.
Figure 4.12 shows a switched environment in which each device is connected to a dedicated port. The switch will learn the MAC identification of each station once a single frame transmission occurs (identical to a bridge).
Assuming that this has already happened, you now find that at exactly the same instant Station 1 needs to send data to Server 1, Station 2 needs to send data to Server 2, and Station 3 needs to send data to Server 3.
Figure 4.12: A switch installation showing three workstations and three servers that need to communicate

There are some interesting things about this situation. The first is that each wire run involves only the switch and the station attached to it. This means that each collision domain is limited to only these two devices, because each port of the switch is acting like a bridge. The only traffic seen by the workstations and servers is any frame specifically sent to them or to the broadcast address. As a result, all three stations will see very little network traffic and will be able to transmit immediately. This is a powerful feature that goes a long way toward increasing potential bandwidth. Given our example, if this is a 10Mbps topology, the effective throughput has just increased by a factor of 3. This is because all three sets of systems can carry on their conversations simultaneously, as the switch isolates them from each other. While it is still technically 10Mbps Ethernet, potential throughput has increased to 30Mbps.
Besides increasing performance dramatically, you have also increased security. If any one of these systems becomes compromised, the only sessions that can be monitored are sessions with the compromised system. For example, if an attacker gains access to Server 2, she will not be able to monitor communication sessions with Servers 1 or 3, only Server 2.
This is because monitoring devices can only collect traffic that is transmitted within their own collision domain. Since Server 2’s collision domain consists of itself and the switch port it is connected to, the switch does an effective job of isolating Server 2 from the communication sessions being held with the other servers.
While this is a wonderful security feature, it does make legitimate monitoring of your network somewhat cumbersome. This is why many switches include a monitoring port.
A monitoring port is simply a port on the switch that can be configured to receive a copy of all data transmitted to one or more ports. For example, you could plug your analyzer into port 10 of the switch and configure the device to listen to all traffic on port 3. If port 3 is one of your servers, you can now analyze all traffic flowing to and from this system.
This can also be a potential security hole. If an attacker is able to gain administrative access to the switch (through telnet, HTTP, SNMP, or the console port), she would have free rein to monitor any system connected to, or communicating through, the switch. To return to our example, if the attacker could access Server 2 and the switch itself, she is now in a perfect position to monitor all network communications.
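The forwarding rule described above for the bridge (learn the source address on the arrival port, filter traffic whose destination is on the same segment, flood unknown destinations and broadcasts) is the same rule a switch applies on every port, and a monitoring port is just a copy of whatever crosses the ports it watches. The following Python model replays the Betty/Thoth/Sue/Babylnor scenario and the Figure 4.12 switch with an analyzer on port 10 watching port 3, and reports which stations can capture each frame off their own wire. It is an added example, not code from the book: the station names and Thoth’s MAC address come from the text, while the other MAC addresses, the port numbering and the `Bridge`, `Frame`, `run_bridge_scenario`, `run_switch_scenario` and `captured_by` names are constructed for this illustration.

```python
"""Learning-bridge / switch forwarding model (added example, not from the book)."""
from dataclasses import dataclass, field

BROADCAST = "FFFFFFFFFFFF"


@dataclass
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address
    note: str  # label used when printing a scenario


@dataclass
class Bridge:
    # port -> set of MACs sharing that wire (a switch has one MAC per port)
    segments: dict
    table: dict = field(default_factory=dict)   # learned MAC -> port
    mirror: dict = field(default_factory=dict)  # monitor port -> watched ports

    def forward(self, in_port, frame):
        """Return the set of ports the frame is retransmitted on."""
        self.table[frame.src] = in_port                     # learn where src lives
        if frame.dst == BROADCAST or frame.dst not in self.table:
            out = {p for p in self.segments if p != in_port}  # flood everywhere else
        elif self.table[frame.dst] == in_port:
            out = set()                                     # same segment: filter it
        else:
            out = {self.table[frame.dst]}                   # known: that one port only
        for mon, watched in self.mirror.items():
            if in_port in watched or out & watched:
                out.add(mon)                                # copy to the analyzer port
        return out

    def observers(self, in_port, frame):
        """Every MAC (other than the sender) that can capture the frame off its wire."""
        seen = set(self.segments[in_port]) - {frame.src}    # shared medium on arrival side
        for p in self.forward(in_port, frame):
            seen |= self.segments[p]
        return seen


# Thoth's address is from the text; the other three are constructed
MAC = {"Betty": "00C08B000001", "Thoth": "00C08BBE0052",
       "Sue": "00C08B000003", "Babylnor": "00C08B000004"}
NAME = {m: n for n, m in MAC.items()}


def run_bridge_scenario():
    """Figures 4.9/4.10, then Betty talking to Sue across the bridge."""
    br = Bridge(segments={"A": {MAC["Betty"], MAC["Thoth"]},
                          "B": {MAC["Sue"], MAC["Babylnor"]}})
    steps = [("A", "Betty", "Thoth"), ("A", "Thoth", "Betty"),
             ("A", "Betty", "Sue"), ("B", "Sue", "Betty"), ("A", "Betty", "Sue")]
    result = []
    for port, src, dst in steps:
        who = br.observers(port, Frame(MAC[src], MAC[dst], f"{src}->{dst}"))
        result.append((f"{src}->{dst}", sorted(NAME[m] for m in who)))
    return result


def run_switch_scenario():
    """Figure 4.12 layout plus an analyzer on port 10 mirroring port 3 (Server 3)."""
    hosts = {"1": "Server 1", "2": "Server 2", "3": "Server 3",
             "4": "Station 1", "5": "Station 2", "6": "Station 3", "10": "Analyzer"}
    mac = {n: f"020000000{int(p):03d}" for p, n in hosts.items()}  # constructed addresses
    by_mac = {m: n for n, m in mac.items()}
    sw = Bridge(segments={p: {mac[n]} for p, n in hosts.items()}, mirror={"10": {"3"}})
    for p, n in hosts.items():                 # one frame each so the switch learns every port
        sw.forward(p, Frame(mac[n], BROADCAST, "announce"))
    pairs = [("4", "Station 1", "1", "Server 1"), ("5", "Station 2", "2", "Server 2"),
             ("6", "Station 3", "3", "Server 3")]
    report = {}
    for sp, s, _dp, d in pairs:                # the three simultaneous conversations
        who = sw.observers(sp, Frame(mac[s], mac[d], f"{s}->{d}"))
        report[f"{s}->{d}"] = sorted(by_mac[m] for m in who)
    return report


def captured_by(report, host):
    """Conversations a given (possibly compromised) host could have captured."""
    return [conv for conv, seen in report.items() if host in seen]


if __name__ == "__main__":
    for label, seen in run_bridge_scenario():
        print(f"bridge  {label:14s} captured by {seen}")
    rep = run_switch_scenario()
    for label, seen in rep.items():
        print(f"switch  {label:22s} captured by {seen}")
    print("Server 2 sees:", captured_by(rep, "Server 2"))
```

Running it shows the two security points from the text: on the bridge, Babylnor captures nothing of Thoth’s reply to Betty but does capture every frame between Betty and Sue, and on the switch a compromised Server 2 captures only its own session while the analyzer on the monitoring port receives the Station 3 to Server 3 traffic it was configured to watch.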
Note: Keep in mind that bridges, switches, and similar networking devices are designed primarily to improve network performance, not to improve security. Increased security is just a secondary benefit. This means that they have not received the same type of abusive, real-world testing as, say, a firewall or router product. A switch can augment your security policy, but it should not be the core device to implement it.