Security risks at the network layer of a LAN



Unsafe areas

Because a local area network delivers frames by broadcast, anyone who can listen on a broadcast domain receives every packet sent within it. An attacker who can capture and analyze those packets can therefore read all of the traffic exchanged in that broadcast domain.


Network segmentation

Network segmentation is a basic but important security measure. Its guiding idea is to isolate unauthorized users from network resources, so that access by unauthorized users is restricted.

Network segmentation can be carried out in two ways: physically and logically.

Physical segmentation usually means dividing the network into a number of segments at the physical layer and data link layer (layers one and two of the ISO/OSI model); hosts in different segments cannot communicate with each other directly. Many current switches have some access-control capability that can be used to implement physical segmentation. Logical segmentation means dividing the whole system at the network layer (layer three of the ISO/OSI model). In a TCP/IP network, for example, the network can be divided into several IP subnets; the subnets must then be connected through routers, routing switches, gateways, firewalls or similar devices, and the security mechanisms of these intermediate devices (software and hardware) are used to control access between the subnets. In practice, physical and logical segmentation are usually combined to achieve network security control.
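The combination of physical (layer-two) and logical (layer-three) segmentation described above can be checked mechanically for a proposed network plan. The following is an added example, not code from the original article; the host inventory, VLAN ids and addresses are constructed for illustration, with the VLAN id standing for the physical segment and the subnet for the logical one. It classifies every pair of hosts by whether traffic between them passes an intermediate device (where access control applies), stays inside one broadcast domain, or cannot flow at all because the two forms of segmentation disagree.

```python
import ipaddress
from itertools import combinations

# Constructed inventory for illustration: host -> (VLAN id, IP address/prefix).
# The VLAN id stands for the physical (layer-two) segment, the subnet for the
# logical (layer-three) segment. Names and addresses are made up.
HOSTS = {
    "db-server":    (10, "10.0.10.5/24"),
    "mail-server":  (10, "10.0.10.6/24"),
    "staff-pc-1":   (20, "10.0.20.11/24"),
    "staff-pc-2":   (20, "10.0.20.12/24"),
    "guest-laptop": (20, "10.0.30.7/24"),    # own subnet, but plugged into the staff VLAN
    "misconfig-pc": (30, "10.0.20.13/24"),   # staff subnet address, but a different VLAN
}


def classify_path(a, b, hosts=HOSTS):
    """Describe how host a reaches host b under combined physical + logical segmentation."""
    vlan_a, ip_a = hosts[a]
    vlan_b, ip_b = hosts[b]
    same_segment = vlan_a == vlan_b
    same_subnet = (ipaddress.ip_interface(ip_a).network
                   == ipaddress.ip_interface(ip_b).network)
    if same_segment and same_subnet:
        # One broadcast domain, one subnet: frames go host to host with no
        # intermediate device, so no access control applies on the path.
        return "direct"
    if not same_segment and not same_subnet:
        # Different segment and subnet: traffic must traverse the router or
        # firewall, which is where access control is enforced.
        return "via-gateway"
    if same_segment and not same_subnet:
        # Logical segmentation only: traffic is still routed, but both hosts
        # share a broadcast domain, so layer-two sniffing and spoofing still apply.
        return "via-gateway-shared-l2"
    # Same subnet but different segments: ARP never crosses the VLAN boundary,
    # so the hosts believe they are local neighbours and cannot reach each other.
    return "unreachable"


def segmentation_report(hosts=HOSTS):
    """Classify every host pair; useful for reviewing a proposed segmentation plan."""
    return {(a, b): classify_path(a, b, hosts) for a, b in combinations(sorted(hosts), 2)}


if __name__ == "__main__":
    for pair, verdict in segmentation_report().items():
        print(f"{pair[0]:>13} -> {pair[1]:<13} {verdict}")
```

The "via-gateway-shared-l2" case is the one worth looking for in a review: the hosts are logically separated, yet they still hear each other's broadcasts, which is exactly the exposure the section on unsafe areas describes.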

VLAN Implementation

VLAN technology is based mainly on recently developed LAN switching technology (ATM and Ethernet switching). Switching turns the traditional broadcast-based LAN technology into a connection-oriented technology, so the network management system can restrict the scope of LAN communication without spending much on routers.

Ethernet is a broadcast mechanism by nature, but with switches and VLAN technology communication in fact becomes point-to-point: unless monitoring is deliberately configured, the information exchanged is not exposed to eavesdropping or to insertion (alteration) by other stations.

The benefits that this mechanism brings to network security are obvious:

Information reaches only the station it is addressed to, which defeats most intrusion tools based on network sniffing.

Through access-control settings for the virtual network, a node in one virtual network cannot directly access nodes within another virtual network.

However, virtual network technology also brings new security issues:

The switching devices that implement virtual networks are more complex and thus become targets of attack. Intrusion techniques based on sniffing broadcast traffic require special setup in a high-speed switched network. MAC-based VLANs cannot prevent MAC spoofing attacks.

VLAN classification based on MAC addresses is exposed to attacks using forged MAC addresses. Dividing VLANs by switch port is therefore best, but this requires that either switching is used right to the desktop or every machine on the segment behind a given switch port belongs to the same VLAN.
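The two points made above, that a switched VLAN delivers known unicast traffic only to its destination port, and that MAC-based VLAN assignment follows a forged source address while port-based assignment does not, can be made concrete with a small model of a learning switch. This is an added example, not code from the original article; the switch model, the four-port topology, the VLAN ids and the MAC addresses are all constructed. The same three frames are pushed through the model under both assignment policies so the difference in where they are delivered can be compared.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ingress_port: int


class Switch:
    """Toy learning switch whose VLAN membership is decided either by ingress
    port ("port" policy) or by the frame's source MAC ("mac" policy).

    port_vlan: port -> VLAN id, used by the "port" policy.
    mac_vlan:  MAC  -> VLAN id, used by the "mac" policy; unknown MACs fall into default_vlan.
    """

    def __init__(self, policy, port_vlan, mac_vlan, default_vlan=999):
        self.policy = policy
        self.port_vlan = port_vlan
        self.mac_vlan = mac_vlan
        self.default_vlan = default_vlan
        self.fdb = {}  # forwarding database: (vlan, mac) -> port where it was last seen

    def vlan_of(self, frame):
        if self.policy == "port":
            return self.port_vlan[frame.ingress_port]
        return self.mac_vlan.get(frame.src, self.default_vlan)

    def members(self, vlan):
        """Ports that currently belong to the VLAN."""
        if self.policy == "port":
            return {p for p, v in self.port_vlan.items() if v == vlan}
        # MAC-based VLANs have no fixed port membership: a port joins a VLAN as
        # soon as a MAC assigned to that VLAN is learned on it.
        return {p for (v, _mac), p in self.fdb.items() if v == vlan}

    def forward(self, frame):
        """Learn the source, then return the set of egress ports that receive the frame."""
        vlan = self.vlan_of(frame)
        self.fdb[(vlan, frame.src)] = frame.ingress_port
        out = self.members(vlan) - {frame.ingress_port}
        dst_port = self.fdb.get((vlan, frame.dst))
        if frame.dst == BROADCAST or dst_port is None:
            return out  # broadcast / unknown destination: flood, but only inside this VLAN
        return {dst_port} & out  # known unicast: delivered to exactly one port


# Constructed topology: ports 1-2 carry the server VLAN 10, ports 3-4 the staff VLAN 20.
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20}
MAC = {p: f"00:00:00:00:00:0{p}" for p in PORT_VLAN}   # the station attached to port p
MAC_VLAN = {MAC[p]: v for p, v in PORT_VLAN.items()}    # intended MAC -> VLAN map


def demo(policy):
    """Run the same three frames through a switch using the given assignment policy."""
    sw = Switch(policy, PORT_VLAN, MAC_VLAN)
    for p in PORT_VLAN:  # each station announces itself so the switch learns its port
        sw.forward(Frame(MAC[p], BROADCAST, p))
    results = {}
    # 1. Known unicast between the two servers: only port 2 sees it, never the staff ports.
    results["server_to_server"] = sw.forward(Frame(MAC[1], MAC[2], 1))
    # 2. The station on staff port 3 sends a frame carrying server 1's MAC address.
    results["spoofed_src_from_port3"] = sw.forward(Frame(MAC[1], BROADCAST, 3))
    # 3. Server 2 then sends a frame to server 1: where does the switch deliver it?
    results["reply_to_server1"] = sw.forward(Frame(MAC[2], MAC[1], 2))
    return results


if __name__ == "__main__":
    for policy in ("port", "mac"):
        print(policy, demo(policy))
```

Under the port policy the forged frame stays in VLAN 20 (it is flooded to port 4 only) and server 2's reply still goes to port 1. Under the MAC policy the forged frame is placed into VLAN 10, reaches server port 2, and overwrites the learned location of server 1, so the reply is delivered to port 3 instead. That is the failure the text warns about, and the reason it recommends port-based assignment.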

Principles for dividing VLANs

The approach to VLAN classification aims to ensure the security of the system, so VLANs can be classified according to system security: for example, the headquarters' server systems, such as database servers and e-mail servers, can be designated as a separate VLAN. VLANs can also be classified according to the organizational structure: for example, the organization's leaders are placed in a Leader VLAN (LVLAN) and the other departments (or subordinate units) each form a VLAN, with the flow of information between the LVLAN and the other VLANs controlled to be one-way, so that the LVLAN can view relevant information in the other VLANs while the other VLANs cannot access information in the LVLAN. Connections within a VLAN are implemented with switches, and connections between VLANs are implemented with routing. Because the control capability of routing is limited, it cannot implement one-way information flow between the LVLAN and the other VLANs; a Gauntlet firewall therefore needs to be set up as an isolating security device between the LVLAN and the other VLANs to control the information exchange between them.
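Why routing alone cannot give the one-way flow described above, and what the firewall between the VLANs adds, is easiest to see by running the same packets through three policies. This is an added example, not code from the original article, and it models only the role such a firewall plays rather than any particular product: the LVLAN and department address ranges, the packet format and the three-packet scenario are constructed. A stateless router ACL either admits department-initiated traffic into the LVLAN (to let replies through) or blocks the replies the LVLAN needs; a device that tracks which side opened each connection can permit the replies and still deny new connections from the department side.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for illustration: the leadership VLAN and one department VLAN.
LVLAN = ipaddress.ip_network("10.0.1.0/24")
DEPT = ipaddress.ip_network("10.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    new_conn: bool  # True for the packet that opens a connection (a TCP SYN)


def _in(ip, net):
    return ipaddress.ip_address(ip) in net


def permissive_acl(pkt):
    """Stateless router ACL that lets the LVLAN reach DEPT and lets replies come back.
    Without connection state it cannot tell a reply from a new connection, so
    DEPT-initiated traffic into the LVLAN is admitted as well."""
    if _in(pkt.src, LVLAN) and _in(pkt.dst, DEPT):
        return "permit"
    if _in(pkt.src, DEPT) and _in(pkt.dst, LVLAN):
        return "permit"
    return "deny"


def strict_acl(pkt):
    """Stateless router ACL that blocks everything from DEPT into the LVLAN.
    DEPT can no longer reach the LVLAN, but the replies the LVLAN needs are
    dropped too, so the LVLAN cannot view DEPT information either."""
    if _in(pkt.src, LVLAN) and _in(pkt.dst, DEPT):
        return "permit"
    return "deny"


class StatefulFirewall:
    """Firewall between the VLANs that remembers which side opened each connection."""

    def __init__(self):
        self.sessions = set()  # (client ip, client port, server ip, server port)

    def evaluate(self, pkt):
        if _in(pkt.src, LVLAN) and _in(pkt.dst, DEPT):
            if pkt.new_conn:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "permit"
        if _in(pkt.src, DEPT) and _in(pkt.dst, LVLAN):
            # Only traffic belonging to a session the LVLAN opened may come back.
            if not pkt.new_conn and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "permit"
        return "deny"


# Constructed traffic: a leader opens a connection to a department server, the
# server replies, then a department host tries to open its own connection into the LVLAN.
SCENARIO = [
    Packet("10.0.1.10", "10.0.2.20", 40000, 443, True),   # LVLAN -> DEPT request
    Packet("10.0.2.20", "10.0.1.10", 443, 40000, False),  # DEPT -> LVLAN reply
    Packet("10.0.2.30", "10.0.1.10", 50000, 445, True),   # DEPT -> LVLAN new connection
]


def run(policy, packets=SCENARIO):
    """Return the verdict for each packet, in order."""
    return [policy(p) for p in packets]


if __name__ == "__main__":
    print("permissive ACL :", run(permissive_acl))
    print("strict ACL     :", run(strict_acl))
    print("stateful fw    :", run(StatefulFirewall().evaluate))
```

Only the stateful device produces the intended result (permit, permit, deny): the LVLAN's request and its reply pass, while the department's attempt to open a connection into the LVLAN is refused.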