Attention: if you think VLAN = security, this article just might burst your bubble! VLAN security is less extensive than LAN security, and it decreases with:
- cable length
- the presence of “Jim” and “Pam”
- the number of ports
using a simple Ethernet cable to connect two VLAN
Experts will tell you that a switch alone can’t connect two VLAN. To do so, they’ll say, you need a router switch, and it needs to be a Level 3 VLAN. Big mistake!
In truth, a lone switch can connect two VLAN, you just need a little cable. And you can do it all on level 1. In fact, as Groucho Marx would say, “Why, this is so simple, a five-year-old child could understand it! (Go find me a five-year-old child; I can't make heads or tails of it.)”
Imagine a switch with two user VLANs. Let’s say VLAN 2 and 3. The first 12 ports are in VLAN 2, the next 12 in VLAN 3. The PC of one employee—we’ll call him Jim—is on port 1, and his colleague, Pam’s PC is on port 20. Jim plugs in an Ethernet cable between port 12 and port 24. Now VLAN 2 and 3 are connected. As long as the IP addresses aren’t duplicated, now Jim can start up an office romance with Pam!
For 2013, I’ll let you in on a “VLAN hopping ” hack that really works.
trick of the trade: an Ethernet loop for dummies
Sometimes you need to use “loops” to make a network run properly. For example, you might need to do so when you’re trying to solve certain IP address problems. My colleagues call this a “hairpin.”
So last Christmas I asked for a marvelous “Etherpin” to connect two VLANs. Here’s what it looks like:
Ethernet loop: the CPL version
To use his Etherpin, our pal Jim needs to access the switch, which is sometimes well hidden under his colleague Dwight’s collection of bobble-head dolls. Since it’s a hassle to push them out of the way, Jim just uses his PLC Etherpin. What will they think of next?
All he needs to do now is look around the office and find an available RJ45 Ethernet outlet that’s also close to an electrical outlet.
All right , no more kidding around now; this part is serious.
I’ve already told you in my first post that no one can continuously and reliably monitor a LAN’s perimeter. Maybe you thought of it as a trivial point at the time, but now you know it’s an issue that deserves some thought.
so what can you do?
Jumping out the window is not an acceptable solution. Read the post again. At the beginning I mention LAN security. Actually, if Jim plugs his PC into a wall outlet in Pam’s office, the end result will be about the same. As long as LAN resources are sufficiently protected, then using an Etherpin will not radically alter the situation.
In my opinion, trying to protect against an Etherpin isn’t worth the trouble. Protecting your LAN is a lot more effective. One easy way to do this is to set up access controls for level 3 protocols and used IP addresses (Access Control List).
Make your resolutions for 2013 . Monitor your level 3 protection, the ACLs you use in each switch, and your network routers. Overhaul the firewall. Review your intrusion detection system...
Pascal
photo credit: copyright Woody - Fotolia.com
Blog post originally published in French here.
I’ve worked on engineering Ethernet switches since 2004. I’m curious by nature, so I wanted to check out what was under the hood, and that’s where I found a mess of protocols. To me, it seems like this field is rarely covered, while the little information that is available is insufficient and often incorrect. So I want to share what I know, mainly based on lab tests and several hundred operational machines.