In general, when you are designing an application you should, at a broader level, consider security at all layers: client, server, network, database, storage, physical location, data center (the list is not complete).
Security is such a vast topic that I plan to write blogs, as and when I get time, to explain its various aspects. When it comes to security I like to slice it into the following areas:
- Client layer security (Examples: anti-virus, GPO policies, encrypting cookies etc.)
- Application security (Examples: authentication, roles, federated single sign on etc.)
- Server security (Examples: patching, HTTP+SSL, GPO policies, anti-virus etc.)
- Storage security (Examples: Encrypting data; database encryption, SAN security etc.)
- Network security (Examples: VLAN, routers, ACL, DMZ, ASA, IDS/IPS etc.)
- Physical location security (Examples: securing premises, policies in place for personnel etc.)
- Security scan tools (Examples: Kali (Backtrack), Metasploit, IBM AppScan etc.)
In this blog I am going to focus on network security, starting with VLANs: how to create and configure them using Cisco’s Packet Tracer (I am using Packet Tracer because GNS3 cannot emulate some of the advanced switching features).
What is VLAN?
A virtual LAN is a concept at OSI layer 2; it provides logical separation of the resources of different departments. Say we have two departments, “Sales” and “Finance”, and we do not want the network traffic of Finance to mingle with that of Sales, in case someone is sniffing packets and gets hold of sensitive information. Does that mean we do not need routers? The answer is “no”: if you want inter-VLAN traffic to flow, you need a router. In the following example I will show how to configure a simple “Router on a Stick” setup to illustrate what I mean by that. I am not going to spend more time in this blog listing the various benefits of VLANs, as I want to focus on hands-on experience first.
In the diagram below I have two switches and a router configured to provide inter-VLAN communication.
Let’s start with the VLAN configuration.
Summary of what the above diagram shows:
I have defined the following VLANs: VLAN 10 and VLAN 20. The diagram shows virtual computers (names starting with the prefix “PC-”) that are assigned either to VLAN 10 or to VLAN 20. This means computers assigned to VLAN 10 will not be able to communicate with computers assigned to VLAN 20 unless the router is configured to allow it. So if we did not have the router in the picture and had just the switches connected to each other, the computers in each VLAN would be isolated from the other VLAN. We can then have users in the “Sales” department use computers connected to VLAN 10 ports on the switch and users in the “Finance” department use computers connected to VLAN 20 ports on the switch.
You might be tempted to ask what prevents users from the “Sales” department from connecting their computers to ports meant for “Finance”. By default, nothing, but you can prevent it from happening with port security techniques such as:
- A hardcoded list of MAC addresses allowed on each switch port
- Allowing sticky MAC addresses with a maximum of “one”, which means the switch stores the MAC address of the first computer connected to the port; if someone later connects a different computer to the same port, the switch automatically disables that port.
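As an added example (not from the original post), here is how both techniques look in Cisco IOS on SW1, assuming the Sales PCs sit on Fa0/2 and Fa0/4 as in the switch configuration later in the post, and using a constructed MAC address for the hardcoded entry:

```cisco
! SW1: Fa0/2 (Sales PC, VLAN 10) uses sticky learning with a maximum of one.
! Port security is only accepted on a port that is already in access mode,
! so "switchport mode access" comes first.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! SW1: Fa0/4 (Sales PC, VLAN 10) uses a hardcoded MAC address.
! 0000.1111.2222 is a constructed example value, not a real host.
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation shutdown
!
! Sticky addresses are learned into the running-config; save it or they are
! lost on reload:
!   copy running-config startup-config
!
! Checks (privileged EXEC): port status, the secured MAC and the violation count
!   show port-security interface FastEthernet0/2
!   show port-security address
!
! With "violation shutdown" a second MAC puts the port into err-disabled.
! "violation restrict" would instead drop the offender's frames and count/log
! the violation while keeping the port up. To bring an err-disabled port back:
!   interface FastEthernet0/2
!    shutdown
!    no shutdown
```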
In the above network diagram the router’s role is to control access to resources across VLANs.
NOTE: When I speak about switches and routers I speak from an OSI layer standpoint: switches operate at Layer 2 (Data Link Layer) and routers operate at Layer 3 (Network Layer). However, this distinction is blurry these days with the use of Layer 3 switches that operate at both OSI layers (2 and 3). What that means is the router functionality is built into the switch and there is no need for a separate router.
Steps done for configuration
SWITCHES
- Let’s configure the interface between SW1 and router R1 as a “trunk” and enable “802.1Q” tagging between SW1 and router R1
!
! SW1 Fa0/1 - trunk towards router R1
! encapsulation is set first: trunk mode is rejected while encapsulation is still auto
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
- Let’s configure the interface between SW1 and SW2 as a “trunk” and enable “802.1Q” tagging between SW1 and SW2
!
! SW1 Fa0/6 - trunk towards SW2
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
Switch ports/interfaces can be set up in the modes listed below:
- a trunk port carries the traffic of multiple VLANs between switches, and between a switch and a router
- an access port connects a computer to one specific VLAN
- then there is dynamic mode, which I am not going to elaborate on, to stay focused on this blog’s topic.
NOTE: In the Cisco world there are two types of tagging, “ISL” and “802.1Q”; the former is Cisco proprietary, the latter is a standard. Some Cisco switches only support 802.1Q tagging, and on those the “switchport trunk encapsulation” command does not exist. Tagging is what allows switches to identify which frame belongs to which VLAN when frames travel between switches.
- Let’s configure the interfaces between SW1 and the PCs as “access” ports and assign a specific VLAN ID to each.
!
! Sales PCs on VLAN 10 (Fa0/2, Fa0/4), Finance PCs on VLAN 20 (Fa0/3, Fa0/5)
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 20
 switchport mode access
That’s it for the switch configuration. The configuration for switch “SW2” is similar, so I will not repeat the steps above.
ROUTER
Let’s define logical sub-interfaces on the router’s link to the switch (SW1), one logical sub-interface per VLAN, and assign a separate subnet to each VLAN as shown below. We need to use “802.1Q” tagging between router and switch (encapsulation dot1Q).
!
! the physical parent interface must be up; the sub-interfaces inherit its state
interface GigabitEthernet0/0
 no shutdown
!
! VLAN 10 (Sales) - this address is the default gateway for the VLAN 10 PCs
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.11 255.255.255.0
!
! VLAN 20 (Finance) - this address is the default gateway for the VLAN 20 PCs
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.11 255.255.255.0
!
That’s it for the router configuration.
COMPUTERS
The only thing left to do is to configure the computers to be in the same subnet as their respective router sub-interface and to make that sub-interface’s IP the default gateway for each computer. I am not going to show how that’s done as it is pretty basic 101; all you need to do is configure the NIC on the computer. You do not need to define any VLAN information on the computers: they are unaware of the VLAN they belong to, and all the VLAN details come from the switch port each computer is connected to.
If you want to configure the NIC on each computer automatically, you can enable DHCP services on the router and hand out the IP address, subnet mask, default gateway etc. from the DHCP server instead of doing it manually on each computer. But since this is just a lab I did it the manual way.
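An added example (not from the original post) of that DHCP setup on router R1, reusing the two subnets and gateway addresses from the sub-interface configuration above; the pool names and the excluded ranges are my own choices:

```cisco
! keep the router's own sub-interface addresses (and a few spares) out of the pools
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.20.1 192.168.20.20
!
! one pool per VLAN subnet; the router serves a request from the pool whose
! network matches the sub-interface the request arrived on, so no relay is needed
ip dhcp pool SALES-VLAN10
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.11
!
ip dhcp pool FINANCE-VLAN20
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.11
!
! check which PC got which lease (privileged EXEC):
!   show ip dhcp binding
```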
One thing to note is that without the router, computers in different VLANs cannot communicate; the router is what routes between the different VLANs. VLAN is a Layer 2 (data link layer) concept, while routers operate at Layer 3 (network layer): routers only know IP and do not understand frames, which is what switches understand. As I said before, this distinction is blurry with Layer 3 switches. I hope to write the next blog on “ACL, DMZ, ASA and IDS/IPS”.