processing).

Broadcasts are used in each and every networking protocol. How often they occur depends upon the protocol, the applications running on the network, and how these network services are used.

To avoid the older, chatty protocols, older applications have been rewritten to reduce their bandwidth needs even though bandwidth availability to desktops has increased since the applications were written. New-generation applications utilizing multimedia—such as video conferencing, Voice Over IP, Web applications, multicast, and unicast—are bandwidth-greedy and like to consume all the bandwidth they can find.

When your company or organization tries to keep up with technology, you’ll find that faulty equipment, inadequate segmentation, non-switched networks, and poorly designed networks each contribute to the problems of broadcast-intensive applications. To add insult to injury, protocol designers have found ways to propagate application data through the switched internetwork. Not only that, but by using applications from the Web that utilize unicast and multicast, you continue to receive constant broadcasts even between routers. The old rule—that a router stops broadcasts dead—doesn’t work.

As an administrator, you must make sure the network is properly segmented, to keep problems on one segment from propagating through the internetwork; you must also create ways of killing the unwanted traffic. You can do so most effectively through a combination of switching and routing. Switches have become more cost effective, allowing many companies to replace their flat network hubs and bridges with a pure switched network utilizing VLANs. As mentioned earlier, all devices in a VLAN are members of the same broadcast domain and receive all broadcasts from members of the same VLAN. The broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN.

Routers and switches that utilize internal route processors (such as RSMs) are used in conjunction with Access layer switches and provide connections between network segments or VLANs. If one VLAN wants to talk to another, the process must be routed at Layer 3. This arrangement effectively stops broadcasts from propagating through the entire internetwork.

Security is also a benefit of VLANs and switches. A flat Layer 2 network has almost no security. Users on every network device can see the conversations that take place between all users and devices on the network. Using certain software, not only can they see the network conversations, they can also alter the data and send it on to its destination; this action is referred to as a man-in-the-middle attack. In a flat network, you cannot stop devices from broadcasting or stop other devices from trying to respond to broadcasts. Your only security lies in the passwords assigned to your workstation or other devices on the network. Unfortunately, those passwords protect only the local machine, not the data traversing the network. Let’s take a better look at how switches improve security in the network.

Switched Internetwork Security

In the previous paragraph, I described the network security issues in a flat internetwork that is implemented by connecting hubs and switches with routers. In this type of network, security is maintained by the router to disallow unwanted access—but anyone connecting to the physical network can easily gain access to the network resources on that physical LAN or network segment. An intrusion in your local network could easily happen when a person (even a somewhat educated employee) runs certain software (like that available in Windows NT) to analyze the network packets and obtain passwords and user information without the knowledge of the network administrators. To make matters worse, in a flat network, the intrusion can be done from any port—even at a user’s desk. The user does not need access to the wiring closet to see all the traffic in that network.

By using switches and implementing VLANs, the switch takes care of making sure that data is sent directly from the port on the switch containing the source node, and that the data only exits out the port on which the destination node resides. The switch also makes sure that when a broadcast is received, only the ports assigned to the VLAN that the source port is a member of receive that broadcast.
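The following Python model is an added illustration of the forwarding behaviour described in this section; it is not code from the book or from Cisco, and it does not model any particular switch product. It compares how a hub, a flat (single-VLAN) switch and a VLAN-aware switch choose the egress ports for a frame, and shows why a frame from one VLAN never reaches another at Layer 2. Port numbers, VLAN ids and MAC addresses are constructed sample values; trunk ports, spanning tree and MAC-table ageing are left out.

```python
"""Constructed model of hub, flat-switch and VLAN-switch forwarding decisions.
Illustrative only: not Cisco code and not a model of any real switch."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str          # source MAC
    dst: str          # destination MAC (BROADCAST for a broadcast frame)
    payload: str = ""


class Hub:
    """A hub (flat network): every frame is repeated out of every other port,
    so any attached host can read everyone's traffic."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        return sorted(self.ports - {in_port})


class Switch:
    """A learning switch with VLAN port membership.

    port_vlan maps port -> VLAN id. With every port in one VLAN this is a plain
    switch. With several VLANs, floods (broadcasts and unknown unicasts) stay
    inside the VLAN of the ingress port, and no frame crosses VLANs at Layer 2;
    that job belongs to a router or an internal route processor.
    """

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)
        # MAC table keyed by (vlan, mac) -> port, filled by source learning
        self.mac_table = {}

    def forward(self, in_port, frame):
        vlan = self.port_vlan[in_port]
        # Learn where the sender lives, scoped to its VLAN
        self.mac_table[(vlan, frame.src)] = in_port
        same_vlan = sorted(p for p, v in self.port_vlan.items()
                           if v == vlan and p != in_port)
        if frame.dst == BROADCAST:
            return same_vlan                      # flood only within the VLAN
        out = self.mac_table.get((vlan, frame.dst))
        if out is None:
            return same_vlan                      # unknown unicast: flood in VLAN
        return [] if out == in_port else [out]    # known: single egress port


def demo():
    """Run the same traffic through each device and return the egress ports."""
    ports = [1, 2, 3, 4, 5, 6]
    # Constructed hosts: A on port 1, B on port 2, C on port 4
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    results = {}

    hub = Hub(ports)
    results["hub_broadcast"] = hub.forward(1, Frame(A, BROADCAST))
    results["hub_unicast"] = hub.forward(2, Frame(B, A))     # everyone sees it

    flat = Switch({p: 1 for p in ports})                    # one VLAN, all ports
    results["flat_broadcast"] = flat.forward(1, Frame(A, BROADCAST))
    results["flat_reply"] = flat.forward(2, Frame(B, A))    # only A's port

    vlan = Switch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20, 6: 20})
    results["vlan_broadcast"] = vlan.forward(1, Frame(A, BROADCAST))  # VLAN 10 only
    results["vlan_reply"] = vlan.forward(2, Frame(B, A))
    # C (VLAN 20) addresses A (VLAN 10): flooded inside VLAN 20, never reaches port 1
    results["vlan_cross"] = vlan.forward(4, Frame(C, A))
    return results


if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name:15} -> ports {egress}")
```

Read the result from the point of view of a host plugged into port 6. On the hub it receives both the broadcast and B's unicast reply, which is the "any port, even a user's desk" exposure described above. On the flat switch it still receives every broadcast, but the unicast reply leaves only through port 1. On the VLAN switch, nothing sent inside VLAN 10 reaches port 6 at all, and C's frame for A is flooded only to the other VLAN 20 ports; getting it to VLAN 10 requires the Layer 3 hop through a router or route processor.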
