CS459/559 - Network Security - Chapter 11: Virtual Networking
- Virtual LANs - a VLAN is a broadcast domain: frames are switched, and broadcasts flooded, only within a VLAN; traffic between VLANs must pass through a router (Layer 3)
- VLAN Advantages
- VLAN model allows for a more policy-based management structure
(managers can group workers according to function rather than physical location)
- network can be managed from a business perspective rather than a technical perspective (managers can assign priorities to different types of traffic)
- DHCP (Dynamic Host Configuration Protocol) hands out the Layer 3 IP addresses; VLAN membership itself is decided at Layer 2
- VLANs are built on switched networks, which forward frames by MAC address
- switching limits attacks with protocol analyzers: a unicast frame is delivered only to the port where the destination MAC was learned, so an analyzer on another port sees only its own VLAN's broadcasts and flooded frames (this stops casual sniffing, not an attacker who floods the switch's MAC table or spoofs ARP inside the VLAN)
- VLAN Types
- Port-based VLAN - membership follows the physical switch port; assignments are static and can be changed only by the administrator
- MAC address VLAN - membership follows the station's MAC address (the VLAN is a grouping of MAC addresses forming one broadcast domain), so a device keeps its VLAN when moved to another port
- Layer 3 VLAN - membership follows the network-layer protocol or subnet; the manager assigns traffic with different protocol requirements to separate VLANs
- Protocol policy VLAN - the administrator designates a field within the frame (for example the EtherType) whose value determines VLAN membership
- Multicast VLAN - a VLAN built around a multicast group, used for newsfeeds and video-conferencing
- Policy-based VLAN - devices are assigned to VLANs by administrator-defined policies, which may combine the criteria above
- Authenticated user VLAN - the user must authenticate to a server before the station is placed in a VLAN, so membership follows the person rather than the port or the hardware address
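The membership rules above and the broadcast-domain point from the start of the chapter, worked through in a toy VLAN-aware switch. This is an added example, not code from the course notes or from any real switch; the topology, the MAC addresses (taken from the IANA documentation block), the EtherType-to-VLAN mapping and the rule precedence (protocol field, then source MAC, then ingress port) are all assumptions made for the illustration.

```python
"""Toy VLAN-aware switch showing (a) that a VLAN is a broadcast domain, so frames
are flooded only to ports of the same VLAN and reach another VLAN only via a router,
and (b) how port-based, MAC-address and protocol-policy membership rules decide a
frame's VLAN.  Added example for these notes; not code from the course or any switch."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137   # the "other protocol" a protocol-policy rule keys on (assumption)


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int


@dataclass
class Switch:
    port_vlan: dict = field(default_factory=dict)   # port -> VLAN (static, admin-set)
    mac_vlan: dict = field(default_factory=dict)    # source MAC -> VLAN
    proto_vlan: dict = field(default_factory=dict)  # EtherType -> VLAN
    cam: dict = field(default_factory=dict)         # learned (vlan, mac) -> port
    num_ports: int = 8

    def classify(self, port, frame):
        """Rule precedence is an assumption of this example:
        protocol field, then source MAC, then ingress port."""
        if frame.ethertype in self.proto_vlan:
            return self.proto_vlan[frame.ethertype]
        if frame.src in self.mac_vlan:
            return self.mac_vlan[frame.src]
        return self.port_vlan.get(port)

    def members(self, vlan):
        """Ports in a VLAN: statically assigned ones plus ports where a member MAC was learned."""
        ports = {p for p, v in self.port_vlan.items() if v == vlan}
        ports |= {p for (v, _mac), p in self.cam.items() if v == vlan}
        return ports

    def forward(self, ingress_port, frame):
        """Return the sorted list of egress ports (empty list = dropped)."""
        vlan = self.classify(ingress_port, frame)
        if vlan is None:
            return []                                  # no membership rule: drop
        self.cam[(vlan, frame.src)] = ingress_port     # address learning is per VLAN
        if frame.dst != BROADCAST:
            known = self.cam.get((vlan, frame.dst))
            if known is not None:                      # known unicast: one port only
                return [] if known == ingress_port else [known]
        # broadcast or unknown unicast: flood, but only inside this VLAN
        return sorted(self.members(vlan) - {ingress_port})


# Constructed topology: ports 1-2 in VLAN 10, 3-4 in VLAN 20, 5-6 in VLAN 30;
# MACs are from the IANA documentation block 00:00:5e:00:53:xx.
HOST_A, HOST_B, HOST_C = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
ROAMER = "00:00:5e:00:53:aa"   # laptop pinned to VLAN 20 by MAC wherever it plugs in


def build_switch():
    return Switch(port_vlan={1: 10, 2: 10, 3: 20, 4: 20, 5: 30, 6: 30},
                  mac_vlan={ROAMER: 20},
                  proto_vlan={ETHERTYPE_IPX: 30})


def scenario():
    """Five constructed frames; each value is the list of ports that receive the frame."""
    sw = build_switch()
    out = {}
    out["arp_broadcast_a"] = sw.forward(1, Frame(HOST_A, BROADCAST, ETHERTYPE_ARP))     # stays in VLAN 10
    out["b_to_a_unicast"] = sw.forward(2, Frame(HOST_B, HOST_A, ETHERTYPE_IPV4))        # learned: port 1 only
    out["c_to_a_cross_vlan"] = sw.forward(3, Frame(HOST_C, HOST_A, ETHERTYPE_IPV4))     # A is unknown in VLAN 20
    out["roamer_on_port1"] = sw.forward(1, Frame(ROAMER, BROADCAST, ETHERTYPE_ARP))     # MAC rule beats port rule
    out["ipx_from_port1"] = sw.forward(1, Frame(HOST_A, BROADCAST, ETHERTYPE_IPX))      # protocol rule beats both
    return out


if __name__ == "__main__":
    for name, ports in scenario().items():
        print(f"{name:20s} -> {ports}")
```

Note that the frame sent from VLAN 20 towards host A never reaches port 1: the switch has no entry for A in VLAN 20 and floods only within VLAN 20, so crossing VLANs requires a router. A sniffer on port 4 likewise never sees the VLAN 10 unicast between A and B, which is the resistance to protocol analyzers claimed above; it would still see anything an attacker manages to get flooded inside VLAN 20.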
- Virtual Private Networks - a private, authenticated and encrypted link carried over a public network such as the Internet (used to build intranets and extranets)
types of VPNs
- directed - the VPN gateway applies per-connection access control using addresses and, with user authentication, user identity, so data may flow only in the permitted direction (sessions are encrypted and the user is authenticated)
- tunneled - whole IP packets are encapsulated inside other IP packets and sent through the tunnel; the tunnel is bidirectional, so a compromise at one end exposes the network at the other end as well
ways to connect to remote sites
- dial-up
- leased-line
- Internet-based
- VPN Security
encryption (place an encryption / authentication device at each node):
- firewalls with encryption
- router with encryption,
- other device
- hardware vs. software encryption
- the encryptor should run on a trusted OS so that its keys and its MAC address are shielded from tampering
- encryption algorithms (the notes list DES, Triple-DES, IDEA and RC4; today DES and RC4 are broken and Triple-DES is deprecated, so current deployments use AES)
use tunneling to shield the source / destination IP addresses of the inner packet (only the tunnel endpoints' addresses are visible on the public network)
- Use IPsec (defines how VPN encryptors authenticate each other and, through its key-exchange protocol IKE, negotiate the algorithm and the encryption keys)
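Tunneling, encryption and hash-based integrity from this section, worked through end to end: an inner IP packet carrying private addresses is encrypted, authenticated with HMAC-SHA256 and wrapped in an outer packet addressed gateway-to-gateway, so an observer on the public network sees only the two gateway addresses. This is an added example, not IPsec and not the code of any product named on this page; the IP protocol number 253, the counter-mode HMAC keystream used in place of a block cipher, the key-separation step standing in for IKE, and the addresses and shared secret are all assumptions of the example.

```python
"""Tunnel-mode encapsulation: an inner IP packet (private addresses) is
encrypted and integrity-protected, then carried inside an outer IP packet whose
only visible addresses are the two VPN gateways.  Added example for these notes;
it is not IPsec and not the code of any product named on the page.  The cipher is
an HMAC-SHA256 counter-mode keystream standing in for the DES/3DES/IDEA/RC4 the
notes list (all deprecated today); a real deployment uses IPsec ESP with AES-GCM."""
import hashlib
import hmac
import ipaddress
import os
import struct

PROTO_TUNNEL = 253  # IP protocol number reserved for experiments (RFC 3692); an assumption here
NONCE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256 output length


def checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ip(pkt):
    """Return the fields an observer can read from an unencrypted IPv4 header."""
    (ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


def derive_keys(shared_secret):
    """Separate encryption and MAC keys from one negotiated secret (stand-in for IKE key derivation)."""
    return (hmac.new(shared_secret, b"enc", hashlib.sha256).digest(),
            hmac.new(shared_secret, b"mac", hashlib.sha256).digest())


def keystream(key, nonce, length):
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(keys, inner_pkt, gw_src, gw_dst, nonce=None):
    """Encrypt-then-MAC the whole inner packet and wrap it in an outer IP header."""
    enc_key, mac_key = keys
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = xor(inner_pkt, keystream(enc_key, nonce, len(inner_pkt)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # secure hash guards integrity
    body = nonce + ct + tag
    return ip_header(gw_src, gw_dst, PROTO_TUNNEL, len(body)) + body


def decapsulate(keys, outer_pkt):
    """Verify the tag before decrypting; raise on any tampering."""
    enc_key, mac_key = keys
    outer = parse_ip(outer_pkt)
    if outer["proto"] != PROTO_TUNNEL:
        raise ValueError("not a tunnel packet")
    body = outer["payload"]
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def demo():
    """Constructed traffic: a host at 10.1.0.7 behind gateway 198.51.100.1 talks to
    10.2.0.9 behind gateway 203.0.113.1 (documentation address ranges)."""
    keys = derive_keys(b"example shared secret")       # constructed, not a real key
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inner = ip_header("10.1.0.7", "10.2.0.9", 6, len(payload)) + payload
    outer = encapsulate(keys, inner, "198.51.100.1", "203.0.113.1")
    seen = parse_ip(outer)                              # what a sniffer on the public net sees
    roundtrip = decapsulate(keys, outer)
    tampered = bytearray(outer)
    tampered[20 + NONCE_LEN] ^= 0x01                    # flip one ciphertext bit in transit
    try:
        decapsulate(keys, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"observer_sees": (seen["src"], seen["dst"], seen["proto"]),
            "roundtrip_ok": roundtrip == inner,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

decapsulate verifies the tag before it decrypts, so a packet whose ciphertext was altered on the public network is rejected instead of being handed to the inner network (demo() flips one bit to show this). The keystream construction is only there so the example runs with the Python standard library; a deployment uses ESP with AES-GCM, and never the DES or RC4 the notes list.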
- VPN Software
- Aventail's MobileVPN & PartnerVPN uses directed VPN model and strong encryption: uses circuit-level proxies at the session layer (authenticates user, not IP address)
- VPLink
- Security technology (Encryption, Authentication, key management)
- Networking technology (IP, frame relay, ATM, Data compression)
- Integration technology (chip level - Application Specific IC integration, System level - APIs [Secure Networking API])
- Uses secure hashing to guarantee the integrity of the data
- Uses SKIP (Simple Key-Management for Internet Protocols): access control, encryption, authentication, key and certificate management
- Digital Secured Network Technology NetFortress - encrypts everything at the network layer; the client's IP and MAC addresses are burned into the device's memory