Segmenting networks with VLANs

Logically Tunneled

Mapping of Devices and Users

Reliably assigning users and devices to the correct VLAN improves security and allows each user to be authenticated and authorized individually. IEEE 802.1X (port-based network access control) provides the mechanism: a node, the supplicant, is authenticated by the authenticator at the network access point, which can be a physical port on the corporate network, a VLAN, or a WiFi network. The authenticator passes the credentials submitted by the supplicant to an authentication server and, depending on the answer, either grants access to the services it offers (LAN, VLAN, or WiFi) or rejects it. Until authorization succeeds, the endpoint can only exchange authentication traffic with the authenticator; afterward it can communicate only within the network resources allocated to it.

The standard uses the Extensible Authentication Protocol (EAP), carried between supplicant and authenticator as EAP over LAN (EAPOL); EAP-TLS, originally specified as the PPP EAP TLS Authentication Protocol, is the commonly recommended certificate-based method. Generally, the authentication server is a RADIUS server, to which the authenticator relays the EAP messages (Figure 2). The network access port is the connection point between the supplicant and the unit to which it wants access. IEEE 802.1X defines three port-control modes for such a port:

  • force-unauthorized: Blocks all access for the supplicant, regardless of whether it could authenticate successfully.
  • force-authorized: Always grants access, without requiring the supplicant to authenticate against the authenticator; this effectively disables 802.1X on that port.
  • auto: Requires successful authentication of the supplicant. Once the supplicant has authenticated, access is granted; otherwise it remains blocked.
Figure 2: Which user belongs where? Authentication via EAP mostly relies on RADIUS.

One big advantage of IEEE 802.1X lies in the RADIUS Access-Accept message the authentication server returns to the authenticator. RFC 2869 (RADIUS Extensions) and RFC 3579 (RADIUS Support for EAP) define how EAP is carried inside RADIUS and supply a large set of attributes the authentication server can hand to the authenticator; the attributes relevant here, Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID, come from RFC 2868 (RADIUS Attributes for Tunnel Protocol Support), and RFC 3580 (IEEE 802.1X RADIUS Usage Guidelines) describes their use for VLAN assignment. At the end of RADIUS authentication, the RADIUS server sends an Access-Accept message to the Network Access Server (NAS), the RADIUS term for the authenticator. If the server appends these three attributes, with Tunnel-Type set to VLAN (13) and Tunnel-Medium-Type set to IEEE-802 (6), the NAS places the supplicant's port in the VLAN named in Tunnel-Private-Group-ID, which carries the VLAN ID (or, on some NAS implementations, a VLAN name) as a string. Because the NAS acts on whatever the server returns, the integrity of this exchange matters: the NAS must verify the Response Authenticator against the shared secret before honoring the attributes (packets that carry EAP-Message must additionally include a Message-Authenticator attribute), and the shared secret should be strong and unique per NAS, since anyone who knows it can forge an Access-Accept that drops a rogue device into any VLAN.
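The exchange described above, as an added example that is not part of the original article: the server side builds an Access-Accept carrying the three tunnel attributes with the RFC 2865 Response Authenticator, and the NAS side verifies that authenticator before extracting the VLAN, rejecting a forged reply and an incomplete attribute set. The shared secret, identifier and VLAN values are constructed for the demonstration; real deployments use the secret configured for each NAS.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute numbers (RFC 2865, RFC 2868, RFC 3580).
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13           # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6      # Tunnel-Medium-Type value "IEEE-802"


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tunnel_attrs(vlan: str, tag: int = 1) -> bytes:
    """The three attributes the authentication server appends to steer the
    supplicant into a VLAN. The tag byte groups them as one tunnel (RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    t = bytes([tag])
    return (attr(ATTR_TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, t + vlan.encode("ascii")))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side. The Response Authenticator is MD5 over code, identifier, length,
    the Request Authenticator, the attributes and the shared secret (RFC 2865 s.3)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def nas_vlan_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """NAS side. Verify the Response Authenticator before trusting anything,
    then return the VLAN from a consistent tunnel attribute set, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                                  # forged, replayed or wrong secret
    try:
        attrs = parse_attrs(packet[20:])
    except ValueError:
        return None
    tunnels = {}                                     # tag -> {"type", "medium", "group"}
    for atype, value in attrs:
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            if len(value) != 4 or value[0] > 0x1F:
                continue
            key = "type" if atype == ATTR_TUNNEL_TYPE else "medium"
            tunnels.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # A leading byte above 0x1F is part of the string, not a tag (RFC 2868 s.3.6).
            tag, group = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})["group"] = group.decode("ascii", "replace")
    for t in tunnels.values():
        if t.get("type") == TUNNEL_TYPE_VLAN and t.get("medium") == TUNNEL_MEDIUM_IEEE_802:
            # An untagged group ID is accepted for a tagged type/medium pair.
            group = t.get("group") or tunnels.get(0, {}).get("group")
            if group:
                return group
    return None


def demo() -> dict:
    """Constructed exchange: the NAS keeps the Request Authenticator it sent,
    the server answers with VLAN 42, and two bad responses are rejected."""
    secret = b"example-shared-secret"                # hypothetical NAS/server secret
    req_auth = os.urandom(16)                        # from the NAS's own Access-Request
    good = build_access_accept(7, req_auth, secret, tunnel_attrs("42"))
    forged = build_access_accept(7, req_auth, b"guessed-secret", tunnel_attrs("1"))
    incomplete = build_access_accept(7, req_auth, secret,
                                     attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"99"))
    return {"good": nas_vlan_from_accept(good, req_auth, secret),
            "forged": nas_vlan_from_accept(forged, req_auth, secret),
            "incomplete": nas_vlan_from_accept(incomplete, req_auth, secret)}


if __name__ == "__main__":
    print(demo())  # {'good': '42', 'forged': None, 'incomplete': None}
```

The Response Authenticator check is what stops a host on the RADIUS path from replying with its own Access-Accept; the NAS must also bind the reply to the identifier and Request Authenticator of an outstanding request, which the demo does by keeping `req_auth`. A production NAS additionally validates the Message-Authenticator attribute on packets carrying EAP-Message and checks that the returned VLAN actually exists on the switch before moving the port.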

Conclusions

In this article, I looked at the technical details of VLANs, which help to set up logical network segments. The devices and services are separated at the software and hardware level thanks to network virtualization, and the data streams can be transmitted in parallel. However, VLANs do not provide truly comprehensive security and must be supplemented by additional security measures, where needed.
