Segmenting networks with VLANs

Logically Tunneled

Mapping of Devices and Users

The safe and reliable assignment of users and devices to the correct VLAN enhances security and allows for unique authentication and authorization of users. With IEEE 802.1X, a node (the supplicant) is authenticated by the authenticator at the network access point, which can be a physical port on the corporate network, a VLAN, or a WiFi network. The authenticator checks the credentials submitted by the node against an authentication server and either grants access to the services it offers (LAN, VLAN, or WiFi) or rejects the request. After authorization, an endpoint can communicate only within the network resources allocated to it.

The standard recommends the Extensible Authentication Protocol (EAP) or the PPP EAP TLS authentication protocol. Typically, the authentication server role is provided by a RADIUS server (Figure 2). The network access port is the connection point between the supplicant and the unit to which it wants access. IEEE 802.1X defines three port access control modes that determine what the supplicant may do:

  • force-unauthorized: Blocks all access by the supplicant, regardless of whether it authenticates successfully.
  • force-authorized: Always grants access to the supplicant, regardless of whether it can authenticate against the authenticator.
  • auto: Requires successful authentication of the supplicant. Once the supplicant has authenticated successfully, access is granted; otherwise access is blocked.

Figure 2: Which user belongs where? Authentication via EAP mostly relies on RADIUS.

One big advantage of IEEE 802.1X is the information the authentication server can return to the authenticator in RADIUS Access-Accept messages. RFCs 2869 and 3579 (RADIUS Extensions) describe a large set of attributes the authentication server can hand to the authenticator. Three interesting attributes here are Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID. At the end of RADIUS authentication, the RADIUS server sends an Access-Accept message to the Network Access Server (NAS). If these three attributes are appended to the Access-Accept message, the NAS can place the supplicant into a VLAN dynamically. The VLAN ID is carried in the Tunnel-Private-Group-ID attribute of the response packet.
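The VLAN assignment just described, as an added example that is not the article's own code: a small Python model of both sides of the exchange. `build_access_accept` produces the reply a RADIUS server would send, and `vlan_from_access_accept` does what a NAS must do before trusting it: verify the Response Authenticator against the shared secret and the Request Authenticator of its own request, group the three tunnel attributes by tag, and accept a VLAN only when Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is IEEE-802 (6). The attribute numbers 64, 65 and 81 and the codes 13 and 6 are the IANA values from RFC 2868 and RFC 3580, which the article does not cite; the shared secret, the Request Authenticator and VLAN ID 100 are constructed sample values.

```python
"""Added example (not from the article): how a NAS reads the VLAN assignment out
of a RADIUS Access-Accept. Attribute numbers and the VLAN/IEEE-802 codes are the
IANA values from RFC 2868/3580; the packet built here is constructed for the
demonstration, not captured from a real server."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TUNNEL_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)


def _attr(atype, value):
    """One RADIUS attribute TLV; the length octet counts the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def _tagged_int(tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet plus a 3-octet integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def response_authenticator(header, request_authenticator, attrs, secret):
    """RFC 2865: MD5(Code+ID+Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(ident, request_authenticator, secret, vlan_id,
                        tag=1, tunnel_type=TUNNEL_TYPE_VLAN):
    """The reply a RADIUS server sends when it wants the supplicant in vlan_id."""
    attrs = (_attr(ATTR_TUNNEL_TYPE, _tagged_int(tag, tunnel_type))
             + _attr(ATTR_TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
             + _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(header, request_authenticator, attrs, secret) + attrs


def verify_response_authenticator(packet, request_authenticator, secret):
    """True only if the reply came from a server that knows the shared secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[:4], request_authenticator, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(payload):
    """Walk the attribute TLVs, refusing truncated or zero-length entries."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def vlan_from_access_accept(packet, request_authenticator, secret):
    """VLAN ID the NAS should assign, or None if the reply carries no usable one.

    Raises ValueError for a reply that fails the authenticator check or is
    malformed; a NAS must not act on such a reply at all.
    """
    if not verify_response_authenticator(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator check failed")
    if packet[0] != ACCESS_ACCEPT:
        return None
    # Group the three tunnel attributes by tag (RFC 2868) so values from two
    # different tunnel groups in one reply are never combined.
    groups = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype not in TUNNEL_ATTRS:
            continue
        if atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00..0x1F is a tag; anything larger is string data.
            tag, data = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
        else:
            if len(value) != 4:
                raise ValueError("tunnel integer attribute must be 4 octets")
            tag, data = value[0], int.from_bytes(value[1:], "big")
        groups.setdefault(tag, {})[atype] = data
    for _tag, g in sorted(groups.items()):
        if (g.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and ATTR_TUNNEL_PRIVATE_GROUP_ID in g):
            text = g[ATTR_TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            # RFC 3580 also allows a VLAN *name* here; mapping names needs the
            # switch's VLAN database, so this example only accepts numeric IDs.
            if text.isdigit() and 1 <= int(text) <= 4094:
                return int(text)
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed sample, never reuse
    req_auth = bytes(range(16))             # constructed Request Authenticator
    reply = build_access_accept(7, req_auth, secret, vlan_id=100)
    print("assign VLAN", vlan_from_access_accept(reply, req_auth, secret))  # assign VLAN 100
```

The authenticator check comes first for a reason: the tunnel attributes are plain text, so a reply whose Response Authenticator does not match must be discarded before its VLAN ID is even looked at, and a VLAN ID outside 1 to 4094 or a tunnel group that is not VLAN over IEEE 802 leaves the NAS on its configured default rather than on a guessed segment.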

Conclusions

In this article, I looked at the technical details of VLANs, which help to set up logical network segments. The devices and services are separated at the software and hardware level thanks to network virtualization, and the data streams can be transmitted in parallel. However, VLANs do not provide truly comprehensive security and must be supplemented by additional security measures, where needed.
