CISSP® Official Study Guide, Eighth Edition



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Virtual LAN

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. By default, all ports on a switch are part of VLAN 1. But as the switch administrator changes the VLAN assignment on a port-by-port basis, various ports can be grouped together and kept distinct from other VLAN port designations. VLANs can also be assigned or created based on device MAC address, mirroring the IP subnetting, around specified protocols, or based on authentication. VLAN management is most commonly used to distinguish between user traffic and management traffic, and VLAN 1 very typically is the designated management traffic VLAN.
VLANs are used for traffic management. Communications between members of the same VLAN occur without hindrance, but communications between VLANs require a routing function, which can be provided either by an external router or by the switch’s internal software (one reason for the terms L3 switch and multilayer switch). VLANs are treated like subnets but aren’t subnets. VLANs are created by switches. Subnets are created by IP address and subnet mask assignments.
VLAN management is the use of VLANs to control traffic for security or performance reasons. VLANs can be used to isolate traffic between network segments. This can be accomplished by not defining a route between different VLANs or by specifying a deny filter between certain VLANs (or certain members of a VLAN). Any network segment that doesn’t need to communicate with another in order to accomplish a work task/function shouldn’t be able to do so. Use VLANs to allow what is necessary and to block/deny anything that isn’t necessary. Remember, “deny by default; allow by exception” isn’t a guideline just for firewall rules but for security in general.
VLANs function in much the same way as traditional subnets. For communications to travel from one VLAN to another, the switch performs routing functions to control and filter traffic between its VLANs.
VLANs are used to segment a network logically without altering its physical topology. They are easy to implement, have little administrative overhead, and are a hardware-based solution (specifically a layer 3 switch). As networks are being crafted in virtual environments or in the cloud, software switches are often used. In these situations, VLANs are not hardware-based but instead are switch-software-based implementations.
VLANs let you control and restrict broadcast traffic and reduce a network’s vulnerability to sniffers because a switch treats each VLAN as a separate network division. To communicate between segments, the switch must provide a routing function. It’s the routing function that blocks broadcasts between subnets and VLANs, because a router (or any device performing layer 3 routing functions such as a layer 3 switch) doesn’t forward layer 2 Ethernet broadcasts. This feature of a switch blocks Ethernet broadcasts between VLANs and so helps protect against broadcast storms. A broadcast storm is a flood of unwanted Ethernet broadcast network traffic.


546 Chapter 12 Secure Communications and Network Attacks
Another element of some VLAN deployments is that of port isolation or private ports. These are private VLANs that are configured to use a dedicated or reserved uplink port. The members of a private VLAN or a port-isolated VLAN can interact only with each other and over the predetermined exit port or uplink port. A common implementation of port isolation occurs in hotels. A hotel network can be configured so that the Ethernet ports in each room or suite are isolated on unique VLANs so that connections in the same unit can communicate, but connections between units cannot. However, all of these private VLANs have a path out to the internet (i.e., the uplink port).
VLANs work like subnets, but keep in mind that they are not actual subnets. VLANs are created by switches at layer 2. Subnets are created by IP address and subnet mask assignments at layer 3.
VLAN Management for Security
Any network segment that does not need to communicate with another to accomplish a work task/function should not be able to do so. Use VLANs to allow what is necessary, but block/deny anything not necessary. Remember, “deny by default; allow by exception” is not just a guideline for firewall rules but for security in general.
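The two VLAN-management rules above (isolate segments by not defining a route between VLANs or by adding a deny filter) and the hotel port-isolation scenario can be modelled in a few lines. The following Python is an added example, not code from the study guide; the port names and VLAN numbers are constructed for illustration.

```python
"""Toy model of VLAN traffic control as the guide describes it.
Added example, not code from the CISSP Official Study Guide; all port
names and VLAN IDs are constructed."""
from dataclasses import dataclass, field


@dataclass
class VlanSwitch:
    # Access port -> VLAN ID. Any port not listed falls into VLAN 1, the default.
    port_vlan: dict[str, int]
    # Inter-VLAN routes the administrator has defined (unordered VLAN pairs).
    routes: set[frozenset[int]] = field(default_factory=set)
    # Deny filters between VLAN pairs; a filter overrides a defined route.
    deny: set[frozenset[int]] = field(default_factory=set)

    def vlan_of(self, port: str) -> int:
        return self.port_vlan.get(port, 1)

    def broadcast_domain(self, port: str) -> set[str]:
        """Ports that receive a layer 2 broadcast sent from `port`.

        The routing function never forwards Ethernet broadcasts, so the flood
        is confined to the sender's VLAN, which is what limits a broadcast storm.
        """
        vid = self.vlan_of(port)
        return {p for p in self.port_vlan if self.vlan_of(p) == vid and p != port}

    def can_communicate(self, src: str, dst: str) -> bool:
        """Same VLAN: unhindered. Different VLANs: only through a defined route
        that is not covered by a deny filter (deny by default, allow by exception).
        """
        a, b = self.vlan_of(src), self.vlan_of(dst)
        if a == b:
            return True
        pair = frozenset((a, b))
        return pair in self.routes and pair not in self.deny


def hotel_switch() -> VlanSwitch:
    """Port isolation as in the hotel example: each suite on its own private
    VLAN, and every suite routed only to the uplink VLAN (constructed numbering).
    """
    sw = VlanSwitch({"suite101-a": 101, "suite101-b": 101,
                     "suite102-a": 102, "uplink": 1})
    for vid in (101, 102):
        sw.routes.add(frozenset((vid, 1)))  # the shared path out to the internet
    return sw
```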
Virtualization 
Virtualization technology is used to host one or more operating systems within the memory of a single host computer. This mechanism allows virtually any OS to operate on any hardware. Such an OS is also known as a guest operating system. From the perspective that there is an original or host OS installed directly on the computer hardware, the additional OSes hosted by the hypervisor system are guests. It also allows multiple operating systems to work simultaneously on the same hardware. Common examples include VMware/vSphere, Microsoft’s Hyper-V, VirtualBox, XenServer, and Apple’s Parallels.
Virtualized servers and services are indistinguishable from traditional servers and services from a user’s perspective.
Virtualization has several benefits, such as being able to launch individual instances of servers or services as needed, real-time scalability, and being able to run the exact OS version needed for the needed application. Additionally, recovery from damaged, crashed, or corrupted virtual systems is often quick: Simply replace the virtual system’s main hard drive file with a clean backup version and then relaunch it.
In relation to security, virtualization offers several benefits. It is often easier and faster to make backups of entire virtual systems than the equivalent native hardware-installed system. Plus, when there is an error or problem, the virtual system can be replaced by a backup in minutes. Malicious code compromise or infection of virtual systems rarely affects the host OS. This allows for safe testing and experimentation.


VM escaping occurs when software within a guest OS is able to breach the isolation protection provided by the hypervisor in order to violate the container of other guest OSs or to infiltrate a host OS. Several escaping vulnerabilities have been discovered in recent times. Fortunately, the vendors have been fast to release patches. For example, Virtualized Environment Neglected Operations Manipulations (VENOM) was able to breach numerous VM products that employed a compromised open-source virtual floppy disc driver to allow malicious code to jump between VMs and even access the host.
VM escaping can be a serious problem, but steps can be implemented to minimize the risk. First, keep highly sensitive systems and data on separate physical machines. An organization should already be concerned about overconsolidation resulting in a single point of failure, so running numerous hardware servers so each supports a handful of guest OSs helps with this risk. Keeping enough physical servers on hand to maintain physical isolation between highly sensitive guest OSs will further protect against VM escaping. Second, keep all hypervisor software current with vendor-released patches (especially with updates related to VM escaping vulnerabilities). Third, monitor attack, exposure, and abuse indexes for new threats to your environment.
Virtualization is used for a wide variety of new architectures and system design solutions. Cloud computing is ultimately a form of virtualization (see Chapter 9, “Security Vulnerabilities, Threats, and Countermeasures,” for more on cloud computing). Locally (or at least within an organization’s private infrastructure), virtualization can be used to host servers, client operating systems, limited user interfaces (i.e., virtual desktops), applications, and more.
