Uses of VLAN (Virtual Local Area Network) in Wireless Network


 


Abstract


            This paper analyses the uses of virtual LANs (VLANs) in a wireless network, including the configuration steps needed to make a VLAN effective. It finds that a VLAN's role is the same in wired and wireless networks: to create logical workgroups that are independent of physical location.


 


Introduction                                                      


            A Virtual Local Area Network (VLAN) is a group of logically networked devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments (Javvin n.d.). VLAN support is built into most firewalls available for both gateway and internal use in the LAN. Today, many organizations rely on VLAN technology as their primary means of separating zones of trust (Tipton & Krause 2006, p. 113).


            More and more people are becoming dependent on wireless computing, primarily because of accessibility: a user can be connected to the network without the limitations of wiring, and hardware can be repositioned freely within a space. Wireless network security is a top concern for the individuals, groups and organizations interested in deploying wireless networks (Cisco 2009). Security is one of the most important factors in a wireless network because the radio medium is more exposed to unauthorized access than a wired network, where an attacker needs physical access to a cable or switch port. Fortunately, both users' knowledge of wireless security and the solutions offered by technology vendors are improving, resulting in more comprehensive security capabilities (Cisco 2009).


 


Literature Review


The application of VLANs in wireless environments is becoming more and more popular. At first, VLANs were used only in wired environments, and all access points were placed on a single VLAN. Over time, however, many enterprise-class wireless devices have come to support VLANs over RF. This makes it possible to place wireless devices into different VLANs while they communicate with the same access point (Wireless Center n.d.).


 


How VLANs Work


            When a LAN bridge receives a frame from a workstation, it can tag the frame with a VLAN identifier that records which VLAN the frame came from; this is called explicit tagging. Alternatively, with implicit tagging, the frame is not tagged, and the VLAN it belongs to is recognized from other information, such as the port on which the frame arrived (Varadarajan 1997).


            VLANs are classified according to the method used for this tagging. To tag frames using any method, the bridge has to keep an updated database that maps VLANs to the fields used for tagging. Using this database, the bridge determines where the frame is to go next, in accordance with normal LAN operation. Once the bridge has determined where the frame should go, it has to decide whether a VLAN identifier should be added before it is sent. If the frame is going to a device that understands VLANs (a VLAN-aware device), the VLAN identifier is added. If it is going to a device that has no knowledge of VLANs (a VLAN-unaware device), the bridge sends the frame without the VLAN identifier (Varadarajan 1997).


 


Types of VLAN Solutions


            Beyond port-based VLANs, there are several common types of VLAN, defined by how the switch classifies traffic: MAC-based, protocol-based and software-defined VLANs (Held 2008, p. 13).


            A MAC-based VLAN uses the 48-bit MAC address for VLAN assignment. A protocol-based VLAN uses Layer 3 data within frames to create VLANs based on the protocol, such as IP or NetWare, or on the IP address if all frames are IP frames. Software-defined VLANs are formed by a switch looking into the frame at Layer 4 through Layer 7 conditions in order to associate the frame with a VLAN (Held 2008, p. 13).


            Membership by port group is the simplest method of defining VLANs: a VLAN is defined by the switch ports assigned to it. With this method, the best implementation is to use Layer 2 switches to collapse shared hubs for increased port density. Configuration is fairly straightforward and is usually done through a command line or a network management application, where the administrator defines a VLAN and associates user ports with it. However, defining VLANs by port group does not allow the same switch port to belong to multiple VLANs, so moving a user to another VLAN means reconfiguring the port, which can be time consuming (Theoharakis & Serpanos 2002, p. 53).
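The explicit and implicit tagging described in the two preceding sections, as an added Python example that is not code from the paper or from Varadarajan or Held. It models a small VLAN-aware bridge: frames arriving on a trunk are classified by their 802.1Q tag, untagged frames by a MAC-based rule, then a protocol-based rule, then the ingress port's VLAN, and the tag is inserted only when the egress port is VLAN-aware. The port names, MAC addresses and VLAN numbers are constructed for the demonstration.

```python
"""VLAN-aware bridge model: explicit 802.1Q tags on trunks, implicit (port-, MAC-
or protocol-based) classification of untagged frames, per-VLAN learning, flooding
confined to the VLAN, and tag insertion only towards VLAN-aware ports."""
import struct
from dataclasses import dataclass, field

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800
ETH_P_IPX = 0x8137     # NetWare IPX
BCAST = b"\xff" * 6

def parse_frame(raw):
    """-> (dst, src, vlan_id or None, ethertype, payload); vlan_id only if 802.1Q-tagged."""
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype == ETH_P_8021Q:
        tci, inner = struct.unpack("!HH", raw[14:18])
        return dst, src, tci & 0x0FFF, inner, raw[18:]
    return dst, src, None, etype, raw[14:]

def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag (PCP + VID) when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (vlan & 0x0FFF))
    return hdr + struct.pack("!H", ethertype) + payload

@dataclass
class Port:
    name: str
    trunk: bool = False                       # VLAN-aware: tagged frames in and out
    pvid: int = 1                             # VLAN for untagged ingress (native VLAN on a trunk)
    vlans: set = field(default_factory=set)   # VLANs the port is a member of

    def __post_init__(self):
        self.vlans = set(self.vlans) | {self.pvid}

@dataclass
class Bridge:
    ports: dict                                     # name -> Port
    mac_vlan: dict = field(default_factory=dict)    # MAC-based rule: src MAC -> VLAN
    proto_vlan: dict = field(default_factory=dict)  # protocol-based rule: EtherType -> VLAN
    fdb: dict = field(default_factory=dict)         # (vlan, mac) -> port name

    def classify(self, port, src, tag, ethertype):
        """An explicit tag is honoured only on a trunk carrying that VLAN; untagged
        frames fall through the MAC rule, the protocol rule, then the port's PVID."""
        if tag is not None:
            return tag if port.trunk and tag in port.vlans else None
        if src in self.mac_vlan:
            return self.mac_vlan[src]
        if ethertype in self.proto_vlan:
            return self.proto_vlan[ethertype]
        return port.pvid

    def receive(self, in_name, raw):
        """Forward one frame; returns {egress port: frame as transmitted}."""
        in_port = self.ports[in_name]
        dst, src, tag, etype, payload = parse_frame(raw)
        vlan = self.classify(in_port, src, tag, etype)
        if vlan is None:
            return {}                                   # tag not allowed here: drop
        self.fdb[(vlan, src)] = in_name                 # learning is per VLAN
        known = self.fdb.get((vlan, dst))
        if known == in_name:
            return {}                                   # destination is behind the ingress port
        if known is not None:
            targets = [known]
        else:                                           # unknown unicast/broadcast: flood inside VLAN
            targets = [n for n, p in self.ports.items() if n != in_name and vlan in p.vlans]
        return {n: build_frame(dst, src, etype, payload,
                               vlan=vlan if self.ports[n].trunk else None) for n in targets}

def demo():
    """Constructed scenario: three access ports, one trunk, a MAC rule and a protocol rule."""
    a, b, c = (b"\x02\x00\x00\x00\x00" + x for x in (b"\x0a", b"\x0b", b"\x0c"))
    br = Bridge(
        ports={"p1": Port("p1", pvid=10), "p2": Port("p2", pvid=20), "p3": Port("p3", pvid=10),
               "t1": Port("t1", trunk=True, pvid=1, vlans={10, 20})},
        mac_vlan={c: 20},               # host C is in VLAN 20 whichever port it plugs into
        proto_vlan={ETH_P_IPX: 20},     # all NetWare IPX traffic goes to VLAN 20
    )
    r = {}
    # 1. A broadcasts untagged on p1 -> VLAN 10 by port: flooded to p3 (untagged) and t1 (tagged 10)
    r["a_bcast"] = br.receive("p1", build_frame(BCAST, a, ETH_P_IP, b"arp"))
    # 2. B replies over the trunk with an explicit VLAN 10 tag -> unicast to p1, tag stripped
    r["b_to_a"] = br.receive("t1", build_frame(a, b, ETH_P_IP, b"ip", vlan=10))
    # 3. B sends a frame tagged VLAN 30, which the trunk does not carry -> dropped
    r["b_vlan30"] = br.receive("t1", build_frame(a, b, ETH_P_IP, b"ip", vlan=30))
    # 4. C broadcasts from p1, but the MAC rule puts it in VLAN 20 -> p2 and t1, never p3
    r["c_bcast"] = br.receive("p1", build_frame(BCAST, c, ETH_P_IP, b"arp"))
    # 5. A sends IPX from p1 -> the protocol rule puts it in VLAN 20
    r["a_ipx"] = br.receive("p1", build_frame(BCAST, a, ETH_P_IPX, b"sap"))
    return r

if __name__ == "__main__":
    for name, out in demo().items():
        print(name, {p: parse_frame(f)[2] for p, f in out.items()})
```

The forwarding database is keyed by (VLAN, MAC) rather than by MAC alone, so the same address can legitimately appear in two VLANs and a frame is never forwarded across a VLAN boundary by a stale entry; the tag on a trunk is trusted only after checking it against the trunk's allowed VLAN set.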


 


Function of VLAN


            VLANs function in much the same way as traditional subnets. For communication to travel from one VLAN to another, the switch operates as a router, controlling, managing and filtering the traffic between its VLANs. VLANs are thus used to logically partition a network without altering its physical topology. They are easy to implement, carry little administrative overhead and are a hardware-based solution. VLANs also let the administrator control and restrict broadcast traffic and reduce the network's exposure to sniffers: broadcast traffic is not automatically forwarded from one VLAN to another, and a sniffer can only see traffic on the segment to which it is connected. The switch's blocking of broadcasts between VLANs also protects against broadcast storms, the flood of unwanted broadcast traffic (Stewart 2004, p. 93).


            VLANs therefore reduce the size of the broadcast domain, cutting the overhead caused by ARP and other broadcast messages. They also facilitate subnet creation: instead of moving cables physically, an administrator can configure VLANs electronically to represent the required subnets, which reduces the effort needed to create a subnet. Above all, VLANs reduce hardware requirements because they eliminate the need to build subnets through cabling (Held 2008, pp. 12-13).


 


Research Methodology


            A quantitative method is used in this study because it allows the research problem to be stated in very specific and set terms (Frankfort-Nachmias & Nachmias 1992). All of the information used in this paper is based on secondary sources: studies, research and papers by other authors on the subject. It draws on online and offline resources such as books, articles and journals to gather information about the topic.


 


Findings and Discussion


 


VLANs in Wireless Network


            VLANs in a wireless environment have the same purpose as in a wired network: to separate devices into groups for specific services. VLANs can thus help to achieve better security, performance and scalability (Hurley & Barken 2006, p. 160).


            In a wireless network there are no cables or ports that a user must connect to. There is therefore a need for a mechanism that separates and identifies wireless users or devices belonging to different VLANs. The basic way of identifying which VLAN a user or device should be mapped to in a wireless environment is the SSID, the public name of a wireless LAN (WLAN). A different and more secure way of defining a user's or device's VLAN assignment on a wireless network is through a RADIUS service. With the SSID approach, SSIDs are mapped to unique VLAN IDs so that the access point can recognize users and connect them to their proper VLAN. SSIDs are not a security mechanism; their purpose is to separate users into groups so that the access point can match an individual device to a properly configured VLAN. Once the user has been mapped to the appropriate VLAN, the device must still pass the VLAN's configured security policy before it is allowed full use of the mapped VLAN on the wired side (Hurley & Barken 2006, p. 160).
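The SSID-to-VLAN mapping and the RADIUS-based assignment described above, as an added Python example that is not code from the paper or from Hurley & Barken. It parses the RFC 2868/RFC 3580 tunnel attributes (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) from a constructed Access-Accept attribute blob and falls back to the SSID's default VLAN when the server sends nothing usable. The SSID names, VLAN numbers and sample attribute bytes are assumptions made for the example.

```python
"""AP-side VLAN assignment for a wireless client: the SSID gives the default
VLAN; a RADIUS Access-Accept carrying the RFC 3580 tunnel attributes
(Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID)
overrides it. RADIUS attributes are Type/Length/Value triples."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13         # RFC 3580: Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 3580: Tunnel-Medium-Type value for 802 media
REQUIRED = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

SSID_VLANS = {"corp": 10, "guest": 20}   # constructed SSID-to-VLAN map (assumption)


def parse_attributes(blob):
    """Parse RADIUS attribute TLVs into a list of (type, value); reject bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def split_tag(value):
    """RFC 2868 tag rule: a leading octet <= 0x1F is a tag that groups related
    tunnel attributes; a larger first octet is data, not a tag."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_radius(attrs):
    """VLAN ID assigned by the Access-Accept, or None. A usable assignment needs
    all three attributes under one tag, naming VLAN over 802, with a numeric ID."""
    by_tag = {}
    for t, v in attrs:
        if t in REQUIRED:
            tag, data = split_tag(v)
            by_tag.setdefault(tag, {})[t] = data
    for tag in sorted(by_tag):
        fields = by_tag[tag]
        if set(fields) != REQUIRED:
            continue
        if (int.from_bytes(fields[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN
                or int.from_bytes(fields[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802):
            continue
        group = fields[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
    return None


def assign_vlan(ssid, access_accept=None, ssid_vlans=SSID_VLANS):
    """None for an unknown SSID (reject); else the RADIUS VLAN if valid, else the SSID default."""
    default = ssid_vlans.get(ssid)
    if default is None:
        return None
    if access_accept:
        assigned = vlan_from_radius(parse_attributes(access_accept))
        if assigned is not None:
            return assigned
    return default


def tunnel_attr(attr_type, tag, value):
    """Encode one tagged tunnel attribute: Type, Length, Tag, Value."""
    return bytes([attr_type, 3 + len(value), tag]) + value


def access_accept_vlan(vlan, tag=0, tunnel_type=TUNNEL_TYPE_VLAN):
    """Constructed sample of the three attributes a RADIUS server sends for a VLAN."""
    return (tunnel_attr(TUNNEL_TYPE, tag, tunnel_type.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode()))


if __name__ == "__main__":
    print(assign_vlan("guest"))                                        # SSID default
    print(assign_vlan("corp", access_accept_vlan(30)))                 # RADIUS override
    print(assign_vlan("corp", access_accept_vlan(30, tunnel_type=1)))  # not a VLAN: default
```

The point of the checks in vlan_from_radius is that a server reply should only move a client off its SSID default when the reply is complete and consistent; an Access-Accept with a stray Tunnel-Private-Group-ID, a non-VLAN Tunnel-Type or an out-of-range ID leaves the client on the SSID's VLAN instead of on whatever VLAN the malformed value happens to parse to.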


 


Compartmentalize Traffic and Improve Performance


            VLANs are useful for gateway control. Gateway solutions create a special subnet for wireless traffic. Instead of using normal routers, these subnets use gateways that require authentication before packets are routed. The subnet can be created with VLAN technology using the IEEE 802.1Q standard. With this standard, administrators can combine selected ports from different switches into a single subnet, even if the switches are geographically separated, as long as VLAN trunking is supported on the intervening switches. Nodes on VLAN ports cannot reach addresses on other subnets without going through a router or gateway, even if those other subnets are located on the same physical switch as the VLAN ports (Tipton & Krause 2006, p. 565).


            After the VLAN is created, administrators need to create a gateway that passes traffic only from authorized users. A VPN gateway can be used because a VPN server requires an authenticated endpoint. Using a VPN server as the gateway requires authentication of the tunnel endpoint and encrypts the wireless stream with a key unique to the tunnel, which eliminates the need to rely on the shared key of WEP. The VPN approach is not always ideal, so a special firewall gateway can be used instead. This can be observed in the case of Georgia Tech, which uses the iptables firewall function of the Linux kernel to provide packet filtering. It uses the VLAN approach to aggregate wireless traffic to one gateway, but instead of a VPN, this gateway is a dual-homed UNIX server running specialized code. When a system joins the wireless network, the firewall/router gives it a DHCP address. To authorize access, the client must open a web browser; the client's HTTP request triggers an automatic redirect to an authentication page on the gateway, and the authentication request is passed to a Kerberos server. If authentication succeeds, a Perl script adds the client's IP address to the rule file, making it a known address to the iptables firewall process (Tipton & Krause 2006, p. 565). Note that such a gateway authorizes by IP address only, so a client on the same VLAN that can take over an authorized address also inherits its authorization; this is the usual limitation of address-based gateways and is one reason the VPN approach, which ties authorization to a keyed tunnel, is preferred where it is practical.


            Over the air, 802.11 data packets may be prioritized using 802.11e Quality of Service (QoS). Although access to the air itself cannot be controlled, access through the wireless access point can be permitted or denied using 802.1X port access control. VLAN tags can tie these wireless security and performance measures to the wired network (SearchNetworking.com 2006).


            For instance, all wireless access points could be grouped into a single VLAN, assigned an identifier not used by any Ethernet workgroup. Edge switches would apply the wireless VLAN tag to packets received from access points. Upstream switches could then funnel all wireless VLAN traffic to the Internet access routers, and network-layer ACLs could prevent wireless VLAN traffic from reaching other destinations inside the company network. One limitation of this scenario is that segregating all arriving wireless traffic in this way is only appropriate where 802.11 is used to offer guest Internet access. Wireless traffic might also be assigned a lower priority so that switches and routers serve other traffic first. A wireless VLAN can also be used to group APs and stations into one IP subnet, independent of location; when a wireless station roams between access points it keeps the same IP address, which avoids TCP session and VPN tunnel disruption. However, this single-VLAN approach suffers the same problem as a physical LAN: as the wireless network grows, the VLAN becomes congested, and as the wireless population becomes more diverse, the workgroups need to be separated into several VLANs (SearchNetworking.com 2006).


            Fortunately, 802.1Q tagging offers the foundation needed to map wireless traffic onto multiple VLANs. When traffic from wireless access points is concentrated through an 802.1Q-capable wireless switch or gateway, that device can tag packets before forwarding them. For instance, a wireless gateway can sit between the access points and a protected network, authenticate stations and then place them into roles, with ACLs and VLAN tags applied to any packet authorized to pass through the gateway (SearchNetworking.com 2006).


            Alternatively, an 802.1Q-capable access point can tag packets arriving over 802.11 before bridging them onto the distribution network. In simple terms, such an access point acts like an edge switch, tagging packets before pushing them over a VLAN trunk to an upstream switch, gateway or router. Instead of basing those tags on the ingress switch port, the AP bases them on the ingress wireless LAN (WLAN) (SearchNetworking.com 2006).


            Either method can be used to separate wireless traffic into as many VLANs as needed to satisfy the network's objectives. For instance, VLANs could separate wireless voice from data, giving RTP priority over the air and on Ethernet. VLANs can also separate management traffic from end-user traffic, which reduces the risk of administrative compromise. Above all, WLANs can use RADIUS to map VLAN tags to traffic streams (SearchNetworking.com 2006).


 


Security


            VLANs can help secure wired and wireless networks if best practices are followed. It is important to restrict management access to the VLAN, so that parties on untrusted networks cannot reach or exploit the management interfaces and protocols. To limit denial-of-service (DoS) attacks against the switching infrastructure, spanning tree and other dynamic protocols should be locked down. Port security should also be used to limit the number of MAC addresses allowed on a port, which protects against MAC flooding attacks (@stake 2002).
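The port-security control and the MAC flooding attack it defends against, as an added Python example that is not code from the paper or from the @stake assessment. The switch keeps a finite CAM (MAC address) table like real hardware; without a per-port limit a flood of forged source addresses fills it, the switch falls back to flooding unknown-unicast frames within the VLAN, and the attacker's port receives frames meant for other stations. With a limit, the offending port is err-disabled after the violation (the "shutdown" action) and the flood never fills the table. The port names, MAC addresses, table size and frame sequence are constructed for the demonstration.

```python
"""Switch CAM table with and without port security, driven by a constructed frame
sequence that includes a MAC-flooding burst from one port."""
from collections import OrderedDict

BCAST = b"\xff" * 6


class Switch:
    def __init__(self, cam_size, port_limit=None):
        self.cam = OrderedDict()        # src MAC -> port; finite like a real CAM
        self.cam_size = cam_size
        self.port_limit = port_limit    # None: no port security configured
        self.port_macs = {}             # port -> MACs counted against the limit
        self.errdisabled = set()        # ports shut down after a violation
        self.violations = []

    def learn(self, port, src):
        """Learn src on port. Returns False when the frame must be dropped
        (port-security violation) or the table is full (entry not learned)."""
        if self.port_limit is not None:
            macs = self.port_macs.setdefault(port, set())
            if src not in macs and len(macs) >= self.port_limit:
                self.errdisabled.add(port)          # violation mode "shutdown"
                self.violations.append((port, src))
                return False
            macs.add(src)
        if src in self.cam:
            self.cam.move_to_end(src)               # refresh the entry, as ageing would
            return True
        if len(self.cam) >= self.cam_size:
            return False                            # table full: address stays unlearned
        self.cam[src] = port
        return True

    def forward(self, port, src, dst, ports):
        """Return the set of ports the frame is transmitted on (all one VLAN)."""
        if port in self.errdisabled:
            return set()
        self.learn(port, src)
        if port in self.errdisabled:                # this very frame caused the violation
            return set()
        out = self.cam.get(dst)
        if out == port:
            return set()
        if out is None:                             # unknown unicast or broadcast: flood
            return set(ports) - {port} - self.errdisabled
        return {out}


def run_scenario(port_limit):
    """Constructed scenario: A on fa0/1, B on fa0/2, attacker on fa0/3, one VLAN."""
    sw = Switch(cam_size=64, port_limit=port_limit)
    ports = ["fa0/1", "fa0/2", "fa0/3"]
    a, b = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b"
    attacker = "fa0/3"
    # 1. the attacker sends 200 frames, each with a different forged source MAC
    for i in range(200):
        forged = b"\x02\x66" + i.to_bytes(4, "big")
        sw.forward(attacker, forged, BCAST, ports)
    # 2. A and B exchange unicast frames; count how many reach the attacker's port
    leaked = 0
    for p, src, dst in [("fa0/1", a, b), ("fa0/2", b, a), ("fa0/1", a, b)]:
        if attacker in sw.forward(p, src, dst, ports):
            leaked += 1
    return {"cam_entries": len(sw.cam), "leaked": leaked,
            "errdisabled": sorted(sw.errdisabled), "violations": len(sw.violations)}


if __name__ == "__main__":
    print("no port security   :", run_scenario(None))
    print("port-security max 2:", run_scenario(2))
```

The model deliberately refuses new entries when the table is full rather than evicting old ones; a real switch ages entries out, which is why a flooding tool keeps transmitting continuously so that legitimate addresses never get relearned. Either way the observable effect is the same: unknown-unicast flooding inside the VLAN, which is what the per-port limit stops at its source.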


            In addition, a group of users that needs an unusually high level of security can be placed in its own VLAN, so that users outside the VLAN cannot communicate with them. This gives greater security, because the group gains a degree of privacy that matters when the data they send and receive is sensitive or confidential. And because VLANs are a logical grouping of users by function, they are independent of physical or even geographic location (Lammle 2007, p. 106).


            Aside from these characteristics, another important security attribute of VLANs is authentication and encryption: each VLAN can have its own authentication and encryption policy (Hurley & Barken 2006, p. 165).


 


Conclusions and Recommendation


            After analyzing the factors associated with the use of VLANs in a wireless environment, it can be said that they serve the same purpose as in a wired network. VLANs separate devices into groups for specific services, which gives better security, performance and scalability (Wall et al. 2004). In a LAN, the stations connected to a switch are members of one broadcast domain: a broadcast packet sent by any station is received by every other station in that domain. As the domain grows, contention and overhead grow with it, and eventually the network becomes congested and bogged down by collisions. This can be prevented by decomposing one physical LAN into several smaller logical broadcast domains, that is, VLANs. Like a physical LAN, VLANs share physical media, but their traffic is segregated into separate broadcast domains, so the stations participating in a VLAN receive packets sent by the other stations in that VLAN and not packets from other VLANs (SearchNetworking.com 2006).


            As a result, VLANs make it possible to manage and control traffic while improving network security, because they group the users of a network and allow only the grouped entities to communicate with one another. This matters because confidential and important information is exchanged over the network. It is the primary reason enterprises use VLANs: they create logical workgroups that are independent of physical location, which lets an organization classify its internal groups according to their level of trust on the network.


 


            In short, VLANs help to compartmentalize traffic, improve performance and strengthen security in both wired and wireless networks. Yet VLANs must be configured with care to avoid mistakes that hold back correct operation or compromise security (SearchNetworking.com 2006). The Certified Wireless Security Professional (CWSP) Study Guide recommends the following:



  • Traffic pushed over trunks between access points and switches should be filtered to allow only packets belonging to active wireless VLANs;

  • To avoid dynamic VLAN reconfiguration, access points should not use the Generic VLAN Registration Protocol (GVRP);

  • Broadcast and multicast traffic to the AP should be filtered, for instance by using Internet Group Management Protocol (IGMP) snooping;

  • ACLs should be used to map wireless security onto the wired infrastructure;

  • ACLs should be used to prevent end users from accessing the access point's default VLAN (SearchNetworking.com 2006).


 


References


Cisco 2009, Securing Wireless Networks, viewed 22 April 2009, < http://www.cisco.com/en/US/solutions/collateral/ns339/ns639/ns642/net_customer_profile0900aecd803ee938.html >


Held, G 2008, Carrier Ethernet: Providing the Need for Speed, CRC Press


Hurley, C & Barken, L 2006, How To Cheat At Securing A Wireless Network, Syngress


Javvin n.d., VLAN: Virtual Local Area Network and IEEE 802.1Q, viewed 22 April 2009, <http://www.javvin.com/protocolVLAN.html>


Lammle, T 2007, CCNA: Cisco Certified Network Associate: Fast Pass, John Wiley and Sons


SearchNetworking.com 2006, Using VLAN to Compartmentalize WLAN Traffic, viewed 23 April 2009, <http://searchnetworking.techtarget.com/generic/0,295582,sid7_gci1168965,00.html>


Stewart, J M 2004, Security Fast Pass, John Wiley and Sons


Tipton, H & Krause, M 2006, Information Security Management Handbook, CRC Press


Varadarajan, S 1997, Virtual Local Area Network, viewed 22 April 2009, < http://www.cse.wustl.edu/~jain/cis788-97/ftp/virtual_lans/#WhatVLAN>


Wall, D, Kanclitz, J, Jing, Y, Faircloth, J & Barrett, J 2004, Managing and Securing a Cisco Structured Wireless-Aware Network, Syngress


Wireless Center n.d., Deploying VLANs over Wireless, viewed 23 April 2009, <http://www.wireless-center.net/news/Deploying-VLANs-over-Wireless.html>


@stake 2002, Secure Use of VLANs: An @stake Security Assessment, viewed 23 April 2009, <http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf>


 


 


 



Credit:ivythesis.typepad.com

