
By Kelly Jackson Higgins
It's been floating on the Web for months now--a hacker's recipe for breaking into a major ATM switch. The mere existence of such a blatant security threat made Christopher Newport University's decision last year to drop ATM for Gigabit Ethernet look all the more significant. VLANs (virtual LANs) play a huge role at the school, and they are a lot safer in the university's new IP-based gigabit network architecture, which comprises close to 30 VLANs that divide the network into logical workgroups, such as a particular dormitory, a student club or the university administration. CNU also is deploying VLAN "tagging" technology, which allows a switch port or server to be configured to support multiple VLANs. "Our VLANs isolate equipment and keep it safe," says John Savage, computer systems senior engineer for the liberal arts university in Newport News, Va.
Unlike CNU's old ATM VLANs, which were based on IP addresses alone and thus vulnerable to attack, Gigabit Ethernet VLANs build IP-based workgroups on physical switch-port membership. These workgroups are invisible to one another even though they run on the same physical network. VLAN tagging lets workgroups share peripherals and servers.
With CNU's four Alteon ACEswitch 180 Gigabit Ethernet switches, which handle all IP routing, Savage and other network-support technicians configure the switch ports to determine which workstations and workgroups can talk to which VLANs. If a student is assigned only to the student computer laboratory on VLAN #10, for instance, he or she can't stray from the confines of that lab network. Even if a rogue student somehow captured the Ethernet switch's IP address and password, he or she still couldn't reach the switch itself or a VLAN of which the student wasn't a member, such as a faculty VLAN, Savage says.
"You can't physically reach the switch without kicking down the door and breaking into it manually," he says.
Meanwhile, VLAN tagging lets CNU put high-end shared servers such as its e-mail server in multiple VLANs to avoid excess routing, and thereby improve performance.
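The isolation described above (an access port pinned to one VLAN, a tagged server port that belongs to several) can be modelled in a few dozen lines. The following is an added example, not Alteon or CNU code: a toy port-based switch that classifies each frame by the ingress port's untagged VLAN or its 802.1Q tag, drops tagged frames a port is not entitled to send, and floods only to ports that are members of that VLAN. The student lab's VLAN 10 comes from the article; the faculty and administration VLAN IDs, port names and mail-server placement are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Added example: a small model of a port-based VLAN switch with 802.1Q tagging.
# It is not Alteon or CNU code; port names and VLAN IDs other than the student
# lab's VLAN 10 are assumed for illustration.


@dataclass
class Port:
    name: str
    pvid: int                                      # VLAN assigned to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)  # VLANs carried with an 802.1Q tag


@dataclass
class Frame:
    ingress: str                    # port the frame arrived on
    vlan_tag: Optional[int] = None  # 802.1Q VID, or None for an untagged frame
    payload: str = ""


class VlanSwitch:
    """Floods each frame to every other port that is a member of the frame's VLAN."""

    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def classify(self, frame: Frame) -> Optional[int]:
        """Decide which VLAN a frame belongs to, or None if it must be dropped.

        Untagged frames take the ingress port's PVID, so a host on an access port
        can only ever speak on the VLAN the administrator assigned to that port.
        A tagged frame is accepted only if the ingress port is a tagged member of
        that VLAN (ingress filtering); an access port cannot inject into others.
        """
        port = self.ports[frame.ingress]
        if frame.vlan_tag is None:
            return port.pvid
        if frame.vlan_tag in port.tagged:
            return frame.vlan_tag
        return None

    def forward(self, frame: Frame) -> Dict[str, Optional[int]]:
        """Return {egress_port: tag} for every port that receives the frame.

        The tag is the VID if the egress port carries the VLAN tagged, or None
        if the frame leaves untagged (the port's PVID matches). Ports that
        belong only to other VLANs never appear in the result.
        """
        vlan = self.classify(frame)
        if vlan is None:
            return {}
        out: Dict[str, Optional[int]] = {}
        for name, port in self.ports.items():
            if name == frame.ingress:
                continue
            if vlan in port.tagged:
                out[name] = vlan
            elif port.pvid == vlan:
                out[name] = None
        return out


def build_switch() -> VlanSwitch:
    """Constructed topology: student lab on VLAN 10 (as in the article), a faculty
    VLAN 20 and an administration VLAN 30 (assumed IDs), plus a mail server on a
    tagged port that is a member of all three so no router hop is needed."""
    sw = VlanSwitch()
    sw.add_port(Port("lab-1", pvid=10))
    sw.add_port(Port("lab-2", pvid=10))
    sw.add_port(Port("faculty-1", pvid=20))
    sw.add_port(Port("admin-1", pvid=30))
    # Native VLAN 1 is unused here; the server talks tagged on 10, 20 and 30.
    sw.add_port(Port("mail-server", pvid=1, tagged={10, 20, 30}))
    return sw


if __name__ == "__main__":
    sw = build_switch()
    print(sw.forward(Frame("lab-1")))                     # lab-2 and mail-server only
    print(sw.forward(Frame("lab-1", vlan_tag=20)))        # {} : lab port cannot reach faculty VLAN
    print(sw.forward(Frame("mail-server", vlan_tag=20)))  # faculty-1 only
```

The second call is the case Savage describes: a host on a student-lab port cannot reach the faculty VLAN even if it forges a tag, because the switch decides membership per port, not per host.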
VLANs have a catch: While they may be easy to configure, doing so requires some knowledge of just how users on the virtual networks work together. "You have to know who's in a logical workgroup and who's doing what," Savage says. "If you're setting up a VLAN and you don't know who is doing what kinds of work with whom, you can easily set it up incorrectly."
CNU enjoys yet another level of security with its new Alteon gigabit-speed switches--IP filtering transforms the switches into mini-firewalls that determine who can go where based on IP addresses. That's safer than ATM-based VLANs, according to Savage. "You can set up filtering rules to allow and disallow access," he says. "It's not a full-blown router, but it satisfies internal security needs," such as keeping student LANs separate from administrative ones.
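The "allow and disallow" filtering Savage describes is a first-match access list keyed on source and destination addresses. The following is an added example, not Alteon code: a minimal evaluator for such rules, with a constructed address plan (a student-lab subnet, an administration subnet and a shared mail server; none of these are CNU's real addresses) and a check that the student-to-administration path stays closed. It also shows why rule order matters, which is the kind of mistake the article warns is easy to make.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: a first-match IP filter evaluator modelling the allow/deny rules
# the article describes. It is not Alteon code; the subnets, ports and rule set
# are constructed for illustration.

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: Net
    dst: Net
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None # destination port; None matches any port

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "any",
             dport: Optional[int] = None, default: str = "deny") -> str:
    """Return the action of the first matching rule, or `default` if none matches.

    Ordering matters: a broad allow placed before a narrow deny silences the
    deny, which is the classic misconfiguration when rules are edited in place.
    """
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default


# Constructed address plan (assumed, not CNU's): student lab VLAN, administration
# VLAN, and a shared mail server reachable from both.
STUDENT_LAB = Net("10.10.0.0/16")
ADMIN = Net("10.30.0.0/16")
MAIL_SERVER = Net("10.99.0.25/32")
ANY = Net("0.0.0.0/0")

CAMPUS_RULES: List[Rule] = [
    Rule("allow", STUDENT_LAB, MAIL_SERVER, "tcp", 25),   # students may send mail
    Rule("allow", STUDENT_LAB, MAIL_SERVER, "tcp", 110),  # ...and fetch it over POP3
    Rule("deny", STUDENT_LAB, ADMIN),                     # never into the admin VLAN
    Rule("allow", ADMIN, ANY),                            # staff are unrestricted
]


def student_to_admin_blocked(rules: List[Rule] = CAMPUS_RULES) -> bool:
    """Check to run after editing rules: confirm the student-to-administration
    path is still closed for a handful of representative protocols and ports."""
    probes = [("tcp", 22), ("tcp", 445), ("udp", 53), ("icmp", None)]
    return all(evaluate(rules, "10.10.4.7", "10.30.0.10", p, d) == "deny"
               for p, d in probes)


if __name__ == "__main__":
    print(evaluate(CAMPUS_RULES, "10.10.4.7", "10.99.0.25", "tcp", 25))  # allow
    print(evaluate(CAMPUS_RULES, "10.10.4.7", "10.30.0.10", "tcp", 22))  # deny
    print(evaluate(CAMPUS_RULES, "10.30.0.10", "10.10.4.7", "tcp", 22))  # allow
    print(student_to_admin_blocked())                                    # True
    # Prepending a broad "students may go anywhere" rule silently reopens the path.
    print(student_to_admin_blocked([Rule("allow", STUDENT_LAB, ANY)] + CAMPUS_RULES))  # False
```

The default-deny fallback is what keeps an unlisted flow closed; a practitioner would rerun the `student_to_admin_blocked` check every time the list is edited, since a single reordered or over-broad rule is enough to undo the separation.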