3.3.2 VLANs (Virtual LANs)

A VLAN, or Virtual LAN, is a logical subnet created through the configuration of network switches. It may be part of a larger LAN or WAN. One benefit of VLANs is that you get the advantages of a subnet without requiring hosts to be in physical proximity to each other, or connected to the network using the same physical technology (such as 100BaseT UTP vs. fiber). Switches and other network devices can be configured to pass data that would not normally be passed between subnets (such as broadcast packets) so that it is shared among multiple physical subnets, via a trunking protocol such as the emerging 802.1q standard or the more secure 802.10 standard. Conversely, you can also use VLAN technology to break a single physical subnet into multiple logical subnets, reducing collisions and broadcast overhead.

An investigation into the security vulnerabilities of VLANs reveals that it is not wise to assume that partitioning your network into VLANs provides the same level of protection as subnetting it or carefully designing a routed network that directs traffic appropriately. Researchers discovered through experimentation that it is possible to get 802.1q trunking frames to hop into a switch's non-trunk ports and be delivered to their destination, and that it is possible to get 802.1q frames to hop from one VLAN to another if the frames are sent through a switch port attached to the native VLAN of the trunk port. While an attacker requires some network knowledge (such as the MAC address of the target machine and VLAN trunk configuration data) and access (to a switch port on the same VLAN that the trunk port's native VLAN is assigned to) to pull this off, it is often not impossible, depending on the configuration of the VLAN.[330]
__________________
330. Taylor, David. "Are There Vulnerabilities in VLAN Implementations?" http://www.sans.org/resources/idfaq/vlan.php
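The hopping technique described above leaves a recognisable trace on the wire: a frame carrying a stacked pair of 802.1q tags, with the outer tag set to the trunk's native VLAN, arriving on a port where a host should only be sending untagged frames. The following Python is an added example written for this guide (it is not code from CertiGuide or from the SANS paper cited above). It parses the 802.1q tag stack of an Ethernet frame and applies a simple access-port policy check that a monitoring tool or span-port sensor could run. The frame-building helper, the sample MAC addresses, the VLAN numbers and the native VLAN of 1 are all constructed for the demonstration.

```python
"""Parse 802.1q tag stacks and flag the tag patterns associated with VLAN hopping.

Added example for this section; frames and VLAN numbers below are constructed.
"""
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q tag protocol identifier (C-tag)
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (S-tag); treated as a tag as well

# Policy finding labels returned by check_access_port_frame()
TAGGED_ON_ACCESS = "tagged-frame-on-access-port"
DOUBLE_TAGGED = "double-tagged-frame"
OUTER_IS_NATIVE = "outer-tag-matches-native-vlan"


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into MACs, the list of stacked VLAN IDs, EtherType and payload.

    Tags are walked from the outside in; a 12-bit VLAN ID of 0 means the tag
    carries priority information only and assigns no VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a minimal Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    vlans = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside an 802.1q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return {
        "dst": dst,
        "src": src,
        "vlans": vlans,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def check_access_port_frame(frame: bytes, native_vlan: int) -> list:
    """Apply an access-port policy: hosts on access ports send untagged frames.

    Returns a list of finding labels (empty when the frame is unremarkable).
    Priority-only tags (VLAN ID 0) are ignored, since they assign no VLAN.
    """
    vids = [v for v in parse_frame(frame)["vlans"] if v != 0]
    findings = []
    if vids:
        findings.append(TAGGED_ON_ACCESS)
    if len(vids) >= 2:
        findings.append(DOUBLE_TAGGED)
    if vids and vids[0] == native_vlan:
        findings.append(OUTER_IS_NATIVE)
    return findings


def build_frame(dst: str, src: str, vlans: list, ethertype: int, payload: bytes) -> bytes:
    """Construct a test frame with the given stack of 802.1q tags (outermost first)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def sample_frames() -> dict:
    """Constructed frames: a normal host frame, a single-tagged one, and a double-tagged one."""
    dst, src = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed MACs
    body = b"\x00" * 46  # padding in place of a real IP packet
    return {
        "untagged": build_frame(dst, src, [], 0x0800, body),
        "single_tag": build_frame(dst, src, [10], 0x0800, body),
        "double_tag": build_frame(dst, src, [1, 20], 0x0800, body),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        parsed = parse_frame(frame)
        print(f"{name:11} vlans={parsed['vlans']} findings={check_access_port_frame(frame, native_vlan=1)}")
```

The check deliberately keys on the outer tag equalling the trunk's native VLAN, because that is the condition the paragraph identifies: the switch strips an untagged-native outer tag and forwards the still-tagged inner frame into the second VLAN. A sensor placed on a mirrored access port that sees `double-tagged-frame` together with `outer-tag-matches-native-vlan` has a concrete indicator to alert on, and the same parser can be pointed at trunk traffic to verify that only the expected VLAN IDs appear.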
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0, Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.