Page 896 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. By default, all ports on a switch are part of VLAN 1. As the switch administrator changes the VLAN assignment on a port-by-port basis, various ports can be grouped together and kept distinct from other VLAN port designations. VLANs can also be assigned or created based on device MAC address, mirroring the IP subnetting, around specified protocols, or based on authentication. VLAN management is most commonly used to distinguish between user traffic and management traffic, and VLAN 1 is very typically the designated management traffic VLAN.

VLANs are used for traffic management. Communications between members of the same VLAN occur without hindrance, but communications between VLANs require a routing function, which can be provided either by an external router or by the switch's internal software (one reason for the terms L3 switch and multilayer switch). VLANs are treated like subnets but aren't subnets. VLANs are created by switches. Subnets are created by IP address and subnet mask assignments.

VLAN management is the use of VLANs to control traffic for security or performance reasons. VLANs can be used to isolate traffic between network segments. This can be accomplished by not defining a route between different VLANs or by specifying a deny filter between certain VLANs (or certain members of a VLAN). Any network segment that doesn't need to communicate with another in order to accomplish a work task/function shouldn't be able to do so. Use VLANs to allow what is necessary and to block/deny anything that isn't necessary. Remember, "deny by default; allow by exception" isn't a guideline just for firewall rules but for security in general.

VLANs function in much the same way as traditional subnets. For communications to travel from one VLAN to another, the switch performs routing functions to control and filter traffic between its VLANs.
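The points above in a concrete form, added here as an example that is not part of the study guide: a Cisco IOS-style switch configuration (the syntax is assumed; the interface numbers and addresses are constructed) that moves user and server ports off the default VLAN 1, keeps VLAN 1 for management, routes between VLANs inside the switch, and applies "deny by default; allow by exception" filters so user hosts can reach only the one service they need.

```cisco
! Constructed example: L3 switch. VLAN 1 is left as the management VLAN,
! users go to VLAN 10, servers to VLAN 20. Ports not reassigned stay in VLAN 1.
vlan 10
 name USERS
vlan 20
 name SERVERS
!
! Access ports: VLAN membership is assigned port by port.
interface range GigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/13
 switchport mode access
 switchport access vlan 20
!
! Routing between VLANs is done by the switch itself (multilayer switch).
ip routing
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 ip access-group MGMT-OUT out
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group USERS-IN in
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
!
! Deny by default; allow by exception. Applied inbound on the VLAN 10 SVI,
! this filter sees only traffic leaving VLAN 10; intra-VLAN traffic never
! reaches it, so membership in VLAN 10 is itself a trust decision.
ip access-list extended USERS-IN
 permit tcp 10.0.10.0 0.0.0.255 host 10.0.20.10 eq 443
 deny   ip  any any log
!
! Traffic entering the management VLAN: only the admin workstation.
ip access-list extended MGMT-OUT
 permit ip host 10.0.20.50 10.0.1.0 0.0.0.255
 deny   ip  any any log
```

The explicit deny entries carry `log` so that blocked inter-VLAN attempts show up in the switch log, which is where a violation of the "allow only what is necessary" rule is first noticed.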

VLANs are used to segment a network logically without altering its physical topology. They are easy to implement, have little administrative overhead, and are a hardware-based solution