The first issue is the shared-media nature of legacy
networks. Whenever a station transmits in a shared network, such
as a legacy half-duplex 10BASE-T hub, every station attached to the
segment receives a copy of the frame, even if it is not the intended
recipient. This does not prevent the network from functioning: a normal
network interface simply discards frames that are not addressed to it.
An interface placed in promiscuous mode, however, passes every frame up to
software, and readily available packet-capture packages do exactly that.
Anyone running such a package can capture passwords, sensitive e-mail, and
any other traffic sent in cleartext on the segment.
If all the users on the segment belong to the same
department, this might not be disastrous, but when users from several
departments share a segment, undesirable captures can occur.
If someone in human resources or accounting sends sensitive data such
as salaries, stock options, or health records across the shared segment,
anyone with a network monitoring package can read that information.
Neither of these scenarios is confined to a single
segment. The same problem arises in multisegment environments
interconnected with routers. In the figure,
the accounting department resides on two separate segments. For users on
one segment to reach users on the other, their frames must
cross the engineering segment, and while they are on that segment
they can be captured and misused.
One way to eliminate the problem is to move all
accounting users onto the same segment. However, this is not always
possible: space limitations might prevent all
accountants from sharing a common part of the building, or the
geographical makeup of the company might place the users on one
segment a considerable distance from the users on the other
segment.
Another approach is to use VLANs, which
let you place all users of one business process in the same broadcast
domain and isolate them from users in other broadcast domains. You can
assign all accounting users to the same VLAN, regardless of their
physical location in the facility, because VLAN membership is decided
per switch port rather than by where the cable happens to run. You can
therefore assign users to a VLAN based on their job function: keep all the
accounting users on one VLAN, the marketing users on another, and
engineering on a third.
By building VLANs on switched network devices, you
add another level of protection. A switch bridges traffic within a
VLAN: it learns which port each source MAC address arrived on, and when
a station transmits a known unicast frame, the switch forwards it out the
one port on which it learned the destination address and nowhere else.
Broadcast, multicast, and unicast frames to an address the switch has not
yet learned are still flooded to every port in that VLAN, but never into
another VLAN.
In the figure, Station A
transmits a frame to Station B, which is attached to another Catalyst® Switch.
Although the frame crosses through a Catalyst Switch, only the
destination receives a copy once the switches have learned B's address.
The switches filter the frame from all other stations, whether they belong
to a different VLAN or to the same VLAN. This behavior limits the
opportunity for someone to capture packets with a network analyzer, because a
station on another port sees only the broadcast and flooded traffic of its own
VLAN, not the unicast conversations of its neighbors.
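As an added illustration of the two preceding points, the VLAN membership by port and the switch's forwarding rules, the following Python model contrasts frame delivery on a shared hub with delivery on a VLAN-aware learning switch. This is not Cisco code and does not come from the original document: port names, VLAN numbers and MAC addresses are made up, and the switch model assumes untagged access ports (one VLAN per port, no trunks) and ignores spanning tree.

```python
"""Model of frame delivery on a shared hub versus a VLAN-aware learning switch.

Added illustration only, not Cisco code. Port names, VLAN numbers and MAC
addresses are made up; the switch assumes untagged access ports (one VLAN
per port, no trunks) and ignores spanning tree.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Legacy shared medium: every station except the sender hears every frame."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        # Source and destination addresses are irrelevant to a hub.
        return self.ports - {in_port}


class VlanSwitch:
    """Transparent learning bridge with one MAC table per VLAN."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)      # port -> access VLAN
        self.mac_table = defaultdict(dict)    # vlan -> {mac: port}

    def members(self, vlan):
        return {p for p, v in self.port_vlan.items() if v == vlan}

    def forward(self, in_port, src, dst):
        """Return the set of ports that receive a copy of the frame."""
        vlan = self.port_vlan[in_port]
        # Learn: the source MAC is reachable through the ingress port.
        self.mac_table[vlan][src] = in_port
        known = self.mac_table[vlan].get(dst)
        if dst != BROADCAST and known is not None:
            # Known unicast: exactly one port, and never back out the ingress port.
            return set() if known == in_port else {known}
        # Broadcast, or unicast to a not-yet-learned MAC: flood, but only
        # within this VLAN. Other VLANs never see the frame.
        return self.members(vlan) - {in_port}


def demo():
    """Walk through the scenarios in the text and return who sees what."""
    # Made-up topology: VLAN 10 = accounting (three ports), VLAN 20 = engineering.
    port_vlan = {"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 10, "Fa0/4": 20, "Fa0/5": 20}
    a, b, c = "00:00:0c:00:00:0a", "00:00:0c:00:00:0b", "00:00:0c:00:00:0c"
    hub, sw = Hub(port_vlan), VlanSwitch(port_vlan)
    seen = {}
    # On a hub, an accounting frame reaches the engineering ports too.
    seen["hub"] = sorted(hub.forward("Fa0/1", a, b))
    # First frame A -> B: B is not yet learned, so it floods VLAN 10 only.
    seen["unknown_unicast"] = sorted(sw.forward("Fa0/1", a, b))
    # B replies: A was learned on Fa0/1, so only Fa0/1 receives the reply.
    seen["reply"] = sorted(sw.forward("Fa0/2", b, a))
    # A -> B again: both learned, so the third accounting port sees nothing.
    seen["known_unicast"] = sorted(sw.forward("Fa0/1", a, b))
    # An engineering broadcast stays inside VLAN 20.
    seen["broadcast"] = sorted(sw.forward("Fa0/4", c, BROADCAST))
    # An engineering station addressing an accounting MAC: VLAN 20 has no
    # entry for B, so the frame floods VLAN 20 and never reaches B's port.
    seen["cross_vlan"] = sorted(sw.forward("Fa0/4", c, b))
    return seen


if __name__ == "__main__":
    for case, ports in demo().items():
        print(f"{case:16s} -> {ports}")
```

The unknown_unicast case is the one to note: until the switch has learned B's address, the third accounting port still receives A's frame, which is why the filtering described above is guaranteed only for known unicast traffic. Cross-VLAN delivery never happens at all; in the cross_vlan case the frame floods only the engineering ports and reaching B would require a router.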
Although these measures may seem like
overkill, in the corporate network they are crucial. Consider the data
transferred within the accounting department: salary
information, stock-option information, personal information, and other
sensitive material. It is very important to protect the
privacy of the users and the integrity of that data. As you can see,
VLANs greatly assist in this endeavor, although keep in mind that they limit
who can observe the traffic rather than protecting the traffic itself.