Switching Lanes
by Joel Snyder
Issue: Aug 2005
Plane Language

The terms "control plane" and "data plane" are commonly used in the world of networking, but may not be as familiar to infosecurity experts. Fundamentally, the signals that control the flows and behaviors of your network don't use the same path as the packets themselves. In all large networks, such as the public-switched telephone network, there is a distinction between the part of the network that moves the packets, or calls, and the part of the network that controls everything else. The data plane is where all the data is located, while the control plane is used to direct the operation, management and maintenance of the network. In some networks, a further distinction is made between the control plane, used for routing and call control, and a management plane, used for network management.

In the world of enterprise IP networks, it's unusual to break routing and data into separate paths because of the way IP routing works. However, it's common to separate network management into a completely separate path, possibly even using different cabling and topology. Anyone who has attempted to diagnose and repair a network where the routing has broken down will appreciate the benefits of separating control and data planes.

--JOEL SNYDER

A New Target
The real VLAN threats aren't from layer 2 (data link) attacks (see "Common VLAN Attacks," above), but from attacks on the control plane of the network. In effect, when a VLAN-capable switch is used as a security barrier, it becomes the "weak link" in your security infrastructure. Why would an attacker assail a hardened firewall appliance configured with security as its primary goal when he could attack a VLAN switch?

Switches aren't designed the same way as firewalls, and are likely to have more vulnerabilities and less security testing. Thus, as a class, they tend to fall to a dedicated attacker faster and with less effort than a firewall. Switches provide hackers with multiple avenues of attack. A network might have one or two firewalls between two security zones, but there may be dozens of VLAN-capable switches. And, it only takes one misconfigured device to open a hole between secure and insecure parts of your network.

A network may have one or two firewalls between security zones. But, there may be dozens or even hundreds of VLAN-capable switches crossing floors and buildings in your organization.

There's also a philosophical difference in most network teams. While firewalls are obviously seen as security barriers and treated with appropriate gravity, switches are often considered less important. Network teams aren't accustomed to treating each switch as if it were the most important firewall in the entire network--which is exactly what switches can become when you use them in a VLAN environment.
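The practical consequence of the two points above (a switch that carries VLANs from more than one security zone is, in effect, a firewall; and its management plane should not ride on a data VLAN) can be turned into an inventory check. The script below is an added example, not code from the article or from any vendor; every switch name, port name, VLAN id and zone label in it is constructed for illustration, and the inventory format is an assumption rather than any real export format. It lists which switches in a constructed inventory are acting as security barriers and flags management interfaces that are not on a dedicated management VLAN.

```python
"""Added example (not from the article): audit a constructed switch inventory to find
which VLAN-capable switches act as security barriers, i.e. carry VLANs from more than
one security zone, and whether each switch's management plane sits on a dedicated VLAN.
Device names, port names, VLAN ids and zone labels are all constructed."""

from dataclasses import dataclass, field

# Constructed zone map: VLAN id -> security zone (assumed, not from the article).
ZONES = {
    10: "internal",
    20: "internal",
    30: "dmz",
    40: "guest",
    99: "management",
}


@dataclass
class Port:
    name: str
    mode: str                                   # "access" or "trunk"
    vlans: set = field(default_factory=set)     # access: one VLAN; trunk: allowed VLANs


@dataclass
class Switch:
    name: str
    mgmt_vlan: int                              # VLAN carrying the management interface
    ports: list


def data_zones(switch):
    """Security zones present on this switch, derived from every VLAN on every port."""
    zones = set()
    for port in switch.ports:
        for vlan in port.vlans:
            zones.add(ZONES.get(vlan, f"unknown-{vlan}"))
    return zones


def is_security_barrier(switch):
    """True when VLANs from more than one data zone share the switch, so the switch
    itself is the only thing keeping those zones apart."""
    return len(data_zones(switch) - {"management"}) > 1


def management_plane_findings(switch):
    """Findings about the management plane: the management interface should live on
    the management VLAN, and no user-facing access port should be placed in it."""
    findings = []
    if ZONES.get(switch.mgmt_vlan) != "management":
        findings.append(
            f"{switch.name}: management interface on data VLAN {switch.mgmt_vlan}")
    for port in switch.ports:
        if port.mode == "access" and switch.mgmt_vlan in port.vlans:
            findings.append(
                f"{switch.name}: access port {port.name} in management VLAN {switch.mgmt_vlan}")
    return findings


def audit(inventory):
    """Return (names of switches acting as barriers, management-plane findings)."""
    barriers = [sw.name for sw in inventory if is_security_barrier(sw)]
    findings = [f for sw in inventory for f in management_plane_findings(sw)]
    return barriers, findings


# Constructed inventory: three switches with invented names, ports and VLANs.
INVENTORY = [
    Switch("core-1", 99, [
        Port("Gi1/1", "trunk", {10, 20, 30, 99}),
        Port("Gi1/2", "trunk", {10, 20, 99}),
    ]),
    Switch("floor-3", 99, [
        Port("Gi0/1", "trunk", {10, 20, 99}),
        Port("Gi0/5", "access", {10}),
    ]),
    Switch("lobby", 40, [
        Port("Gi0/1", "trunk", {30, 40}),
        Port("Gi0/2", "access", {40}),
    ]),
]

if __name__ == "__main__":
    barriers, findings = audit(INVENTORY)
    print("switches acting as security barriers:", barriers)
    for finding in findings:
        print("finding:", finding)
```

On the constructed inventory, "core-1" (internal plus dmz) and "lobby" (dmz plus guest) come out as barriers and deserve firewall-grade change control, while "floor-3" carries only internal VLANs. "lobby" also produces two management-plane findings because its management interface and a user access port both sit in the guest VLAN, which is exactly the data/management plane mixing the sidebar warns against.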
