Security Basics mailing list archives
RE: Different terms for the same or more secure?
From: "Dino Dogan" <ddogan () navisys com>
Date: Thu, 31 Aug 2006 16:34:39 -0400
Whatever dude, you can argue anything with facts and logic....lol ;-)

Dino Dogan
Network Engineer
NaviSys
499 Thornall Street
Edison, NJ 08837-2235
www.navisys.com
732.767.3828 PH
732.635.9576 FX

-----Original Message-----
From: Isaac Van Name [mailto:ivanname () southerlandsleep com]
Sent: Thursday, August 31, 2006 4:16 PM
To: Dino Dogan
Cc: security-basics () securityfocus com
Subject: RE: Different terms for the same or more secure?

You did good with the technical part, but your reference was flawed. That wasn't my statement. :-P If you look at the post, I was responding to a point brought up by Brian, which I must say I do not disagree with. Let the nitpicking continue...

Since we're nitpicking... yes, you are correct that the broadcast is only passed if configured to do so as unicast to another broadcast domain. But, then, who said the broadcast traffic is passed as broadcast traffic? :-) To further nitpick, isn't a single result of false enough to disprove a proof? Quote below:
Routers NEVER pass broadcast traffic (unless they are configured as a bridge of course, but that doesn't count).
We'll let that one go, though, because then we'd get into a discussion about layer 3 switches and all of that. Don't want to go there. :-) With this whole string of nitpicking, I'm left wondering if the original poster is even paying attention enough to formulate an answer to his questions. :-P

Isaac Van Name
Network Assistant / Programmer
Southerland, Inc.
ivanname () southerlandsleep com

-----Original Message-----
From: Dino Dogan [mailto:ddogan () navisys com]
Sent: Thursday, August 31, 2006 3:01 PM
To: Isaac Van Name; Brian Loe
Cc: security-basics () securityfocus com
Subject: RE: Different terms for the same or more secure?

My pet peeve. Quote From: Isaac Van Name

A broadcast does not traverse a router - unless it's told to pass them (DHCP over WAN links for instance).
Since we are nitpicking, that statement is incorrect. Routers NEVER pass broadcast traffic (unless they are configured as a bridge of course, but that doesn't count). They can be told to listen for broadcast on one interface and pass unicast on the other. Proof: on Cisco, when configuring the helper address, you must provide the IP address of DHCP, DNS etc. Also, drop a sniffer on your network, you'll see. BTW, this was my first "post". How did I do? lol

Dino Dogan
Network Engineer
NaviSys
499 Thornall Street
Edison, NJ 08837-2235
www.navisys.com
732.767.3828 PH
732.635.9576 FX

-----Original Message-----
From: Isaac Van Name [mailto:ivanname () southerlandsleep com]
Sent: Thursday, August 31, 2006 10:56 AM
To: Brian Loe
Cc: security-basics () securityfocus com
Subject: RE: Different terms for the same or more secure?
Importance: Low

Okay, you caught me... got my early morning rant of useless information out of the way. :-) Can't really dispute much of what was said, but I'll try anyways. B-)
I guess I meant a subnet created with a VLAN - an attempt to go along with the word choices of the original poster.
Of course. For the sake of clarity, I took it upon myself to nitpick. :-)
VLANs separate broadcast domains only. A broadcast does not traverse a router - unless it's told to pass them (DHCP over WAN links for instance). On a switch, each port is its own collision domain, unlike a hub.
You're right; a broadcast does not traverse a router unless explicitly told to do so. However, this statement alone does not necessarily mean that it is more accurate to say a VLAN separates broadcast domains. True, this is what you will find on any site defining a VLAN... and it is the literal definition. For the sake of understanding how a VLAN fits into the whole picture, though, I have to say it seems more accurate to say a VLAN "creates" a broadcast domain, which inherently separates itself from the broadcast domain that the switch lies on (just like a physical broadcast domain would). It's like saying that opening a new browser window separates your browser into two windows... true, but not quite how we'd think of it using generic human nature. But, of course... this is not saying anyone is wrong; this is simply arguing for the sake of an almost-inconsequential increase in accuracy. ...Nitpicking again. Oh, and you're right about the switch... I generalize an individual switch environment as a collision domain because I don't know a better way to refer to them. I'm sure someone will assist me with that dilemma.
It separates IP addresses like a subnet,
No, your subnetting (IP Addressing) scheme does that.
My turn to cater to the original poster. True, a VLAN does not subnet IP addresses because a broadcast domain doesn't, either. However, in most cases where a VLAN was used, I've seen it used just this way... to create separate "subnets" on a switch. To steal your phrase, "vlaned subnets". Not truly a subnet, but rather a broadcast domain containing a single subnet, in those cases.
Collision domains are a physical layer issue, I *believe*, and have nothing to do with upper layer protocols (like VLANs).
Probably so, but I wouldn't know. This falls back on my tendency to term a switch as a single collision domain. The point I was trying to raise is that a VLAN doesn't function as a switch would, but rather as a router would. Of course, there is always a counterargument for this as a router functions on a different layer than a VLAN, right?
Trunk lines allow the switch to pass multiple VLANs across the same port. If you define a VLAN to a switch you almost always have to have a trunk line connecting that switch to a router (unless you're in a chassis with an MSFC) since, in the Cisco world anyway, you always have vlan1 and you don't want to use it for your normal traffic.
Right. No argument here. :-) Well, I'm sure there will be a rebuttal on some of this; this, however, is what makes mailing lists interesting. Just to keep on the track of reaching a conclusion for the original poster, though, I'm obligated to ask: Hylton, what else is not clear?

Isaac Van Name

-----Original Message-----
From: Brian Loe [mailto:knobdy () gmail com]
Sent: Thursday, August 31, 2006 9:23 AM
To: Isaac Van Name
Cc: security-basics () securityfocus com
Subject: Re: Different terms for the same or more secure?

On 8/31/06, Isaac Van Name <ivanname () southerlandsleep com> wrote:
If it's physically subnetted then there's a router between the subnets. Logically separated subnets, I suppose, would be vlaned subnets (virtual being logical - not real/physical).

Right, router separates subnets because switches send packets out of a subnet into a router, and then out from there. Not really understanding the "vlaned subnets" phrase, though, considering the following excerpt...
I guess I meant a subnet created with a VLAN - an attempt to go along with the word choices of the original poster.
The only thing a VLAN does is break up broadcast domains. Subnets, on the other hand, are controlled and limited by your IP addressing scheme - and provide nothing; a router or other such device (firewall for instance) is what divides them up.

If a VLAN breaks up broadcast domains, then what is a vlaned subnet?
Not to be picky about phrasing, but "logically separated subnets" in this instance would be simply "vlaned LANs". But, then we get into the whole thing about exactly what a VLAN does... and, it seems to me, a VLAN does not break up broadcast domains. A router does that. A VLAN creates a broadcast domain on a switch that contains a collision domain... but the VLAN is not part of the collision domain. What separates a switch's collision domain and a VLAN's broadcast domain? About 3 hops. :-P Joking... VLANs are fascinating in that they defy normal networking logic to bring you an alternative that fits situations that defy (some) networking logic.
VLANs separate broadcast domains only. A broadcast does not traverse a router - unless it's told to pass them (DHCP over WAN links for instance). On a switch, each port is its own collision domain, unlike a hub.
It separates IP addresses like a subnet,
No, your subnetting (IP Addressing) scheme does that.
but isn't a collision domain.
Collision domains are a physical layer issue, I *believe*, and have nothing to do with upper layer protocols (like VLANs).
It contains its own broadcast domain, but is adjacent to a collision domain and doesn't have to get "routed" from a router to a switch to do so... because it's based off of the switch.
A VLAN uses a trunk line to have traffic directed to it as if it's a router.
Trunk lines allow the switch to pass multiple VLANs across the same port. If you define a VLAN to a switch you almost always have to have a trunk line connecting that switch to a router (unless you're in a chassis with an MSFC) since, in the Cisco world anyway, you always have vlan1 and you don't want to use it for your normal traffic.
I can't think anymore... I need coffee. If I misrepresented any particular piece of information, please feel free to correct me; I learn the same way everyone else does.
I hear ya...

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
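As an added illustration (not code from the list or from any participant), a small Python model of what the thread ends up agreeing on: a switch floods a broadcast only to ports in the ingress port's VLAN, and a router never forwards that broadcast as a broadcast, but with a Cisco-style helper address configured on the receiving interface it re-sends a DHCP discover as a unicast to the one configured server. Port names, addresses and the helper mapping are constructed values.

```python
# Toy model: VLAN = broadcast domain; router never forwards a broadcast;
# a helper address turns a DHCP broadcast into a unicast to one server.
# Constructed example, not vendor code; all names and addresses are made up.
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    payload: str          # e.g. "DHCPDISCOVER"

class Switch:
    """Access ports only; each port belongs to exactly one VLAN."""
    def __init__(self, port_vlan):
        self.port_vlan = port_vlan        # {"Gi0/1": 10, "Gi0/3": 20, ...}

    def flood(self, in_port, frame):
        """A broadcast reaches every port in the same VLAN except where it
        entered. Ports in other VLANs never see it: the VLAN bounds the domain."""
        if frame.dst_mac != BROADCAST:
            raise ValueError("flood() models broadcast frames only")
        vlan = self.port_vlan[in_port]
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)

class Router:
    """One routed interface per VLAN; helpers map VLAN -> DHCP server IP."""
    def __init__(self, iface_ip, helpers):
        self.iface_ip = iface_ip          # {10: "10.0.10.1", 20: "10.0.20.1"}
        self.helpers = helpers            # {10: "10.0.99.5"}

    def receive(self, vlan, frame):
        """Return (action, detail). A broadcast is never routed; a DHCP discover
        on an interface with a helper is re-sent as unicast, with giaddr set to
        that interface's IP so the server knows which subnet is asking."""
        if frame.dst_mac != BROADCAST:
            return ("route", frame.payload)
        if frame.payload == "DHCPDISCOVER" and vlan in self.helpers:
            return ("unicast", {"to": self.helpers[vlan], "giaddr": self.iface_ip[vlan]})
        return ("drop", None)

def dhcp_scenario():
    """Host on Gi0/1 (VLAN 10) sends DHCPDISCOVER; report what each device does."""
    sw = Switch({"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 20, "Gi0/24": 10})  # Gi0/24 = router
    rt = Router({10: "10.0.10.1", 20: "10.0.20.1"}, helpers={10: "10.0.99.5"})
    disc = Frame("00:11:22:33:44:55", BROADCAST, "DHCPDISCOVER")
    return {
        "flooded_to": sw.flood("Gi0/1", disc),      # VLAN 10 ports only, Gi0/3 excluded
        "with_helper": rt.receive(10, disc),        # relayed as unicast to 10.0.99.5
        "without_helper": rt.receive(20, disc),     # same discover on VLAN 20: dropped
    }
```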