Page 214

Port Isolation

The concept of port isolation is not new but has been revitalized and more commonly employed with the increasing density of virtualized systems in datacenters. Traditional port isolation focused on using software in a managed switch to isolate a port such that it could only communicate to the designated uplink. This port isolation, also commonly referred to as a Private VLAN or PVLAN, can be used to ensure that individual systems cannot interact with other resources even if logically on the same subnet. From a security standpoint this could severely limit the ability of an adversary to pivot or move laterally within an organization after successfully compromising a system.

Architecturally, implementing widespread traditional port isolation/PVLANs has proven cumbersome for many organizations. However, with heavily virtualized infrastructures, port isolation has found a resurgence. Port isolation can prove tremendously useful in multi-tenant environments to help ensure isolation amongst customers being serviced by the same hypervisor. Likewise, even in internal virtual infrastructures, there are often systems that have no need of direct access to one another but are fronted by the same hypervisor. Port isolation can help to ensure logical segmentation even within a single vswitch (virtual switch).
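The following is an added example, not part of the original text: a small model of PVLAN forwarding rules that shows which ports a host could reach before and after port isolation is applied, to make the lateral-movement point concrete. It assumes the standard PVLAN port roles (promiscuous for the uplink, isolated, and community, the last of which the page does not mention) and a constructed sample topology.

```python
"""Model of private-VLAN (PVLAN) forwarding on a switch or vswitch.

Added example, not from the original page. Assumed PVLAN semantics:
a 'promiscuous' port (the uplink/gateway) exchanges frames with every
port, an 'isolated' port only with promiscuous ports, and a 'community'
port with promiscuous ports and members of the same community.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    role: str            # "promiscuous", "isolated" or "community"
    community: str = ""  # community name, used only when role == "community"


def can_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame from src may be delivered to dst under PVLAN rules."""
    if src.name == dst.name:
        return False
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True
    if src.role == "community" and dst.role == "community":
        return src.community == dst.community
    # isolated <-> isolated and isolated <-> community are blocked
    return False


def reachable_from(src: Port, ports: list[Port]) -> set[str]:
    """Names of ports a host on src could contact directly at layer 2 with isolation on."""
    return {p.name for p in ports if can_forward(src, p)}


def flat_vlan_reachable(src: Port, ports: list[Port]) -> set[str]:
    """Same topology without isolation: every other port on the subnet is reachable."""
    return {p.name for p in ports if p.name != src.name}


# Constructed sample topology: one uplink plus four tenant VMs behind one vswitch.
PORTS = [
    Port("uplink", "promiscuous"),
    Port("vm-a", "isolated"),
    Port("vm-b", "isolated"),
    Port("web-1", "community", "web"),
    Port("web-2", "community", "web"),
]

if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.name:7} isolated={sorted(reachable_from(p, PORTS))} "
              f"flat={sorted(flat_vlan_reachable(p, PORTS))}")
```

A compromised host on an isolated port can reach only the uplink, whereas on a flat VLAN it could reach every neighbour.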

SPAN Ports

Since switches provide traffic isolation, a Network Intrusion Detection System (NIDS) connected to a 24-port switch will not see unicast traffic sent to and from other devices on the same switch. Configuring a Switched Port Analyzer (SPAN) port is one way to solve this problem, by mirroring traffic from multiple switch ports to one “SPAN port.” SPAN is a Cisco term; HP switches use the term “Mirror port.”

One drawback to using a switch SPAN port is port bandwidth overload. A 100-megabit, 24-port switch can mirror twenty-three 100-megabit streams of traffic to a 100-megabit SPAN port. The aggregate traffic could easily exceed 100 megabits, meaning the SPAN port (and connected NIDS) will miss traffic.

Network Taps

A network tap provides a way to “tap” into network traffic and see all traffic (including all unicast connections) on a network. Taps are the preferred way to provide promiscuous network access to a sniffer or Network Intrusion Detection System.

Taps can “fail open,” so that network traffic will continue to pass in the event of a tap failure. Taps also provide access to all traffic, including malformed Ethernet frames; a switch will often “clean” such traffic and not pass it. Finally, taps can be purchased with memory buffers, which cache traffic bursts.

Routers

Routers are Layer 3 devices that route traffic from one LAN to another. IP-based routers make routing decisions based on the source and destination IP addresses.

Note: In the real world, one chassis, such as a Cisco 6500, can be many devices at once: a router, a switch, a firewall, a NIDS, etc. The exam is likely to give more clear-cut examples: a dedicated firewall, a dedicated switch, etc. If the exam references a multifunction device, that will be made clear. Regardless, it is helpful on the exam to think of these devices as distinct concepts.