Figure 2.5: Two VLANs dividing a private LAN
Are parts of the network of Figure 2.5 worth protecting so as not to allow access by everybody? Every-
body on the network should be able to print using the printer. But should everybody be able to access
the printer itself. Such access allows hanging of the printers address. Change that and the printer is no
longer a resource available to everybody. The netwok interface of the printer is not even password pro-
tected. The NAS is the storage on the network. In contrast to the printer, it’s web interface is password
protected. However, if an unwarranted person was to access this device they might delete, overwrite,
or take a copy files which are important, personal, or secret. There is a case for protecting such devices
on this network.
The switch can provide protection to devices network connected to it.
2.6.1 Security designed to give specific devices access to given devices
The secturity/protection design aim for the network of Figure 2.5 was:
• PC 1 only was allowed access to the NAS, and
• PC 2 only was allowed access to the printer.
The specific hardware devices PC 1, PC 2, the NAS, and the printer. Although each device has a given
IP address, each such address could be changed resulting in the corresponding rule would no longer
operating. A more secure approach was to use the hardware address (MAC address) of each device.
The MAC addresses of the devices and port on the switch are given in Table 2.3, having been taken from
Table 1.2.
Table 2.3: Addresses needed to implement the required MAC address security
Port Device MAC address
g1 printer d0:bf:9c:bd:4b:4d
g2 NAS 28:c6:8e:d5:ed:08
g7 PC 2 00:3e:e1:c1:74:b3
g19 PC 1 c8:2a:14:56:3c:a2
2.6.2 Aspects common to each implementation alternative
Two alternate routes to implementing the security design were followed. There are, however, common
threads.
16
To Next Page
Loading...
