If you’re planning to take the Security+ exam, you should have a basic understanding of network design elements and components that includes configuring online virtual servers so that they can communicate with other virtual and physical systems on the network.
See if you can answer this sample Security+ question.
Q. Your company is planning on implementing a policy for users so that they can connect their mobile devices to the network. However, management wants to restrict network access for these devices. They should have Internet access and be able to access some internal servers, but management wants to ensure that they do not have access to the primary network where company-owned devices operate. Which of the following will BEST meet this goal?
A. WPA2 Enterprise
B. VPN
C. GPS
D. VLAN
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
VLAN
A virtual local area network (VLAN) uses a switch to group several different computers into a virtual network. You can group the computers together based on departments, job function, or any other administrative need. This provides security because you’re able to isolate the traffic between the computers in the VLAN.
Normally, a router would group different computers onto different subnets, based on physical locations. All the computers in a routed segment are located in the same physical location, such as on a specific floor or wing of a building.
However, a single switch can create multiple VLANs to separate the computers based on logical needs rather than physical location. Additionally, administrators can easily reconfigure the switch to add or subtract computers from any VLAN if the need arises.
For example, a group of users who normally work in separate departments may begin work on a project that requires them to be on the same subnet. You can configure a switch to logically group these workers together, even if the computers are physically located on different floors or different wings of the building. When the project is over, you can simply reconfigure the switch to return the network to its original configuration.
Similarly, you can use a single switch with multiple VLANs to separate users. For example, if you want to separate the traffic between the HR department and the IT department, you can use a single switch with two VLANs. The VLANs logically separate all the computers between the two different departments, even if the computers are located close to each other.
Remember this
You can create multiple VLANs with a single switch. A VLAN can logically group several different computers together, or logically separate computers, without regard to their physical location.
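To make the segmentation concrete, here is a small model (added for this post, not part of the original text or any vendor's switch software) of one switch with three constructed VLANs: corporate (10), BYOD (20) and servers (30). Hosts in the same VLAN are switched directly; traffic between VLANs only passes if an inter-VLAN ACL on the router allows it, which is exactly how the BYOD scenario in the sample question is enforced. All hostnames, port numbers and ACL entries are assumptions.

```python
# Added example: model of 802.1Q VLAN segmentation on a single switch plus a
# default-deny inter-VLAN ACL. VLAN IDs, hosts and rules are constructed.
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Maps each access port to a VLAN ID and each host to a port."""
    port_vlan: dict[int, int] = field(default_factory=dict)
    host_port: dict[str, int] = field(default_factory=dict)

    def assign(self, host: str, port: int, vlan: int) -> None:
        # Reconfiguring a port's VLAN moves the host without recabling.
        self.host_port[host] = port
        self.port_vlan[port] = vlan

    def vlan_of(self, host: str) -> int:
        return self.port_vlan[self.host_port[host]]

# Inter-VLAN ACL on the router (default deny). A destination may be a VLAN ID,
# a specific host, or "internet". Same-VLAN traffic never reaches the router.
ACL = {
    (20, "internet"): True,      # BYOD -> Internet
    (20, "intranet-srv"): True,  # BYOD -> one selected internal server only
    (10, 30): True,              # corporate -> all servers
    (10, "internet"): True,
}

def can_reach(sw: Switch, src: str, dst: str) -> bool:
    src_vlan = sw.vlan_of(src)
    if dst == "internet":
        return ACL.get((src_vlan, "internet"), False)
    dst_vlan = sw.vlan_of(dst)
    if src_vlan == dst_vlan:
        return True  # same broadcast domain: switched at layer 2
    # Host-specific rule first, then a VLAN-wide rule, else denied.
    return ACL.get((src_vlan, dst), False) or ACL.get((src_vlan, dst_vlan), False)

def build_demo() -> Switch:
    """Constructed topology matching the BYOD scenario in the question."""
    sw = Switch()
    sw.assign("hr-pc", port=1, vlan=10)
    sw.assign("it-pc", port=2, vlan=10)
    sw.assign("byod-phone", port=3, vlan=20)
    sw.assign("intranet-srv", port=4, vlan=30)
    sw.assign("finance-srv", port=5, vlan=30)
    return sw
```

Calling `can_reach(build_demo(), "byod-phone", "hr-pc")` returns False while `"byod-phone"` to `"intranet-srv"` or `"internet"` returns True; reassigning port 1 to VLAN 20 with `assign` immediately makes `hr-pc` reachable from the phone.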
Virtual Servers Communication
Organizations usually configure online virtual servers so that they can communicate with other virtual and physical systems on the network. They use virtual network interface cards (NICs), virtual switches, and virtual networks for connectivity. These are all contained within the physical host.
Both Microsoft and VMware support the use of virtual local area networks (VLANs) with virtual switches. Just as you can use VLANs to segment traffic on a physical network, you can also use VLANs to segment traffic on a virtual network.
However, it’s also possible to configure the virtual systems so that they are completely isolated. For example, you can isolate a virtual server so that it can’t communicate with any other virtual or physical systems. In this way, it works just like a single system without a NIC. You can also group several virtual servers in their own virtual network so that they can communicate with each other but are isolated from hosts on the physical network.
Many security professionals use virtual systems and virtual networks to test and investigate malware. Malware released in an isolated environment presents minimal risk to the hardware and host operating system. Unfortunately, some malware is able to detect that it is running in a virtual environment. In some cases, malware developers have written code to change the behavior of the malware when it discovers it is running in a virtual environment.
Remember this
Virtual local area networks (VLANs) separate or segment traffic on physical networks. You can also create VLANs using virtual switches within a virtual environment hosted on a physical server.
Q. Your company is planning on implementing a policy for users so that they can connect their mobile devices to the network. However, management wants to restrict network access for these devices. They should have Internet access and be able to access some internal servers, but management wants to ensure that they do not have access to the primary network where company-owned devices operate. Which of the following will BEST meet this goal?
A. WPA2 Enterprise
B. VPN
C. GPS
D. VLAN
Answer is D. A virtual local area network (VLAN) provides network segmentation and can prevent employee-owned devices from accessing the primary network.
WPA2 Enterprise provides strong security for the devices by ensuring they authenticate through an 802.1X server, but this doesn’t segment them on a separate network.
A virtual private network (VPN) allows remote employees to connect to a private network, but is unrelated to this question.
A global positioning system (GPS) is useful for locating lost devices but not segmenting network traffic.