Tuesday, February 17, 2009

More advanced networks

Simple switched Ethernet networks, while an improvement over hub-based Ethernet, suffer from a number of issues:

· They suffer from single points of failure. If any link fails, some devices will be unable to communicate with other devices, and if the failed link is in a central location, many users can be cut off from the resources they require.
· It is possible to trick switches or hosts into sending data to your machine even if it is not intended for it, as indicated above.
· Large amounts of broadcast traffic, whether malicious, accidental, or simply a side effect of network size, can flood slower links and/or systems.
· It is possible for any host to flood the network with broadcast traffic, forming a denial-of-service attack against any hosts that run at the same or a lower speed than the attacking device.
· As the network grows, normal broadcast traffic takes up an ever-greater share of the bandwidth.
· If switches are not multicast-aware, multicast traffic will end up treated like broadcast traffic, because it is directed at a MAC address with no associated port.
· If switches discover more MAC addresses than they can store (either through network size or through an attack), some addresses must inevitably be dropped, and traffic to those addresses will be treated the same way as traffic to unknown addresses, which is essentially the same as broadcast traffic (this issue is known as failopen).
· They suffer from bandwidth choke points where a lot of traffic is forced down a single link.

Some switches offer a variety of tools to combat these issues including:

· Spanning-tree protocol to maintain the active links of the network as a tree while allowing physical loops for redundancy.
· Various port protection features, as it is far more likely an attacker will be on an end system port than on a switch-switch link.
· VLANs to keep different classes of users separate while using the same physical infrastructure.
· Fast routing at higher levels to route between those VLANs.
· Link aggregation to add bandwidth to overloaded links and to provide some measure of redundancy, although the links won't protect against switch failure because they connect the same pair of switches.
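To make the failopen behaviour from the first list and the per-port protection from the second concrete, here is an added Python simulation (my own, not code from the original post): a toy learning switch with a bounded MAC table, with and without a per-port learning limit. The switch model, port numbers, table size and MAC addresses are all constructed for the example.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy learning switch with a bounded MAC table (a constructed model, not any vendor's)."""

    def __init__(self, ports, capacity, per_port_limit=None):
        self.ports = list(ports)
        self.capacity = capacity              # total MAC-table entries the switch can hold
        self.per_port_limit = per_port_limit  # max MACs learned per port (port-security style), or None
        self.table = OrderedDict()            # mac -> port, oldest entry first

    def _learn(self, mac, port):
        if mac in self.table:                 # refresh an existing entry
            self.table.move_to_end(mac)
            self.table[mac] = port
            return
        if self.per_port_limit is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.per_port_limit:
                return                        # port protection: refuse to learn more MACs on this port
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)    # table full: drop the oldest entry (one possible policy)
        self.table[mac] = port

    def forward(self, src, dst, in_port):
        """Learn src on in_port, then return the set of ports the frame is sent out of."""
        self._learn(src, in_port)
        if dst == BROADCAST or dst not in self.table:
            # broadcast, or destination unknown/dropped: flood to every other port (failopen)
            return {p for p in self.ports if p != in_port}
        out = self.table[dst]
        return set() if out == in_port else {out}


def failopen_scenario(per_port_limit=None, extra_macs=8):
    """Two hosts talk on ports 1 and 2; a host on port 3 then sources frames from many MACs."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=4, per_port_limit=per_port_limit)
    alice, bob = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed addresses
    sw.forward(alice, bob, 1)   # alice learned on port 1 (bob still unknown, so this floods)
    sw.forward(bob, alice, 2)   # bob learned on port 2; from here alice<->bob is unicast
    for i in range(extra_macs):  # port 3 presents more source MACs than the table can hold
        sw.forward(f"02:00:00:00:00:{i:02x}", alice, 3)
    # Where does a frame from alice to bob go now? {2} is healthy; {2, 3} means it leaked to port 3.
    return sw.forward(alice, bob, 1)
```

Without a per-port limit the entries for the two hosts are pushed out and their traffic is flooded to port 3; with `per_port_limit=1` the extra addresses are never learned and the frame stays on port 2.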
