Network tunneling generally refers to the practice of encapsulating traffic in unusual ways, different from the order described by standard layered models such as the OSI model. Often, network tunnels are developed by network engineers seeking to create more effective communications channels. As old equipment, software, and protocols become outdated or simply fail to meet organizational needs, network engineers must find creative ways to expand their functionality. In this section, we examine common tunnels used for legitimate purposes and discuss their effect on forensic investigations.
Trunking VLANs over a WAN is one of the simplest and most common examples of tunneling that forensic analysts encounter. Often, network engineers would like to partition the network traffic for various groups of users without having to create multiple physical networks for each of them. They accomplish this on a LAN by deploying “smart switches” that support the 802.1Q protocol and can be programmed to aggregate the appropriate stations into the desired VLAN. “Trunking” is a general term used in telecommunications to describe the case when circuits or cables are aggregated for transport from one point to another.
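For an analyst working from a capture taken on a trunk, the 802.1Q tag both identifies the VLAN a frame belonged to and shifts the payload four bytes further into the frame. The following Python example is added here and is not code from the book; it parses the tag and tallies frames per VLAN. The function names and the sample frames are constructed for illustration, and only the standard 802.1Q TPID 0x8100 is handled.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag

def parse_vlan_tags(frame: bytes) -> dict:
    """Return the 802.1Q tags, payload EtherType and payload offset of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []          # EtherType/TPID follows the two MAC addresses
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q:  # loop also covers stacked 0x8100 tags
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                 # each tag pushes the payload 4 bytes deeper
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "vlan_tags": tags,
        "ethertype": ethertype,
        "payload_offset": offset + 2,
    }

def vlans_seen(frames) -> Counter:
    """Count frames per outer VLAN ID; None means the frame was untagged."""
    counts = Counter()
    for frame in frames:
        tags = parse_vlan_tags(frame)["vlan_tags"]
        counts[tags[0]["vid"] if tags else None] += 1
    return counts

def make_frame(vid=None, pcp=0) -> bytes:
    """Build a constructed test frame: broadcast dst, made-up src, IPv4 payload."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return macs + tag + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)

# Constructed sample: one untagged frame, two on VLAN 10, one on VLAN 20.
SAMPLE_FRAMES = [make_frame(), make_frame(10), make_frame(10), make_frame(20, pcp=5)]

if __name__ == "__main__":
    for vid, n in vlans_seen(SAMPLE_FRAMES).items():
        print("untagged" if vid is None else f"VLAN {vid}", n)
```

A tool that assumes the payload always starts at byte 14 will misread every tagged frame, so use `payload_offset` when handing the remainder to a higher-layer parser.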