When it comes to securing internal networks,
one area that organizations often overlook is switch security. Most
companies tend to focus on their borders and end users, forgetting
the devices that connect the two.
Ensuring switch security in your organization
basically comes down to two steps: Defining what users can see, and
defining what they can connect.
What you see
Every business-grade switch allows you to
define virtual local area networks (VLANs). Organizations typically
implement VLANs for the following reasons:
Broadcasts: A VLAN doesn't
pass broadcast traffic to nodes that aren't part of the VLAN.
Performance: A VLAN can
reduce the number of router hops and extend your local topology
between user workstations and resource servers, increasing the
apparent bandwidth for network users.
Departments: A VLAN can
segment departments that use bandwidth-intense applications. You
can also dedicate a VLAN to specific types of job roles (e.g.,
executives, kiosk workstations, etc.).
Security: A VLAN allows
organizations to separate sensitive clusters of systems from the
rest of the network, decreasing the likelihood that users will gain
access to information on these clients and servers.
What you connect
Port security is also available on every
business-class switch. Some switches allow very in-depth settings;
others just provide some of the basics. Here's a look at some of
Locking: This involves tying a Media Access Control (MAC)
address of one or more connected devices to a physical port on a
switch. If you lock a switch port to a particular MAC address, you
don't have to worry about superusers or internal black hats
creating backdoors into your network with rogue access points.
Lockout: This disables a specified MAC address from ever
connecting to a switch.
Learning: Using knowledge about each switch port's direct
connections, the switch can set security based on current
Configuration: Limit remote configuration to specific IP
addresses, and use SSH instead of Telnet. Telnet passes usernames and
passwords in clear text, potentially allowing everyone on the LAN
segment to see login credentials.
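The locking, lockout and learning behaviours listed above can be hard to picture until you see the decision a switch makes for each incoming frame. The following model is an added illustration, not code from the article or any switch vendor: class and method names (SecuredSwitch, Port, frame) are hypothetical, and the semantics assumed are the common ones of a statically locked address list, a global blocked-MAC list, sticky learning up to a per-port maximum, and an err-disable action on violation. The MAC addresses are constructed sample values.

```python
"""Model of switch port-security decisions: locking, lockout and learning.

Added illustration (not from the article or any vendor). Assumes the usual
semantics: statically locked MACs, a switch-wide lockout list, sticky
learning up to a per-port maximum, and shutting the port on violation.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    max_macs: int = 1                              # addresses the port may carry
    locked: set = field(default_factory=set)       # statically locked by the admin
    learned: set = field(default_factory=set)      # sticky-learned on first use
    shutdown: bool = False                         # err-disabled after a violation


class SecuredSwitch:
    def __init__(self, lockout=()):
        self.lockout = {m.lower() for m in lockout}  # MACs barred from every port
        self.ports = {}
        self.log = []                                # one line per security event

    def add_port(self, name, max_macs=1, locked=()):
        self.ports[name] = Port(name, max_macs, {m.lower() for m in locked})

    def frame(self, port_name, src_mac):
        """Decide whether a frame with src_mac may enter port_name.

        Returns 'forward' or 'drop' and records a log line for every
        security-relevant decision so an operator can see why a host lost
        connectivity.
        """
        port = self.ports[port_name]
        mac = src_mac.lower()
        if port.shutdown:
            self.log.append(f"{port.name}: err-disabled, dropped {mac}")
            return "drop"
        if mac in self.lockout:                      # lockout: never allowed anywhere
            self.log.append(f"{port.name}: lockout MAC {mac}")
            return "drop"
        allowed = port.locked | port.learned
        if mac in allowed:                           # locked or already learned
            return "forward"
        if len(allowed) < port.max_macs:             # learning: remember first users
            port.learned.add(mac)
            self.log.append(f"{port.name}: learned {mac}")
            return "forward"
        # violation: a new address on a port that already holds its maximum,
        # the signature of a rogue access point or hub plugged in behind a PC
        port.shutdown = True
        self.log.append(f"{port.name}: VIOLATION by {mac}, port shut down")
        return "drop"


if __name__ == "__main__":
    sw = SecuredSwitch(lockout={"de:ad:be:ef:00:01"})       # constructed values
    sw.add_port("Gi0/1", max_macs=1, locked={"00:11:22:33:44:55"})
    sw.add_port("Gi0/2", max_macs=2)                         # help-desk style port
    for port, mac in [("Gi0/1", "00:11:22:33:44:55"),
                      ("Gi0/1", "00:11:22:33:44:66"),
                      ("Gi0/2", "aa:bb:cc:dd:ee:01"),
                      ("Gi0/2", "aa:bb:cc:dd:ee:02"),
                      ("Gi0/2", "aa:bb:cc:dd:ee:03"),
                      ("Gi0/2", "DE:AD:BE:EF:00:01")]:
        print(port, mac, "->", sw.frame(port, mac))
    print("\n".join(sw.log))
```

The log is the part worth keeping in a real deployment: a port that goes err-disabled with a "VIOLATION" entry is exactly the event to alert on, since it is what an unauthorized access point or extra host looks like from the switch's point of view.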
Switch security does involve challenges,
particularly when it comes to setting up and deploying new
workstations in your help desk area. This is definitely an issue
you should consider when implementing a switch security policy.
Network administrators who balk at port
security because it's labor-intensive and requires constant
management should consider this: Port security stops people from
attaching wireless access points and bypassing your site security.
That alone should be a good enough reason to implement switch
security on your network today.
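A switch security policy is only as good as the configurations actually running on the switches, so a useful first step is to audit the running-config for the controls the article lists: port security on access ports, SSH-only management, and management restricted to specific addresses. The script below is an added example, not the article's or any vendor's tool. It assumes Cisco IOS-style command syntax (switchport port-security, transport input, access-class) and runs over a constructed sample config embedded in the file; the interface names, VLAN numbers and ACL name are made up.

```python
"""Audit an IOS-style running-config for the article's switch controls.

Added example, not from the article or any vendor. Assumes Cisco IOS-style
syntax; the config below is constructed for illustration.
"""

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
line vty 5 15
 transport input telnet ssh
!
"""


def blocks(config):
    """Split a config into (header, [child lines]) sections.

    A section starts at a non-indented line and ends at '!' or at the
    next non-indented line; child commands are the indented lines.
    """
    sections, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            if header:
                sections.append((header, body))
                header, body = None, []
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header:
                sections.append((header, body))
            header, body = line.strip(), []
    if header:
        sections.append((header, body))
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for header, body in blocks(config):
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            is_access = "switchport mode access" in body
            has_port_security = "switchport port-security" in body
            if is_access and not has_port_security:
                findings.append(f"{name}: access port without port-security "
                                "(MAC locking/learning not enforced)")
        elif header.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            # Conservative rule: no explicit transport line counts as unrestricted.
            if not transport or any("telnet" in l or l.endswith(" all")
                                    for l in transport):
                findings.append(f"{header}: allows Telnet (clear-text credentials); "
                                "use 'transport input ssh'")
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{header}: no access-class; remote configuration "
                                "is not limited to management addresses")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample config the audit reports GigabitEthernet0/2 (an access port with no port security) and the second vty range (Telnet still enabled and no access-class), while the trunk port is left alone because the MAC-locking checks only make sense on user-facing access ports. Pointing the same function at configs pulled from every switch gives a quick inventory of where the policy is not yet applied.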