Implement switch security on your network

Switch security involves challenges. Take a look at how you can ensure switch security in your organization.

When it comes to securing internal networks, one area that organizations often overlook is switch security. Most companies tend to focus on their borders and end users, forgetting the devices that connect the two.

Ensuring switch security in your organization basically comes down to two steps: Defining what users can see, and defining what they can connect.

What you see

Every business-grade switch allows you to define virtual local area networks (VLANs). Organizations typically implement VLANs for the following reasons:

  • Broadcasts: A VLAN doesn't pass broadcast traffic to nodes that aren't part of the VLAN.
  • Performance: A VLAN can reduce the number of router hops and extend your local topology between user workstations and resource servers, increasing the apparent bandwidth for network users.
  • Departments: A VLAN can segment departments that use bandwidth-intense applications. You can also dedicate a VLAN to specific types of job roles (e.g., executives, kiosk workstations, etc.).
  • Security: A VLAN allows organizations to separate sensitive clusters of systems from the rest of the network, decreasing the likelihood that users will gain access to information on these clients and servers.

What you connect

Port security is also available on every business-class switch. Some switches allow very in-depth settings; others just provide some of the basics. Here's a look at some of your options:

  • MAC Locking: This involves tying a Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If you lock a switch port to a particular MAC address, you don't have to worry about superusers or internal black hats creating backdoors into your network with rogue access points.
  • MAC Lockout: This disables a specified MAC address from ever connecting to a switch.
  • MAC Learning: Using knowledge about each switch port's direct connections, the switch can set security based on current connections.
  • Remote Configuration: Limit remote configuration to specific IP addresses, using SSH instead of Telnet. Telnet passes usernames and passwords in clear text, potentially allowing everyone on the LAN segment to see login credentials.

Final thoughts

Switch security does involve challenges, particularly when it comes to setting up and deploying new workstations in your help desk area. This is definitely an issue you should consider when implementing a switch security policy.

Network administrators who balk at port security because it's labor-intensive and requires constant management should consider this: Port security stops people from attaching wireless access points and bypassing your site security. That alone should be a good enough reason to implement switch security on your network today.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Editor's Picks

Free Newsletters, In your Inbox