Implement switch security on your network

By debate
Has your organization implemented switch security on its network? If not, are you planning to? If so, which features have worked best for your environment? What security features would you like to see on a switch? Share your comments about implementing switch security in your organization, as discussed in the Dec. 3 Security Solutions newsletter.


Good article except the MAC bit

by the_integrator In reply to Implement switch security ...

Anyone relying on MAC addresses for security needs to understand that this is useless. A second network card in the PC and it becomes a router; MAC addresses can be spoofed just as easily as IP addresses, and it really adds support overhead for no tangible benefit.


Still finding perfect solution

by sandesh.govalkar In reply to Good article except the M ...

I am still looking for the solution. I am looking out for a LAN security solution whereby anyone connecting to the switch port should get authenticated first or after the domain authentication. Users/visitors can log in locally to the PC/laptop and have access to the server, other PCs, printers, and switches through the IP. How can I stop them? We use high-end manageable switches but still can't have perfect security. I am thinking of using RADIUS for the port-level authentication.


but still...

by cgrau In reply to Good article except the M ...

I liked the article.

Switch security is an afterthought many times. The article brings attention back to this point.

I agree with your comments about MAC addresses, but the article mentions two other methods for switch security.


MAC address not useless

by Mike Mullins In reply to Good article except the M ...

This tip is not a cure-all fix; it's meant to be implemented as part of your total security policy. No one flip of a switch is going to secure your network.

If someone is aggressive enough to implement port security, their workstations are locked down and a user couldn't install a second NIC.

You can't stop someone from changing the MAC address of a personal machine and connecting it to the network. But when you catch someone doing this, they've gone way beyond a warning and you can fire them immediately for taking extraordinary steps to bypass security.

As for the support overhead, I agree it's a pain to set up. But maintaining it is just another price of adding an additional layer of security to your network.
