Secure Access Switches
How to Choose the Best Strategy to Secure LAN Access


Page 1 of 3   next page »

Security is a hot topic at the moment: as new threats are identified and news about viruses, worms, bots, and unauthorized access abounds, a multitude of new security technologies continues to be introduced to the market.
   
The widest variety of strategies is found in securing access to a corporate LAN. All of them, however, aim at proactively preventing unauthorized access and at providing at least some ability to react once an incident occurs.
   
In general, the market can be divided into several segments, depending on the type of implementation: appliance-based solutions, server-based solutions, and switch-based solutions.

Due to performance, network design, redundancy, and scaling problems, appliance-based solutions only make sense in small, simple, and homogeneous network infrastructures. Because such appliances must be positioned close to the security perimeter, costs escalate relatively quickly as the network grows, and the investment and operating costs mean that the number of devices in an infrastructure should, as a general rule, be kept low.
  
For these reasons, server-based or switch-based solutions are better suited to larger network infrastructures. Server-based solutions can be disadvantageous since they tend to support heterogeneous end-system infrastructures poorly and offer very limited enforcement: it is typically implemented via DHCP-based address assignment or CLI-driven switch reconfiguration, both of which are relatively easy to circumvent (a statically configured IP address, for example, bypasses any DHCP-based control entirely). The trend is to integrate these solutions with switch-based solutions.

Most of the change in a network happens at the edge, where end devices are added and moved. In this particular area of network growth a switch-based solution proves to be much better suited than those mentioned above because:

•    It scales with network growth as needed.
•    There is no need to buy and operate separate devices.
•    The security function is available directly at the security perimeter – the access port.
•    Depending on the implementation, a heterogeneous end-device population can be supported very well, and the solution can be operated with or without a client on the end-system.

The Decision-Making Process

To select the best-suited switch series – for both wired and wireless networks – it is necessary to consider a manufacturer's entire security architecture. For example, does it offer a solution to all of the demands mentioned above? In making this determination, one must look at the functional modules of a secure switch infrastructure and analyze each implementation in detail. The four most important functional modules IT staff should keep in mind are:

1. Authentication and policy management
2. Proactive quarantine options
3. Intrusion detection
4. Reactive quarantine options

In addition to this step, there are the traditional decision-making criteria: general, secure manageability (SNMPv3, SSL, SSHv2) and integration into a network management system (not only for monitoring); resilience against DoS (Denial of Service) attacks and the switch's ability to keep operating under load; flexibility in the connectivity options (10/100, 10/100/1000 Ethernet, 100FX, 10GBASE-X, etc.); standards compliance; open interfaces; service; and investment costs. Port densities and raw performance, however, should have less of a focus. What good is the fastest network if all the connected systems are infected with a worm and cannot operate?

Authentication & Policy Management

The ability to authenticate several users or devices at a single port simultaneously and assign them different policies is an important issue. Having this ability is a decisive factor, especially in Voice over IP (VoIP) environments where a PC is connected behind an IP phone, as well as in migrations, where not all access switches can be exchanged simultaneously. The same is true for fibre-to-the-office installations: the mini-switches in the cable duct (or similar devices) that convert from fibre to copper cannot authenticate the attached end-systems – at least not without considerable financial and administrative effort – so the upstream access port must authenticate several devices at once. It is also important to remember that the access switch must support different authentication methods directly at every port. Examples include:

•    802.1X for corporate PCs and laptops, as well as future IP phones
•    MAC address for printers, IP phones, and other machines on the network (security cameras, production controls, sensors, etc.)
•    Web portal for guests, consultants, service technicians
•    Automatic detection of end-systems based on the traffic structure
•    Default settings, e.g., for TFTP/BOOTP to boot diskless stations or to activate the Wake on LAN function

Ideally, a switch should support all methods simultaneously on every port, so as not to increase administration effort unnecessarily. If it does not, every move will require the port's authentication method to be reconfigured.

If several users/devices authenticate at a port simultaneously, it follows that the port must also apply different policies depending on the user and the device. The PC, for example, must be assigned different rules than the IP phone at the same port; a guest must be assigned different rules than a company employee; and so on.

All of these authentication methods should be backed by any standard RADIUS server, regardless of which method is used at the port. Please see Figure 1.


Figure 1
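The following is an added illustration, not code from the article or from any Enterasys product: a minimal model of the per-port behaviour the section asks for. Several end-systems share one access port; each is authenticated by the first method that applies (802.1X, MAC address, web portal, traffic-based detection, or the default policy) and receives its own policy from a RADIUS-style backend, so a frame is enforced under the policy of its own session only. The class and function names, the MAC addresses, and the policy database are constructed for this example; the RADIUS attribute names used in the comments (Tunnel-Private-Group-Id, Filter-Id) are the standard ones from RFC 3580.

```python
"""Multi-method, multi-session authentication on one access port (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """What the RADIUS server hands back per session (RFC 3580 attributes)."""
    vlan: int          # Tunnel-Private-Group-Id
    filter_id: str     # Filter-Id: name of an ACL/role known to the switch


@dataclass
class EndSystem:
    mac: str
    dot1x_identity: Optional[str] = None   # present only if a supplicant answered EAP
    web_user: Optional[str] = None         # present only after a portal login
    traffic_hint: Optional[str] = None     # protocol learned from the first frames


@dataclass
class Session:
    mac: str
    method: str
    policy: Policy


# --- constructed RADIUS-side databases (one server serves every method) ---
RADIUS_DOT1X = {"alice@corp.example": Policy(vlan=10, filter_id="corp-pc")}
RADIUS_MAC = {
    "00:11:22:33:44:55": Policy(vlan=20, filter_id="voice"),     # IP phone
    "00:aa:bb:cc:dd:ee": Policy(vlan=30, filter_id="printer"),
}
RADIUS_WEB = {"guest42": Policy(vlan=99, filter_id="guest-internet-only")}
TRAFFIC_PROFILES = {"sip": Policy(vlan=20, filter_id="voice")}
# Default policy for anything unknown: only what a diskless boot or WoL needs.
DEFAULT_POLICY = Policy(vlan=666, filter_id="boot-only")


def radius_lookup(db: Dict[str, Policy], key: Optional[str]) -> Optional[Policy]:
    """Stand-in for an Access-Request/Access-Accept round trip."""
    return db.get(key) if key is not None else None


class MultiAuthPort:
    """One physical port holding an independent session per source MAC."""

    def __init__(self, name: str, max_sessions: int = 8) -> None:
        self.name = name
        self.max_sessions = max_sessions
        self.sessions: Dict[str, Session] = {}

    def authenticate(self, es: EndSystem) -> Session:
        """Try the methods in order of strength; all are live on the same port."""
        mac = es.mac.lower()
        if mac not in self.sessions and len(self.sessions) >= self.max_sessions:
            raise RuntimeError(f"{self.name}: session limit reached")
        attempts: List[Tuple[str, Callable[[], Optional[Policy]]]] = [
            ("802.1X", lambda: radius_lookup(RADIUS_DOT1X, es.dot1x_identity)),
            ("mac-auth", lambda: radius_lookup(RADIUS_MAC, mac)),
            ("web-portal", lambda: radius_lookup(RADIUS_WEB, es.web_user)),
            ("traffic-detect", lambda: TRAFFIC_PROFILES.get(es.traffic_hint or "")),
        ]
        for method, attempt in attempts:
            policy = attempt()
            if policy is not None:
                break
        else:
            method, policy = "default", DEFAULT_POLICY
        session = Session(mac, method, policy)
        self.sessions[mac] = session
        return session

    def policy_for_frame(self, src_mac: str) -> Policy:
        """Enforcement: each frame is handled under its own session's policy."""
        session = self.sessions.get(src_mac.lower())
        return session.policy if session else DEFAULT_POLICY


def demo_port() -> MultiAuthPort:
    """PC behind an IP phone, a guest and an unknown box on one port."""
    port = MultiAuthPort("ge.1.1")
    port.authenticate(EndSystem(mac="00:11:22:33:44:55"))                       # phone
    port.authenticate(EndSystem(mac="00:11:22:33:44:66",
                                dot1x_identity="alice@corp.example"))         # PC
    port.authenticate(EndSystem(mac="00:11:22:33:44:77", web_user="guest42"))   # guest
    port.authenticate(EndSystem(mac="de:ad:be:ef:00:01"))                       # unknown
    return port


if __name__ == "__main__":
    for s in demo_port().sessions.values():
        print(f"{s.mac}  {s.method:14s} vlan={s.policy.vlan} filter={s.policy.filter_id}")
```

The ordering inside `authenticate` is the point of the model: a device that can speak 802.1X is never downgraded to MAC authentication, a device that cannot (phone, printer) still gets its own policy, and a MAC that has not authenticated at all is confined to the boot-only default rather than inheriting the policy of whatever else is plugged into the same port.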






About Markus Nispel
Markus Nispel is director of technology marketing and business development at Enterasys Networks. He serves as an advisor for worldwide development in the office of the CTO.
