ExtremeSwitching (Other)

  • 1.  How to secure uplink ports

    Posted 02-25-2014 13:38
    Dear community,

    I have a current challenge in securing the uplinks. My D2 is connected to an uplink B5. The B5 port is configured with an untagged VLAN. An attacker may disconnect the D2 and get full network access because no policy is enforced (policies are enforced on the D2).

    I have NAC implemented in the network, but not on the Uplink ports.

    Is there a possibility to recognize the D2? And if no ETS switch is recognized, block the port?

    From the NAC perspective I don't see any chance to solve this problem.

    #########################
    # Uplink            | x #-----+
    # B5                | x #     |
    #########################     |
                                  |
                                  |
                                  |
    #############                 |
    # | x       #                 |
    # | x  D2   #-----------------+
    #############

    Hope you can help me out.

    Best Regards,
    Michael



  • 2.  RE: How to secure uplink ports

    Posted 02-25-2014 14:40
    Hi Michael,

    General uplink ports will not have policies or authentication enabled since the ports are not access ports.

    Can you describe in more detail what you mean by “Is there a possibility to recognize the D2? And if no ETS Switch is recognized block the port?”

    Scott Keene

    GTAC Support



  • 3.  RE: How to secure uplink ports

    Posted 02-25-2014 14:42
    Please set up tagging for all VLANs, and this will prevent a PC (unless it has a tagged NIC) from connecting.
    Jason


  • 4.  RE: How to secure uplink ports

    Posted 02-26-2014 07:42
    Hi and thanks for the real quick reply.

    @Jason: That was my first action item, too. But tagging the packets is no big deal.

    @Scott: I mean it could be possible to detect an ETS switch and force the uplink port to allow only an (ETS) switch and no other client. Even if this would be no "real" authentication, it would be harder to spoof than tagging packets.

    The best would be to realize point-to-point authentication. Could IEEE 802.1AE help out here? Are there any plans to implement p2p authentication?

    Best Regards,
    Michael
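    As an added example (not from Michael's post and not Extreme's code): one way a switch or a monitoring host on the B5 side could "recognize" the D2 is to compare the LLDP advertisement it receives on the uplink port with a pinned neighbor identity (chassis MAC, port name, system name). LLDP is my assumption for the discovery mechanism; the chassis MAC, the port name "ge.1.24" and the system name "D2-floor1" are made up, and the frames are constructed in the code rather than captured. The last function also shows why this is weaker than real authentication, as Michael says: a host that replays the D2's LLDP fields passes the check.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")  # nearest-bridge LLDP multicast address

# LLDP TLV types used here (IEEE 802.1AB)
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value bytes."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, sys_name, ttl=120):
    """Build an Ethernet frame carrying an LLDPDU (constructed sample, not a capture)."""
    lldpdu = (
        tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)        # subtype 4 = MAC address
        + tlv(TLV_PORT_ID, b"\x05" + port_name.encode())   # subtype 5 = interface name
        + tlv(TLV_TTL, struct.pack("!H", ttl))
        + tlv(TLV_SYSTEM_NAME, sys_name.encode())
        + tlv(TLV_END, b"")
    )
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def parse_lldp_frame(frame):
    """Return the neighbor fields we care about, or None if this is not a valid LLDP frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        return None
    info = {"src_mac": frame[6:12]}
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            return None  # truncated TLV: reject the whole frame
        off += 2 + length
        if tlv_type == TLV_END:
            break
        if tlv_type == TLV_CHASSIS_ID and value and value[0] == 4:
            info["chassis_mac"] = value[1:]
        elif tlv_type == TLV_PORT_ID and value and value[0] == 5:
            info["port_name"] = value[1:].decode(errors="replace")
        elif tlv_type == TLV_TTL and len(value) >= 2:
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            info["sys_name"] = value.decode(errors="replace")
    return info


def neighbor_is_expected(frame, expected):
    """True only if every pinned field (chassis MAC, port, name) matches the advertisement."""
    info = parse_lldp_frame(frame)
    if info is None:
        return False
    return all(info.get(key) == val for key, val in expected.items())


# Constructed sample data (hypothetical identities, not from any real switch)
D2_MAC = bytes.fromhex("001f45aabbcc")
EXPECTED_D2 = {"chassis_mac": D2_MAC, "port_name": "ge.1.24", "sys_name": "D2-floor1"}

# What the real D2 would send on its uplink
FRAME_FROM_D2 = build_lldp_frame(D2_MAC, D2_MAC, "ge.1.24", "D2-floor1")

# A laptop plugged into the B5 port in place of the D2
LAPTOP_MAC = bytes.fromhex("00e04c112233")
FRAME_FROM_LAPTOP = build_lldp_frame(LAPTOP_MAC, LAPTOP_MAC, "eth0", "laptop")

# The same laptop replaying the D2's advertised fields: this is why LLDP is not authentication
FRAME_SPOOFED = build_lldp_frame(LAPTOP_MAC, D2_MAC, "ge.1.24", "D2-floor1")

if __name__ == "__main__":
    for name, frame in [("D2", FRAME_FROM_D2), ("laptop", FRAME_FROM_LAPTOP), ("spoofed", FRAME_SPOOFED)]:
        print(name, "->", "allow" if neighbor_is_expected(frame, EXPECTED_D2) else "block")
```

    The check blocks a plain laptop but accepts the spoofed frame, because nothing in an LLDPDU is bound to a secret; only a keyed scheme on the link itself (802.1AE/MACsec keyed via MKA, or an 802.1X exchange between the two switches) would make the neighbor identity hard to forge.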


  • 5.  RE: How to secure uplink ports

    Posted 02-26-2014 14:22
    You could perhaps mark all traffic with a particular CoS, and then drop all traffic on the B5 port that doesn't match that CoS. Again, the attacker could circumvent this if they knew about it.

    The B5 only supports 4 users per port, so you couldn't just do authentication on this, given the D2 has 12 ports. You almost want an 802.1x supplicant on the switch talking on the uplink port, but I don't think anything like that exists.