topic How to secure uplink ports in ExtremeSwitching (Other)

How to secure uplink ports

Michael_Kirchne — Tue, 25 Feb 2014 21:38:00 GMT

Dear community,

I have a current challange in securing the uplinks. My D2 is connected to a Uplink B5. The B5 port is configured with a untagged vlan. An attacker may disconnect the D2 and gets full network access because no policy is enforced (Policies are enforced on the D2).

I have NAC implemented in the network, but not on the Uplink ports.

Is there a possibility to recognize the D2? And if no ETS Switch is recognized block the port?

From the NAC perspective I don't see any chance to solve this problem.

#########################
# Uplink| x#-----
# B5 |x# |
######################### |
|
|
|
#############
#x| #
#x| D2 #
#############

Hope you can help me out.

Best Regards,
Michael

RE: How to secure uplink ports

Scott_Keene — Tue, 25 Feb 2014 22:40:00 GMT

Hi Michael,

General uplink ports will not have policies or authentication enabled since the ports are not access ports.

Can you describe in more detail what you mean by “Is there a possibility to recognize the D2? And if no ETS Switch is recognized block the port?”

Scott Keene

GTAC Support

RE: How to secure uplink ports

Jason_Parker — Tue, 25 Feb 2014 22:42:00 GMT

Please set up tagging for all VLAN's and this will prevent a PC(unless they have a tagged NIC) from connecting
Jason

RE: How to secure uplink ports

Michael_Kirchne — Wed, 26 Feb 2014 15:42:00 GMT

Hi and thanks for the real quick reply.

@Jason: That was my first Action Item, too. But tagging the packets is no big deal.

@Scott: I mean it could be possible to detect a ETS Switch and force the uplink port to allow only a (ETS) switch and no other client. Even if this would be no "real" authentication it would be harder to spoof than tagging packets.

The best would be to realize point-to-point Authentication. Could IEEE 802.AE help here out? Are there any plans for implement p2p Authentication?

Best Regards,
Michael