How to secure uplink ports
02-25-2014 01:38 PM
Dear community,
I have a current challenge in securing the uplinks. My D2 is connected to an uplink on a B5. The B5 port is configured with an untagged VLAN. An attacker may disconnect the D2 and get full network access because no policy is enforced there (policies are enforced on the D2).
I have NAC implemented in the network, but not on the uplink ports.
Is there a possibility to recognize the D2? And if no ETS switch is recognized, block the port?
From the NAC perspective I don't see any chance to solve this problem.
#########################
# Uplink            | x #-----
# B5                |x  #    |
#########################    |
                             |
                             |
                             |
                      #############
                      #x|         #
                      #x|   D2    #
                      #############
Hope you can help me out.
Best Regards,
Michael
3 REPLIES 3
02-26-2014 07:42 AM
Hi and thanks for the real quick reply.
@Jason: That was my first action item, too. But tagging the packets is no big deal.
@Scott: I mean it could be possible to detect an ETS switch and force the uplink port to allow only an (ETS) switch and no other client. Even if this would be no "real" authentication, it would be harder to spoof than tagging packets.
The best would be to realize point-to-point authentication. Could IEEE 802.AE help out here? Are there any plans to implement p2p authentication?
Best Regards,
Michael
02-25-2014 02:42 PM
Please set up tagging for all VLANs; this will prevent a PC (unless it has a tagged NIC) from connecting.
Jason
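The tagging suggestion above, and Michael's objection that a NIC which tags its own frames gets around it, can be compared side by side in this added Python model (it is example code, not anything posted in the thread or shipped by Enterasys). Three versions of an uplink ingress policy are run over constructed frames: the original untagged port, a tagged-only port, and a port that first verifies a keyed integrity trailer from the peer switch. That HMAC trailer is a deliberate simplification standing in for the per-hop integrity check IEEE 802.1AE (MACsec) provides; it is not the MACsec frame format. The MAC addresses, VLAN IDs and link key are made up for the example.

```python
"""Model of three uplink-port ingress policies against an attacker who unplugs the
access switch and connects a PC to the uplink port instead (constructed example)."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800
ICV_LEN = 16           # bytes of HMAC kept as the integrity trailer (simplification, not MACsec)

UPLINK_PVID = 1                  # native VLAN of the original untagged uplink
UPLINK_TAGGED_VIDS = {10, 20, 30}  # VLANs configured as tagged egress on the hardened uplink


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, ethertype: int = ETH_P_IP) -> bytes:
    """Build a minimal Ethernet frame, optionally with an 802.1Q tag (PCP/DEI zero)."""
    if vid is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, vid & 0x0FFF, ethertype) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """Return the VLAN ID from the frame's 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF


def untagged_uplink(frame: bytes) -> Tuple[str, object]:
    """Original setup: untagged port, PVID 1, no policy. Anything plugged in is forwarded."""
    vid = parse_vid(frame)
    return ("forward", UPLINK_PVID if vid is None else vid)


def tagged_only_uplink(frame: bytes) -> Tuple[str, object]:
    """Jason's suggestion: every VLAN tagged on the uplink, untagged frames discarded."""
    vid = parse_vid(frame)
    if vid is None:
        return ("drop", "untagged frame on tagged-only uplink")
    if vid not in UPLINK_TAGGED_VIDS:
        return ("drop", f"VID {vid} not configured on uplink")
    return ("forward", vid)


def protect(frame: bytes, link_key: bytes) -> bytes:
    """Peer-switch side: append a keyed integrity trailer computed over the whole frame."""
    return frame + hmac.new(link_key, frame, hashlib.sha256).digest()[:ICV_LEN]


def authenticated_uplink(frame: bytes, link_key: bytes) -> Tuple[str, object]:
    """Hop-by-hop keyed check (MACsec-like idea): verify the trailer, then apply VLAN policy."""
    if len(frame) < 14 + ICV_LEN:
        return ("drop", "no integrity trailer")
    body, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    expected = hmac.new(link_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return ("drop", "integrity check failed: sender does not hold the link key")
    return tagged_only_uplink(body)


def demo() -> dict:
    """Run constructed frames from the real D2 and from an attacker's PC through each policy."""
    d2_mac = bytes.fromhex("001f45000002")       # constructed address for the D2 uplink
    attacker_mac = bytes.fromhex("0200deadbeef")  # constructed address for the attacker's NIC
    bcast = b"\xff" * 6
    link_key = b"constructed-per-link-key"        # shared only by the B5 and D2 in this model
    payload = b"x" * 46

    d2_frame = build_frame(bcast, d2_mac, payload, vid=10)
    attacker_untagged = build_frame(bcast, attacker_mac, payload)
    # Tagging is trivial for the attacker (e.g. a VLAN sub-interface on the PC).
    attacker_tagged = build_frame(bcast, attacker_mac, payload, vid=10)

    return {
        "untagged_port/attacker_untagged": untagged_uplink(attacker_untagged)[0],
        "tagged_only/attacker_untagged": tagged_only_uplink(attacker_untagged)[0],
        "tagged_only/attacker_tagged": tagged_only_uplink(attacker_tagged)[0],
        "authenticated/attacker_tagged": authenticated_uplink(attacker_tagged, link_key)[0],
        "authenticated/attacker_wrong_key":
            authenticated_uplink(protect(attacker_tagged, b"guessed-key"), link_key)[0],
        "authenticated/d2_protected": authenticated_uplink(protect(d2_frame, link_key), link_key)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:40s} {verdict}")
```

The tagged-only policy stops the untagged PC but forwards the attacker's frame as soon as it carries VID 10, which is the weakness Michael points out; only the policy that requires a key the attacker does not hold rejects the same frame. In a real deployment that per-hop key check is what MACsec (802.1AE) with MKA key agreement provides between two switches, and it has to be supported on both ends of the link.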
02-25-2014 02:40 PM
Hi Michael,
General uplink ports will not have policies or authentication enabled since the ports are not access ports.
Can you describe in more detail what you mean by “Is there a possibility to recognize the D2? And if no ETS Switch is recognized block the port?”
Scott Keene
GTAC Support
