
A Core Competence Product Evaluation

Security

We considered two aspects of security in our evaluation: management security, and transmission/media access security. For management security, access to the Desktop Switch and Switch 1000 through the VT100 console and the Telnet interface is protected by a static user name and password. Four access control levels are supported. Users are automatically logged out after 3 minutes of inactivity; the re-login prompt that follows displays the user name and asks only for the password to be re-entered. We think the effectiveness of user authentication would be improved if neither the user name nor the re-entered password were displayed.

Consistent with the state of SNMP security, user authentication is provided in the form of clear-text community strings for read and write operations, and the switch can be configured with a list of trap hosts. An audit log of management user sessions records the most recent changes to MIB objects. The log is limited in size (16 records for the Desktop Switch, 40 for the Switch 1000), and the oldest records are overwritten first. We would like to see a larger log: unless the log is read frequently, an intruder can erase the record of actual configuration changes by first making the changes he wants, then "padding" these with dummy changes until the real entries have been overwritten. Because the log overwrites oldest first, the intruder needs exactly as many dummy changes as the log has records (16 or 40), so the log size also sets how often a management station must poll it to be sure nothing was missed.
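The padding attack, and the poll-frequency check that counters it, as an added example (this is our own model, not the switch's firmware): a fixed-size overwrite-oldest audit log, an intruder routine that pads until a real change is gone, and a poller-side test that detects a complete wrap between two reads. The sequence counter on each record is an assumption of the model; the page does not show the real log format.

```python
from collections import deque
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LogRecord:
    seq: int          # monotonic counter; an assumption of this model, not a documented field
    user: str
    mib_object: str
    new_value: str


class AuditLog:
    """Fixed-size management audit log: when full, the oldest record is overwritten."""

    def __init__(self, size: int) -> None:
        self.size = size
        self._records: deque = deque(maxlen=size)   # deque drops the oldest on overflow
        self._seq = 0

    def record_set(self, user: str, mib_object: str, new_value: str) -> LogRecord:
        self._seq += 1
        rec = LogRecord(self._seq, user, mib_object, new_value)
        self._records.append(rec)
        return rec

    def records(self) -> List[LogRecord]:
        return list(self._records)

    def contains_change(self, mib_object: str, new_value: str) -> bool:
        return any(r.mib_object == mib_object and r.new_value == new_value
                   for r in self._records)


def hide_change(log: AuditLog, user: str, real_object: str, real_value: str) -> int:
    """Intruder's padding attack: make the real change, then issue dummy SET
    operations until the real record has been overwritten. Returns the number
    of dummy changes needed (always the log size: the real record is the newest
    entry and must age past every slot before it is dropped)."""
    log.record_set(user, real_object, real_value)
    pads = 0
    while log.contains_change(real_object, real_value):
        log.record_set(user, "sysContact.0", f"pad-{pads}")   # harmless object to churn
        pads += 1
    return pads


def records_lost_between_polls(prev_newest_seq: int, snapshot: List[LogRecord]) -> bool:
    """Poller-side check. True if the log wrapped completely between two polls,
    i.e. at least one record was overwritten before anyone read it. The poller
    must therefore run more often than an intruder can issue log-size changes."""
    if not snapshot:
        return False
    return snapshot[0].seq > prev_newest_seq + 1


if __name__ == "__main__":
    for name, size in (("Desktop Switch", 16), ("Switch 1000", 40)):
        log = AuditLog(size)
        n = hide_change(log, "intruder", "ifAdminStatus.6", "up")
        print(f"{name}: {n} dummy changes erase the real change; "
              f"still visible: {log.contains_change('ifAdminStatus.6', 'up')}")
```

The poller check only works if the management station keeps the newest sequence number it saw last time; if the oldest record in the next snapshot is more than one past it, something was overwritten unread and the operator should treat the interval as suspicious rather than assume the gap was benign churn.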

With respect to transmission and media access security, we considered traffic controls and port security. With the Desktop Switch and Switch 1000, end stations in a given VLAN can only communicate with other end stations in that same VLAN unless a router is used to interconnect VLANs. Unused ports - for example, a port that is terminated in an RJ-45 jack in an unoccupied office or conference room - can be disabled to prevent unauthorized access. This has the effect of setting the port to the "down" administrative state (see the ifAdminStatus of port 6 in the ifStatus snapshot in the section, Switch Management).

We have already described how several VLANs can be interconnected using backbone ports connected to routers for the purpose of filtering or segregating traffic. The Desktop Switch and Switch 1000 can also be configured to "latch down" on a specific MAC address: once an address is learned on a "security-enabled" port, any station attached to that port with a different MAC address is unable to transmit packets, and the switch generates an alarm (SNMP trap) when such an attempt is made. Since a station's MAC address is set by its own driver, this control stops the casual attachment of a second machine rather than a determined attacker who knows the latched address, so the trap host should be watched as well.
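The three media-access controls above (disabled ports, VLAN isolation without a router, and MAC latch-down with a trap) as an added example of our own, not the switch's code: a small forwarding model in which each frame is accepted or dropped by the same rules the text describes. Port numbers, VLAN numbers and MAC addresses are constructed for the example; the ifAdminStatus values follow RFC 1213 (1 = up, 2 = down).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IF_ADMIN_UP, IF_ADMIN_DOWN = 1, 2      # ifAdminStatus values from RFC 1213
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    number: int
    vlan: int
    admin_status: int = IF_ADMIN_UP
    security_enabled: bool = False
    latched_mac: Optional[str] = None   # first source MAC seen on a security-enabled port


@dataclass
class Switch:
    ports: Dict[int, Port] = field(default_factory=dict)
    traps: List[str] = field(default_factory=list)
    # forwarding database keyed per VLAN, so one VLAN never learns another's stations
    fdb: Dict[Tuple[int, str], int] = field(default_factory=dict)

    def add_port(self, number: int, vlan: int, admin_status: int = IF_ADMIN_UP,
                 security_enabled: bool = False) -> None:
        self.ports[number] = Port(number, vlan, admin_status, security_enabled)

    def ingress(self, port_no: int, src_mac: str, dst_mac: str) -> List[int]:
        """Process one frame arriving on port_no; return the egress port numbers
        it is delivered to ([] means the frame was dropped)."""
        port = self.ports[port_no]
        if port.admin_status != IF_ADMIN_UP:
            return []                       # disabled (unused-office) port: nothing accepted
        if port.security_enabled:
            if port.latched_mac is None:
                port.latched_mac = src_mac  # latch down on the first address learned
            elif src_mac != port.latched_mac:
                self.traps.append(
                    f"port {port_no}: station {src_mac} rejected, "
                    f"port latched to {port.latched_mac}")
                return []                   # different station on a latched port: dropped
        self.fdb[(port.vlan, src_mac)] = port_no
        if dst_mac != BROADCAST:
            known = self.fdb.get((port.vlan, dst_mac))
            if known is not None and known != port_no:
                return [known]
        # unknown or broadcast destination: flood, but only within the ingress VLAN
        return [p.number for p in self.ports.values()
                if p.vlan == port.vlan and p.number != port_no
                and p.admin_status == IF_ADMIN_UP]


if __name__ == "__main__":
    sw = Switch()
    sw.add_port(1, vlan=10)
    sw.add_port(2, vlan=10)
    sw.add_port(3, vlan=20)
    sw.add_port(6, vlan=10, admin_status=IF_ADMIN_DOWN)      # the disabled port 6 of the text
    sw.add_port(4, vlan=10, security_enabled=True)
    print("flood from port 1 reaches", sw.ingress(1, "00:00:00:00:00:01", BROADCAST))
    print("frame on disabled port 6 reaches", sw.ingress(6, "00:00:00:00:00:06", BROADCAST))
    print("first station on port 4 reaches", sw.ingress(4, "aa:aa:aa:aa:aa:01", "00:00:00:00:00:01"))
    print("second station on port 4 reaches", sw.ingress(4, "aa:aa:aa:aa:aa:02", "00:00:00:00:00:01"))
    print("traps:", sw.traps)
```

Note what the model does not do: a station that forges the latched address is accepted, exactly as the real control would accept it, which is why the trap host and not the latch alone is the part worth monitoring.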
