A Core Competence Product Evaluation
Security
The Port Switch Hub 40 supports several very attractive MAC-level security
features. They are accessed through the Port Configuration window (see
Switch Management), from the Security icon.
Through this window, a network administrator can identify MAC address(es) of
equipment that may be connected to (in this case) Unit 1, Port 1. This
list is used in conjunction with the Disconnect Unknown Device and
Need to Know features.
Disconnect Unknown Device settings control address learning and access restrictions
for a port. The most restrictive setting (illustrated) is Full Security
with Disable on Intrusion: the hub checks that the source address of
every frame received on the port matches an Authorized Address, and if the
check fails it raises an alarm and disables the port, cutting off any
further communication through it.
Need to Know (NTK) is a complementary feature. To appreciate NTK, it's important
to understand that when an Ethernet frame is transmitted over a LAN segment,
it is "available" for any end station attached to the segment to examine. Under
normal operating circumstances, an end station examines each unicast frame, determines whether
the destination MAC address is its own, reads the frames that match, and ignores
those that do not. However, an Ethernet NIC can be put into what is
called "promiscuous" mode, in which the station reads every frame on the segment. This
is how LAN analyzers collect frames for diagnostic purposes, but
it is also how an intruder can collect frames and search them for
sensitive data such as cleartext passwords or confidential frame content.
When Need to Know is enabled on a port, the hub examines the destination address
of every frame transmitted over the LAN segment before forwarding it
to the end station on that port. If the destination address matches any of
the Authorized Addresses for that port, the frame is delivered without modification; if no
match is found, the frame is scrambled before it is forwarded so that it cannot be read.
Note that both features make their decision on the MAC address alone: a station that can
set its own address to an Authorized Address is indistinguishable from the genuine one at this layer,
so the Authorized Address list should be kept short and reviewed along with the intrusion alarms.
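The following model, written for this page rather than taken from the hub's firmware, shows the two port-level checks side by side on raw Ethernet II frames: Disconnect Unknown Device (source address compared against the port's Authorized Addresses, with the port disabled on a mismatch) and Need to Know (destination address compared, with non-matching frames scrambled before delivery). Sample frames are constructed inline. The review does not say how the hub scrambles a frame or how it treats broadcast and multicast destinations; this model scrambles the payload with random bytes and keeps the 14-byte header, which is an assumption made here so that the length and header the promiscuous listener can still see are visible in the output.

```python
"""Model of MAC-level port security as described for the Port Switch Hub 40.

Illustrative code added for this page; not the hub's own implementation.
Frames are Ethernet II: 6-byte destination, 6-byte source, 2-byte ethertype,
then payload (no FCS). Sample frames are constructed for the example.
"""
import os
import struct
from dataclasses import dataclass, field
from typing import Optional

ETH_HDR = struct.Struct("!6s6sH")  # dst, src, ethertype in network byte order


def mac_bytes(text: str) -> bytes:
    """'00:a0:24:11:22:33' -> six raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def mac_text(raw: bytes) -> str:
    """Six raw bytes -> lowercase colon-separated text."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble a minimal Ethernet II frame for the examples."""
    return ETH_HDR.pack(mac_bytes(dst), mac_bytes(src), ethertype) + payload


@dataclass
class SecurePort:
    name: str
    authorized: set                    # Authorized Addresses, lowercase text
    disable_on_intrusion: bool = True  # "Full Security with Disable on Intrusion"
    need_to_know: bool = True
    enabled: bool = True
    alarms: list = field(default_factory=list)

    def ingress(self, frame: bytes) -> bool:
        """Disconnect Unknown Device: a frame received *from* the attached station
        is accepted only if its source MAC is an Authorized Address. Returns True
        when the frame is accepted; on a mismatch an alarm is recorded and, with
        disable_on_intrusion set, the port is shut down."""
        if not self.enabled:
            return False
        _dst, src, _ethertype = ETH_HDR.unpack_from(frame)
        if mac_text(src) in self.authorized:
            return True
        self.alarms.append(f"{self.name}: intrusion from {mac_text(src)}")
        if self.disable_on_intrusion:
            self.enabled = False
        return False

    def egress(self, frame: bytes) -> Optional[bytes]:
        """Need to Know: a frame headed *to* the attached station is delivered
        intact only if its destination MAC is an Authorized Address on this port.
        Otherwise the payload is scrambled (assumption: random fill, header kept),
        so a promiscuous NIC on this port sees only header fields and length.
        Returns None when the port is disabled."""
        if not self.enabled:
            return None
        dst, _src, _ethertype = ETH_HDR.unpack_from(frame)
        if not self.need_to_know or mac_text(dst) in self.authorized:
            return frame
        header, payload = frame[:ETH_HDR.size], frame[ETH_HDR.size:]
        return header + os.urandom(len(payload))


if __name__ == "__main__":
    # Constructed scenario: one authorized station on Unit 1, Port 1.
    port = SecurePort("Unit 1, Port 1", {"00:a0:24:11:22:33"})
    server = "00:a0:24:aa:bb:cc"
    for_me = build_frame("00:a0:24:11:22:33", server, 0x0800, b"login: admin")
    for_other = build_frame("00:a0:24:55:66:77", server, 0x0800, b"login: admin")
    print("delivered :", port.egress(for_me)[ETH_HDR.size:])
    print("scrambled :", port.egress(for_other)[ETH_HDR.size:].hex())
    rogue = build_frame("ff:ff:ff:ff:ff:ff", "00:e0:29:de:ad:01", 0x0806, b"arp")
    print("rogue accepted:", port.ingress(rogue), "| port enabled:", port.enabled)
    print("alarms:", port.alarms)
```

Running the script shows the frame addressed to the authorized station arriving intact, the frame for another station arriving with the same length and header but unreadable payload, and the rogue source address tripping the alarm and disabling the port, after which nothing further is delivered.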
In our opinion, the ability to prevent unauthorized participation in,
and unauthorized listening on, one's VLAN is an extremely valuable feature for organizations deploying
virtual LANs to compartmentalize traffic
(see Roles for Port Switch Hubs).
Other security features on the Port Switch Hub are more mundane, and include the ability
to specify multiple levels of SNMP and administrative (console/Telnet) access control.
In both cases a cleartext user code and password (or SNMP community string) is used, so these
credentials are exposed to exactly the kind of promiscuous-mode capture described above unless
management traffic is itself confined to a protected segment.