Belden HIRSCHMANN HiOS-2A - Measures to Secure the Network Infrastructure

Network security support (UM Security BRS-2A, Release 8.7, 05/2022, page 47)
3.5 Measures to secure the network infrastructure
The collection of suggested measures can be used for hardening and for defense in depth. Pick the
measures suitable for defense in depth first. Then complement them by selecting from the
remaining hardening possibilities.
To help you secure your network infrastructure, perform the following steps on the respective
devices as needed:
- Restrict logical access to your network (see “Restrict logical access to your network” on page 48):
  - Configure a dedicated management VLAN. If you use certain redundancy protocols, use only VLAN IDs ≥2 for payload traffic and device management (see “VLAN plan considerations depending on redundancy protocols” on page 21).
  - Configure VLAN segregation
  - Disable GVRP and MVRP
  - Configure Port Security
  - Configure ACLs
- Secure the network protocols used (see “Secure the network protocols used” on page 49):
  - Disable GMRP and MMRP
- Secure the redundancy protocols used (see “Secure the redundancy protocols used” on page 50):
  - Configure RSTP guards and helper protocols
  - Configure MRP (MRP VLAN ID ≥2, tagged packets)
  - Configure HIPER Ring (VLAN ID 1: tagged packets)
  - Configure Ring/Network Coupling (VLAN ID 1: tagged packets)
- Configure attack protection functions
  - Configure Denial of Service (DoS) protection (see “Configure Denial of Service (DoS) protection” on page 51)
  - Configure rate limiters (see “Configure rate limiters” on page 51)
- Configure network time synchronization (see “Configure network time synchronization” on page 52)
- Configure logging (see “Configure logging” on page 53)
Note: Securing the redundancy protocols used can also help you enhance and maintain the
availability of your network infrastructure.
Routing protocols like HiVRRP, VRRP, OSPF or RIP are outside the scope of this document.
