VLAN Security
■
Manage switches out-of-band (separated from data traffic). If out-of-band management is
not feasible, then dedicate a separate virtual local area network (VLAN) number for in-band
management.
■
Use the port mirroring capability of the network switch for intrusion detection system (IDS)
access.
■
Maintain a switch configuration file off-line and limit access only to authorized
administrators. The configuration file should contain descriptive comments for each setting.
■
Implement port security to limit access based upon MAC addresses. Disable auto-trunking
on all ports.
■
Use these port security features if they are available on your switch:
■
MAC Locking involves associating a Media Access Control (MAC) address of one
or more connected devices to a physical port on a switch. If you lock a switch port to
a particular MAC address, superusers cannot create backdoors into your network with
rogue access points.
■
MAC Lockout disables a specified MAC address from connecting to a switch.
■
MAC Learning uses the knowledge about each switch port's direct connections so that
the network switch can set security based on current connections.
VLAN Security
If you set up a virtual local area network (VLAN), remember that VLANs share bandwidth on a
network and require additional security measures.
■
Separate sensitive clusters of systems from the rest of the network when using VLANs.
This decreases the likelihood that users will gain access to information on these clients and
servers.
■
Assign a unique native VLAN number to trunk ports.
■
Limit the VLANs that can be transported over a trunk to only those that are strictly required.
■
Disable VLAN Trunking Protocol (VTP), if possible. Otherwise, set the following for VTP:
management domain, password, and pruning. Then set VTP into transparent mode.
■
Use static VLAN configurations, when possible.
■
Disable unused switch ports and assign them an unused VLAN number.
InfiniBand Security
Keep InfiniBand hosts secure. An InfiniBand fabric is only as secure as its least secure
InfiniBand host.
Planning a Secure Environment 17
To Next Page
Loading...
Need help?
General
