LAN edge switches have come a long way from the dumbed-down devices that once offered uniform network access to employees plugging into an office LAN port. With the rise in mobile workers and guest users such as contractors and consultants, the need for more complex network edge security strategies is more pressing than ever. As a result, many networking teams are learning to use their LAN edge switch security functions as an integral part of network defense-in-depth strategies.
Intelligent edge switches have complex security features that enable the use of ACLs and VLANs for port traffic monitoring and management. They also generally support policy-driven network access authentication, as well as integration with network access control (NAC) and behavior analysis tools.
In this SearchNetworking guide, learn the basics of how to use LAN edge switch security functions for a more complex network edge security strategy.
TABLE OF CONTENTS
Using LAN edge switch ACLs and VLANs for network edge security
VLANs and network edge security
Using LAN edge switches for NAC
Integrating LAN edge switch security with network access control
Integrating NAC with other security endpoints
Using LAN edge switch ACLs and VLANs for network edge security
LAN edge switch ACLs can be an important part of defense in depth. Just like ACLs on routers and firewalls, switch-level ACLs can filter traffic, permitting or denying access through the port. But pushing that function to the edge spreads the work out, potentially decreasing the number of rules required in other locations and the amount of traffic processed there, thus improving performance. LAN edge switch ACLs can also do something ACLs elsewhere cannot: help protect edge devices from one another.
ACLs are not the only intelligent edge switch security feature. Where ACLs are great for managing access to specific addresses or applications, VLANs are a more robust way of handling groupings of ports and controlling traffic among these groups.
Find out how to use LAN edge switch ACLs and VLANs to manage access and control port traffic.
VLANs and network edge security
VLANs play a major role in network edge security, but, depending on the switch, configuring and troubleshooting VLANs can be very complex. Learn how to implement, manage and troubleshoot VLANs in this VLAN guide for networking pros.
Using LAN edge switches for NAC
Of all the unused security features lying dormant on intelligent edge switches, network access authentication is perhaps the most important. While IT teams have complete control over what's connected in the data center, that's not the case at all on the LAN. So it is crucial to use LAN edge devices for their access control features.
Learn how to configure LAN edge switches for network access authentication and integrate them with a RADIUS server.
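As an added illustration (not configuration from this guide or from the linked articles), the IOS-style switch configuration below combines the two ideas from the ACL and NAC sections on a single access port: a port ACL that lets a client obtain an address and reach the gateway and DNS server while blocking host-to-host traffic inside the access subnet, plus 802.1X authentication against a RADIUS server with a fallback VLAN for clients that cannot authenticate. The addresses, VLAN numbers, interface and ACL names, and the shared-secret placeholder are assumed values.

```cisco
! --- Port ACL: protect edge devices from one another (assumed addresses) ---
ip access-list extended EDGE-PORT-IN
 remark Let the client obtain an address via DHCP
 permit udp any eq bootpc any eq bootps
 remark Allow the default gateway (10.20.0.1) and the DNS server (10.1.1.10)
 permit ip any host 10.20.0.1
 permit udp any host 10.1.1.10 eq domain
 remark Block traffic between hosts in the 10.20.0.0/24 access subnet
 deny ip 10.20.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 remark Off-subnet traffic is allowed here; upstream ACLs and firewalls still apply
 permit ip any any
!
! --- 802.1X against a RADIUS server (assumed server address; secret is a placeholder) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server NAC-RADIUS
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
dot1x system-auth-control
!
! --- Access port: ACL applied inbound, port closed until 802.1X succeeds ---
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
 dot1x pae authenticator
 authentication port-control auto
 remark-free: clients with no 802.1X supplicant or a failed login land in guest VLAN 99
 authentication event no-response action authorize vlan 99
 authentication event fail action authorize vlan 99
 ip access-group EDGE-PORT-IN in
```

Rule order matters: the gateway permit must precede the intra-subnet deny, because the gateway address itself falls inside 10.20.0.0/24. An IP ACL does not filter non-IP frames such as ARP, so where full isolation between access ports is wanted, protected ports or private VLANs are the usual complement.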
Integrating LAN edge switch security with network access control
Defense-in-depth requires that networking teams use LAN edge switches as part of the security infrastructure. ACLs, VLANs and authentication form the base of edge security; NAC sits atop this base to further mitigate risks. It is usually driven by intelligence in the data center or network core, such as policies defined and propagated from a central management point or directories of users that are allowed to use the network.
NAC requires initial health checks, which depend on a tamper-resistant agent on the endpoint that can verify that some software is running (e.g., an antivirus) and other software is not (e.g., various kinds of spyware). Learn the importance of implementing network edge security health checks for NAC at the LAN edge switch.
Integrating NAC with other security endpoints
NAC integration with endpoint software enables much more than just access control. Using APIs and open standards, you can integrate NAC solutions to scan connecting machines for operating system patch updates and to identify and limit the use of external drives. What's more, using NAC at endpoints can ensure that users are working from sanctioned virtual sandboxes when they connect with their personal machines and can confirm that connecting machines have disk encryption installed. Read this chapter excerpt from "Network Access Control for Dummies."