Security Overview

Network Security Features

This section outlines features and defence mechanisms for protecting access through the switch to the network. For more detailed information, see the indicated chapters.

Table 1-2. Network Security—Default Settings and Security Guidelines

Feature: Secure File Transfers
Default Setting: not applicable
Security Guidelines: Secure Copy (SCP) and SFTP provide a secure alternative to TFTP and auto-TFTP, which move files without authentication or encryption, for transferring sensitive information such as configuration files and log information between the switch and other devices.
More Information and Configuration Details: Management and Configuration Guide, Appendix A “File Transfers”, section “Using Secure Copy and SFTP”

Feature: Traffic/Security Filters
Default Setting: none
Security Guidelines: These statically configured filters enhance in-band security (and improve control over access to network resources) by forwarding or dropping inbound network traffic according to the configured criteria. Filter options include:
  - Source-port filters: inbound traffic from a designated physical source port is forwarded or dropped on a per-port (destination) basis.
More Information and Configuration Details: Chapter 12, “Traffic/Security Filters and Monitors”

Feature: Port Security, MAC Lockdown, and MAC Lockout
Default Setting: none
Security Guidelines: These features provide device-based access security in the following ways:
  - Port security: each switch port can be configured with its own list of the MAC addresses of devices that are authorized to access the network through that port. This lets individual ports detect, prevent, and log attempts by unauthorized devices to communicate through the switch. Some switch models also include eavesdrop prevention in the port security feature.
  - MAC lockdown: this “static addressing” feature is an alternative to port security for preventing station movement and MAC address “hijacking”: a given MAC address is allowed to use only one assigned port on the switch. MAC lockdown also restricts the client device to a specific VLAN.
  - MAC lockout: blocks a specific MAC address so that the switch drops all traffic to or from that address.
More Information and Configuration Details: Chapter 11, “Configuring and Monitoring Port Security”. See also “Precedence of Port-Based Security Options” on page 1-17.
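To make the interaction of the traffic/security filters and the port-based controls concrete, the following is an added Python model of the admission decisions the table describes. It is not HP ProCurve code and does not reproduce the switch's implementation: the evaluation order (MAC lockout, then MAC lockdown, then port security, then source-port filters), the `Frame` and `AccessPolicy` names, and the sample MAC addresses and port numbers are all constructed for this example; the switch's real ordering is the one given in “Precedence of Port-Based Security Options”.

```python
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Canonicalise a MAC address so "00-1B-2C-..." and "00:1b:2c:..." compare equal."""
    return mac.replace("-", ":").lower()


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int   # physical port the frame arrived on
    vlan: int      # VLAN the frame was classified into on ingress
    out_port: int  # egress port chosen by the (not modelled) forwarding lookup


@dataclass
class AccessPolicy:
    """Constructed model of the Table 1-2 controls; the evaluation order is an assumption."""
    mac_lockout: set = field(default_factory=set)            # addresses dropped in both directions
    mac_lockdown: dict = field(default_factory=dict)         # MAC -> (assigned port, assigned VLAN)
    port_security: dict = field(default_factory=dict)        # port -> set of authorised MACs
    source_port_filters: dict = field(default_factory=dict)  # in_port -> set of out_ports to drop
    log: list = field(default_factory=list)                  # port-security violation records

    def __post_init__(self):
        self.mac_lockout = {norm(m) for m in self.mac_lockout}
        self.mac_lockdown = {norm(m): assignment for m, assignment in self.mac_lockdown.items()}
        self.port_security = {p: {norm(m) for m in macs} for p, macs in self.port_security.items()}

    def decide(self, f: Frame) -> str:
        """Return "forward" or "drop:<feature>" for one inbound frame."""
        src, dst = norm(f.src_mac), norm(f.dst_mac)
        # MAC lockout: all traffic to or from the address is dropped, whichever port it appears on.
        if src in self.mac_lockout or dst in self.mac_lockout:
            return "drop:mac-lockout"
        # MAC lockdown: the address may only appear on its one assigned port and VLAN.
        if src in self.mac_lockdown and self.mac_lockdown[src] != (f.in_port, f.vlan):
            return "drop:mac-lockdown"
        # Port security: an ingress port with an authorised list rejects and logs other sources.
        if f.in_port in self.port_security and src not in self.port_security[f.in_port]:
            self.log.append(f"port {f.in_port}: unauthorised source {src} blocked")
            return "drop:port-security"
        # Source-port filter: frames from this physical source port are dropped towards the
        # listed destination ports and forwarded towards all others.
        if f.out_port in self.source_port_filters.get(f.in_port, set()):
            return "drop:source-port-filter"
        return "forward"


def demo_policy() -> AccessPolicy:
    """Constructed sample policy; the addresses and port numbers are not from any real switch."""
    return AccessPolicy(
        mac_lockout={"00-1B-2C-3D-4E-5F"},
        mac_lockdown={"00-1B-2C-00-00-01": (3, 10)},
        port_security={5: {"00-1B-2C-00-00-05"}},
        source_port_filters={7: {1, 2}},
    )


def run_samples() -> dict:
    """Apply the sample policy to constructed frames; returns {case name: decision}."""
    policy = demo_policy()
    bcast = "ff:ff:ff:ff:ff:ff"
    cases = {
        "lockout-as-destination": Frame("00:1b:2c:00:00:05", "00:1b:2c:3d:4e:5f", 5, 10, 7),
        "lockdown-wrong-port": Frame("00:1b:2c:00:00:01", bcast, 4, 10, 6),
        "lockdown-wrong-vlan": Frame("00:1b:2c:00:00:01", bcast, 3, 20, 6),
        "lockdown-assigned-port": Frame("00:1b:2c:00:00:01", bcast, 3, 10, 6),
        "portsec-intruder": Frame("aa:bb:cc:dd:ee:ff", bcast, 5, 10, 6),
        "portsec-authorised": Frame("00:1b:2c:00:00:05", bcast, 5, 10, 6),
        "filter-dropped-destination": Frame("00:1b:2c:00:00:07", bcast, 7, 10, 2),
        "filter-other-destination": Frame("00:1b:2c:00:00:07", bcast, 7, 10, 9),
    }
    return {name: policy.decide(frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:28s} {decision}")
```

The cases worth noticing are the ones the table's wording implies but does not spell out: a locked-out address is dropped even when it is only the destination and the source is fully authorised on its port, a locked-down station is rejected when it moves to another port or shows up in another VLAN, and a source-port filter only affects the listed destination ports, so the same source still reaches every other port.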

 

 

 

 

 

1-7