Network Security
Ethernet LANs are often deployed in environments that
permit unauthorized devices to be physically attached to
the LAN infrastructure, e.g. in areas of a building that are
accessible to the general public, or in a shared business park
or serviced office building. Most importantly, these are areas
where wireless networks are attached to the wired LAN. In
such environments, it is important to restrict access to the
services offered by the LAN to those users and devices that
are permitted.
IEEE 802.1x port-based network access control provides a
means of authenticating and authorizing devices attached
to a LAN port. It can also prevent access to that port in
cases where the authentication and authorization process
fails. These ports can be: switches, servers, routers or even
wireless connections made between end-stations and access
points in IEEE 802.11 Wireless LANs.
Traffic prioritization & filtering
A switch is often a single point of failure in a network since
it provides the connections between all the end-users and
server resources. If anything goes wrong with the switch, then
everything stops: email, file transfer and database access.
Luckily most modern networking hardware is built robustly
with redundant components and is unlikely to fail. What is
more likely to go wrong is for the device to be swamped with
traffic and unable to operate normally.
Port Trunking
When large numbers of end-users need to access shared
resources such as file servers or database storage, the
connection to the server or storage device can become a
bottleneck. For instance, it only takes 10 PCs with 100 Mbps
connections performing transfers to and from a shared file
server to saturate a 1 Gbps connection to the server.
The solution is to use Port Trunking or Link Aggregation
Control Protocol (LACP) to bundle multiple connections and
use the combined bandwidth as if it was a single fat pipe. In
the example shown in Figure 3 below, up to 80 users can
perform simultaneous 100 Mbps transfers to 4 servers which
are dual linked with 2 x 1 Gbps connections.
Figure 3: Ethernet Trunking
The ease-of-use and plug-and-play qualities of Ethernet are
a result of the way new devices broadcast their addresses.
Bridges and switches can learn of their existence without
manual intervention. This can result in large amounts of traffic
being broadcasted and proliferated around the network.
This traffic can be controlled by:
• Using IEEE 802.1p to define up to eight traffic classes.
These classes can be labeled as urgent, business critical
and best-effort and the intervening switches and routers
set up to prioritize the traffic accordingly.
• Using VLANs to keep broadcast traffic within its own
broadcast domain.
• Filtering using Access Control Lists (ACLs) to restrict
traffic based on broadcast type.
• Generating alerts and alarms using SNMP traps should
traffic exceed certain thresholds.
Modern switches must provide these features if MIS
managers don’t want to hear those dreaded words: “The
network is down”.
SNMP Management Tool
The Simple Network Management Protocol (SNMP) is the
established industry standard for managing all types of network
devices. SNMP provides management of different network
devices using a comprehensive set of Management Information
Bases or MIBs. Using these MIBs, SNMP management tools can
be used to install, configure, monitor and manage all kinds of
network devices. SNMP provides support for traps and events.
Thresholds and conditions can be defined on which certain
actions are taken. These actions can range from generating
a message on an operator screen, turning a device icon a
different color on a network map or sending a text message or
phone call to the person responsible for managing the network.
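The threshold-and-action idea described here (and the "alerts and alarms should traffic exceed certain thresholds" point in the filtering list above) is easiest to see in code. The following is an added example, not SMC's EliteView or any other product's code: it evaluates link utilisation from successive readings of an interface's ifInOctets counter, handles the 32-bit Counter32 wrap that real SNMP interface counters exhibit, and applies a raise/clear threshold pair with hysteresis so that a link hovering around the limit does not generate an alarm on every poll. The polled samples, the 100 Mbps link speed and the 80%/60% thresholds are constructed for the example.

```python
"""Threshold evaluation over polled SNMP interface counters.

Added example, not the EliteView code described on this page. It assumes
ifInOctets-style 32-bit counters (Counter32) sampled at fixed intervals;
the samples below are constructed, not captured from a real device.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2**32  # Counter32 values wrap modulo 2^32


@dataclass(frozen=True)
class Sample:
    timestamp: int   # seconds since epoch at the time of the poll
    in_octets: int   # ifInOctets value returned by the device


def octet_delta(prev: int, curr: int) -> int:
    """Difference between two Counter32 readings, tolerating one wrap.

    A reading lower than the previous one means the counter passed 2^32
    since the last poll; taking the difference modulo 2^32 recovers the
    real number of octets as long as at most one wrap occurred.
    """
    return (curr - prev) % COUNTER32_MAX


def utilisation_pct(prev: Sample, curr: Sample, link_bps: int) -> float:
    """Average inbound utilisation (percent of link_bps) over the interval."""
    seconds = curr.timestamp - prev.timestamp
    if seconds <= 0:
        raise ValueError("samples must be in increasing time order")
    bits = octet_delta(prev.in_octets, curr.in_octets) * 8
    return 100.0 * bits / (link_bps * seconds)


def evaluate(samples, link_bps, raise_pct=80.0, clear_pct=60.0):
    """Walk consecutive samples and return (timestamp, event, util) tuples.

    An alarm is RAISEd once utilisation reaches raise_pct and is only
    CLEARed once it drops below clear_pct (hysteresis), which is where a
    management tool would send the trap, recolour the map icon, or page
    the operator.
    """
    events = []
    alarmed = False
    for prev, curr in zip(samples, samples[1:]):
        util = utilisation_pct(prev, curr, link_bps)
        if not alarmed and util >= raise_pct:
            alarmed = True
            events.append((curr.timestamp, "RAISE", round(util, 1)))
        elif alarmed and util < clear_pct:
            alarmed = False
            events.append((curr.timestamp, "CLEAR", round(util, 1)))
    return events


# Constructed 60-second polls of a 100 Mbps port. The counter starts near
# the top of its range so that the third reading shows a Counter32 wrap.
LINK_BPS = 100_000_000
SAMPLES = [
    Sample(0,   4_000_000_000),
    Sample(60,  4_075_000_000),   # +75,000,000 octets  -> 10% utilisation
    Sample(120, 417_532_704),     # +637,500,000 octets (wrapped) -> 85%
    Sample(180, 1_092_532_704),   # +675,000,000 octets -> 90%
    Sample(240, 1_392_532_704),   # +300,000,000 octets -> 40%
    Sample(300, 1_892_532_704),   # +500,000,000 octets -> 66.7%
]

if __name__ == "__main__":
    for ts, event, util in evaluate(SAMPLES, LINK_BPS):
        print(f"t={ts:>4}s  {event:<5} utilisation={util}%")
```

Run as a script it reports one RAISE at t=120 s (85%) and one CLEAR at t=240 s (40%); the 90% interval in between produces no second alarm, and the 66.7% interval at the end stays silent because it lies between the two thresholds. In a real deployment the `Sample` values would come from periodic SNMP GET requests (or from the device's own RMON alarm group), and the ifHCInOctets 64-bit counter should be preferred on gigabit links, where a Counter32 can wrap more than once between polls and the modulo arithmetic above would under-count.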
EliteView Management Software
For SNMP management, SMC makes available its advanced
EliteView as a free download. EliteView is a Windows-based
workgroup network management software solution with a
streamlined, event-driven, modular architecture that makes
managing hundreds of network nodes simple. It provides
state-of-the-art utilities which allow you to:
• Generate a detailed hierarchical map of your entire
network configuration.
• Maintain centralized boot services that provide network
addresses and information on system files to download.
• Monitor and log significant events and statistics.
• Automatically respond to network problems with a variety
of actions.
• Quickly fetch or set MIB variables for network devices.
• Remotely manage or reconfigure both SMC and third-party
network devices.
• Use the full MIB Compiler for including other network
devices.