NETGEAR ProSAFE GS724Tv4 Скачать руководство пользователя страница 19 | Manualshive

Страница: 19 / 28

background image

2.6. Ensuring only known devices can use a network

switch

192.168.14.9

printer

192.168.14.31

NAS

192.168.14.107

wireless extender

g2

g1

g7

g19

g23

PC 1

PC 2

192.168.14.7

192.168.14.240

Figure 2.5: Two VLANs dividing a private LAN

Are parts of the network of Figure 2.5 worth protecting so as not to allow access by everybody? Every-
body on the network should be able to print using the printer. But should everybody be able to access
the printer itself. Such access allows hanging of the printers address. Change that and the printer is no
longer a resource available to everybody. The netwok interface of the printer is not even password pro-
tected. The NAS is the storage on the network. In contrast to the printer, it’s web interface is password
protected. However, if an unwarranted person was to access this device they might delete, overwrite,
or take a copy files which are important, personal, or secret. There is a case for protecting such devices
on this network.

The switch can provide protection to devices network connected to it.

2.6.1

Security designed to give specific devices access to given devices

The secturity/protection design aim for the network of Figure 2.5 was:

•

PC 1 only was allowed access to the NAS, and

•

PC 2 only was allowed access to the printer.

The specific hardware devices PC 1, PC 2, the NAS, and the printer. Although each device has a given
IP address, each such address could be changed resulting in the corresponding rule would no longer
operating. A more secure approach was to use the hardware address (MAC address) of each device.
The MAC addresses of the devices and port on the switch are given in Table 2.3, having been taken from
Table 1.2.

Table 2.3: Addresses needed to implement the required MAC address security

Port

Device

MAC address

g1

printer

d0:bf:9c:bd:4b:4d

g2

NAS

28:c6:8e:d5:ed:08

g7

PC 2

00:3e:e1:c1:74:b3

g19

PC 1

c8:2a:14:56:3c:a2

2.6.2

Aspects common to each implementation alternative

Two alternate routes to implementing the security design were followed. There are, however, common
threads.

16

«
...
17
18
19
20
21
...
»

Содержание ProSAFE GS724Tv4

Страница 1: ...Netgear GS724Tv4 Smart switch A Tutorial on Use Ross Maloney by 4 October 2015 ...

Страница 2: ...tch configuration 6 1 7 Gateway from a simple network on the switch 6 1 7 1 Implementation 7 1 8 Warnings 7 2 Layer 2 8 2 1 All devices on the default VLAN 8 2 1 1 Implementation 9 2 1 2 Results from testing 9 2 2 A new VLAN holding all devices 9 2 2 1 Implementation 10 2 2 2 Results from testing 10 2 3 Two isolated LANs 10 2 3 1 Implementation 11 2 3 2 Results from testing 12 2 4 Dividing a LAN 1...

Страница 3: ...6 3 Implementation Alternative 1 17 2 6 4 Implementation Alternative 2 18 2 6 5 Testing 19 3 Layer 3 20 3 1 Routing between LANs and to the Internet 20 3 1 1 Implementation 21 3 1 2 Testing 22 3 1 3 Removing Internet access 22 3 1 4 Important to note from this example 22 3 2 Securing the network 23 3 2 1 Implementation overview 23 3 2 2 Wireless and Internet 23 3 2 3 Allowing PC 1 access but with ...

Страница 4: ...rther detail of the mechanics of performing setting of this switch is contained in the switch s manual The majority of the information contained here should also apply to the GS716Tv3 smart switch and maybe the GS748T5 although this has not been verified The reader is assumed to have access to the Netgear GS716Tv3 GS724Tv4 and GS748Tv5 Smart Switches Sofware Adminstration Manual available from www...

Страница 5: ...ork mask But contrast the gateway address must be specified and is to where a TCP IP packet is to be sent if the destination to which the packet is addressed cannot be found 1 2 Switch hardware The small brown coloured Philips head machine screws supplied with the switch are for attaching the supplied mounting brackets to the switch housing Four screw holes threaded for those screws are provided a...

Страница 6: ...ctory 23 244 dynamic 23 105 R 23 244 static 23 78 reset 23 244 static 23 78 I 23 244 static 23 78 factory 23 244 dynamic 23 105 R 23 2 static 23 78 reset 23 2 static 23 78 I 23 2 static 23 78 factory 23 244 dynamic 23 105 R gateway device 192 168 23 244 removed 23 2 static 23 78 reset 23 3 static 23 78 I 23 2 static 23 78 factory 0 0 0 0 dynamic 0 239 R 0 244 dynamic 0 239 reset 0 0 0 0 dynamic 0 ...

Страница 7: ...k DAP 1650 wireless extender 192 168 8 240 c0 a0 bb f7 44 c0 Table 1 2 shows the details of the devices used in the examples The switch was set with address 192 168 14 155 placing it on the hardwired ethernet The netmask for each device was set to 255 255 0 0 That mask enabled devices on both networks to communicate This enabled that Mac mini with address 192 168 8 7 to act as controller for the s...

Страница 8: ... devices 1 5 1 Access to the switch Control of the switch is menu base accessed through a web browser This menu system is only accessible after logging into the switch The menu sequence System IP Configuration enables the address of the switch its network mask and gateway can be reset Assume the network address was assigned here to 192 168 8 155 replacing the default switch address The network mas...

Страница 9: ...f the switch is required to configure the switch It is a good idea to have the switch address laying on one of the LANs the switch is handling To change the switch address log into the switch and then use the switch command sequence System Management IP Configuration to bring up the page containing the current network settings of the switch It is a good idea to have the switch of a fixed address S...

Страница 10: ...the PC the gateway address was set as 192 168 8 244 and then the PC restarted From the PC Internet connection could be demonstrated An alternate to the above procedure might be to change the gateway address of the switch and leave the gateway address of the PC pointing somewhere else The switch gateway was set to 192 168 8 244 using the System Management IP Configuration command menu sequence on t...

Страница 11: ...ith another device on the LAN on which it is located The Virtual LAN VLAN also has those properties For a device to communicate across a LAN or VLAN a network link or OSI Layer 3 connection is required In the following two networks are used The behaviour of two networks was taken as being able to be generalized to many networks implemeneted on a switch 2 1 All devices on the default VLAN The five ...

Страница 12: ...5 0 255 255 0 0 g1 255 255 255 0 g2 255 255 255 0 g7 255 255 255 0 x x g1 255 255 0 0 g2 255 255 0 0 g7 255 255 0 0 x x g23 255 255 255 0 g19 255 255 255 0 x x g23 255 255 0 0 g19 255 255 0 0 x x Each device was set to have a network mask of 255 255 255 0 then 255 255 0 0 With each net work mask setting pings between the PCs and devices were exchanged In this switch network configuration an unsecu...

Страница 13: ...rom port 19 and plugged into port 13 to control the switch From the VLAN Membership screen the ID 12 of the new VLAN was selected from the selection available on the VLAN ID window The screen for VLAN ID 12 which resulted had blank in all the port boxes For each of the port boxes 1 2 7 19 and 24 a U was set into the box by repeated clicking the box until the U appeared Then the APPLY button in the...

Страница 14: ... the other VLAN was created The two new VLANs appear in the VLAN Configuration tabulation Next the devices connected through the ports of the switch were assigned to each VLAN The PC on port 19 was moved to port 13 of the switch to act as the control The menu sequence Switching VLAN Advnaced VLAN Membership gave the screen which enabled such assignments First VLAN 1 was called up on screen using t...

Страница 15: ...successful ping and a x indicates a successful ping of the test PC itself Symmetry can be seen in the behaviours of the pings The top two left hand groupings in Table 2 2 show similar behaviour to the botton two right hand groupings In those two groupings the PC sending the ping g7 and g19 respectively were in the VLAN represented by the group In particular the behaviour of the g19 and g1 is noted...

Страница 16: ...VLAN Basic VLAN Configuration resulted in the VLAN Configuration screen Into the VLAN ID field the value 12 was typed and then VLAN A 12 into the VLAN Name field The ADD button at the bottom of the screen was then clicked to create the VLAN The switch menu sequence Switching VLAN Advnaced VLAN Membership was used to bring up the VLAN Membership screen The value 12 was typed into the VLAN ID field ...

Страница 17: ...e VLAN ID the value 22 was typed then the value VLAN B 22 in the VLAN Name field before clicking the add button The switch menu sequence Switching VLAN Advnaced VLAN Membership was used to bring up the VLAN Membership screen The value 12 was typed into the VLAN ID field The ports 19 and 23 were removed from this list and the APPLY button clicked The value 22 was typed into the VLAN ID field and po...

Страница 18: ...one VLAN could not access the other Any device connected to the switch could be shared by one or more VLANs on a switch by following the above configuration appoach The problem with this technique of sharing is there is no control over access any device on either VLAN can access the shared device or devices This contrasts to using ACL which can be applied to routing VLANs as described in Section T...

Страница 19: ...e for protecting such devices on this network The switch can provide protection to devices network connected to it 2 6 1 Security designed to give specific devices access to given devices The secturity protection design aim for the network of Figure 2 5 was PC 1 only was allowed access to the NAS and PC 2 only was allowed access to the printer The specific hardware devices PC 1 PC 2 the NAS and th...

Страница 20: ...r creation of the ACL When a ACL is applied to a port on a VLAN that port is automaticly denied access to all other devices connected to that VLAN So if a port is to only access one device the ACL should indicated the address of that device with the action of permit The starting point with each alternative was the switch configured to provide the network shown in Figure 2 5 The VLAN was named VLAN...

Страница 21: ...een Into the Name field of the MAC ACL Table on that screen the text nas pc1 was typed This was to be the title for the PC 1 to NAS rule The ADD button at the bottom of the screen was then clicked to register this title The text printer pc2 was then typed into the Name field and the ADD key clicked to register this title as that of the PC 2 to printer rule After pressing the ADD key the new title ...

Страница 22: ...t the bottom of the screen was clicked The ACL name nac pc1 was then selected from the ACL ID pull down menu and port 7 selected from the Port Selection Table before clicking the APPLY button After each click of the APPLY button an entry was added under the heading Interface Binding Status briefly describing the ACL to port binding The security design was then complete 2 6 5 Testing Testing was pe...

Страница 23: ...the devices on their LAN and also the other LAN Each of those LANs is to be implemented as a VLAN on the switch Further all members of each LAN are to have Internet access through a router on one of those VLANs In effect the two LANs are to be joined into one LAN wireless network PC 1 192 168 8 7 wireless extender g23 Internet gateway printer 192 168 14 31 g19 g1 g2 192 168 14 107 g7 PC 2 NAS swit...

Страница 24: ...9 and 23 were assigned as Untagged members of this VLAN The APPLY button was again clicked Routing between VLANs 12 and 22 had now been setup The routing configured was displayed using the menu sequence Routing Routing table which brought up the Route Configuration display The Route Status part of that display showed to routing which had been setup The Internet access was setup as the default gate...

Страница 25: ... members from VLANs could then access the Internet The alternate but more drastic method method is to remove the wireless range extender from VLAN 22 of the network of Figure 3 1 This removed the wireless network from being accessed by the switch This was done by removing VLAN 22 since individual ports cannot be removed from a VLAN The switch menu sequence Switching VLAN produced the VLAN Configur...

Страница 26: ... Implementation overview A combination of IP and MAC address based ACLs provided switch configuration solutions to the design requirements Because the configuration of the wireless network established by the Internet gateway of Figure 3 1 a wireless device needed to have an IP address of the form 192 168 8 x This wireless network entered the switch through the wireless extender at port 23 An ACL b...

Страница 27: ...n Source IPv4 was selected resulting in a acl based on source ipv4 screen being displayed Into this set of entry windows the value 10 was typed into the Rule ID window Permit from the Action pull down menu False from the Match Every pull down menu 192 168 78 90 was typed into the Source IP Adress window and 255 255 255 255 into the Source IP Mask window This ACL was then assigned to port 23 of the...

Страница 28: ...tered into the Source MAC Mask window and the vale 22 into the VLAN window The Unit 1 tag was clicked and the small box under port 19 was clicked resulting in a tick mark appearing in that box Then the APPLY button at the bottom of the screen was clicked 3 2 4 Allow PC 2 to access PC 1 This condition was enabled by the original routing configuration To access anything PC 2 presented network packet...

Отзывы:

Нет отзывов

Похожие инструкции для ProSAFE GS724Tv4

Univerge SV8100

Бренд: NEC Страницы: 44

Бренд: Parker Страницы: 344

Бренд: DBM Страницы: 50

Бренд: Zhone Страницы: 7

Бренд: Zhone Страницы: 1

Бренд: Belkin Страницы: 72

Бренд: Helmholz Страницы: 28

Бренд: Intellinet Страницы: 2

Бренд: Sangamo Страницы: 2

Бренд: Idis Страницы: 31

Бренд: Tripp Lite Страницы: 3

Бренд: Netis Страницы: 16

Бренд: Xenya Страницы: 189

Бренд: B+B SmartWorx Страницы: 52

Бренд: Razer Страницы: 17

Бренд: Topcom Страницы: 16

Бренд: Microtek Страницы: 25

Бренд: ADTRAN Страницы: 9

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды