Chapter 5. Switching

Like routers, security precautions for switches are often overlooked. This is obviously a mistake. Switches serve as entry points to the network. Not only are they the handoff point from routers, they are also the way users connect into the core of your network.

Continuing the layered security model started in Chapter 4 with routers, switches are a second line of defense in network protection. As with routers, switch security needs to focus on stopping unwanted incoming and outgoing traffic. This means securing who has access to your switches, routing on multilayer switches, and restricting machine access to the switches.

In addition to access restriction, switches are used to help build a redundant, scalable, and highly available network. Because availability is a core component of a secure solution, it will be discussed extensively in this chapter.

Most people don't think about switches because a switch sits on the network and forwards traffic to the edge, with very few failures. As enterprise networks have become more complex, the switch has taken a more central role in the deployment of those networks. To that end, switch selection has become more important than ever to an enterprise network. It is important to choose switches that will make it easier to manage the network, and that are able to scale as traffic on the network grows.

Before beginning a discussion on switch security, it is important to understand what to look for when purchasing a switch. Undoubtedly, you already have a network infrastructure in place, so this advice may not be of immediate assistance to you, but it may be useful for future purchases.

For an enterprise network, a switch is always preferred over a hub. Hubs work in broadcast mode: a packet sent from one machine is repeated to all other machines plugged into the hub. This generates a lot of excess traffic and is a security risk, because it means that every machine plugged into that hub can view the traffic destined for all of the other machines on the network.

Switches behave in a different manner. A switch maps a physical address (the MAC address) to a logical address (an IP or IPX address), and terminates all broadcasts at the originating port. This means that if a packet leaves a machine headed for the gateway address, it is forwarded directly to the port to which the gateway is attached, making it very difficult for other users to sniff traffic from the machine.

Even better than a switch is a managed switch. Managed switches provide a network administrator with a lot more control over the network. Managed switches allow you to:

  • Set port speed

  • Control access by MAC address

  • Gather statistics about bandwidth usage on a per-port basis

This type of detailed statistics collection makes network troubleshooting and planning a lot easier because you can quickly determine the location of problem areas on your network and decide if you need to upgrade equipment or talk with a specific user who may be using excessive resources.
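The following simulation is an added illustration, not code from the book, of the two points made above: a hub repeats every frame to every port, while a switch forwards a known unicast frame only to the port where the destination was learned; and a managed switch can enforce per-port MAC access control and keep per-port traffic statistics. Hosts, MAC addresses, port numbers and frame sizes are constructed sample values, and the `Hub`, `ManagedSwitch` and `run_demo` names are the example's own. It goes slightly beyond the text in one respect that matters for the sniffing argument: until a switch has learned where a destination lives, it floods the frame to every port just as a hub would.

```python
"""Hub vs. learning-switch forwarding, with MAC access control and per-port
statistics.  Added illustration (not the book's code); all addresses and
frames below are constructed sample values."""

from collections import defaultdict
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str          # source MAC address
    dst: str          # destination MAC address
    size: int = 64    # bytes, used only for the per-port statistics


class Hub:
    """A hub repeats every frame out of every port except the one it arrived
    on, so every attached host can observe every other host's traffic."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return sorted(p for p in self.ports if p != in_port)


def _new_counter():
    return {"frames": 0, "bytes": 0, "dropped": 0}


@dataclass
class ManagedSwitch:
    ports: list
    # port -> set of source MACs permitted on that port (MAC access control)
    allowed: dict = field(default_factory=dict)
    # learned MAC -> port
    mac_table: dict = field(default_factory=dict)
    # port -> traffic counters (per-port bandwidth/usage statistics)
    stats: dict = field(default_factory=lambda: defaultdict(_new_counter))

    def forward(self, in_port, frame):
        """Return the egress ports for a frame, or [] if it is dropped."""
        # MAC access control: a port with an allow-list discards frames from
        # any other source MAC and records the drop for the administrator.
        permitted = self.allowed.get(in_port)
        if permitted is not None and frame.src not in permitted:
            self.stats[in_port]["dropped"] += 1
            return []
        self.stats[in_port]["frames"] += 1
        self.stats[in_port]["bytes"] += frame.size
        # Learn which port the source MAC lives on.
        self.mac_table[frame.src] = in_port
        # Known unicast goes to exactly one port; broadcast and still-unknown
        # unicast are flooded to every port except the ingress port.
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            out = self.mac_table[frame.dst]
            return [] if out == in_port else [out]
        return sorted(p for p in self.ports if p != in_port)


def run_demo():
    """Constructed scenario: host A on port 1, host B on port 2, the gateway G
    on port 3, and a port 4 that only permits the MAC 'd'."""
    a, b, g, d = ("00:00:00:00:00:aa", "00:00:00:00:00:bb",
                  "00:00:00:00:00:cc", "00:00:00:00:00:dd")
    hub = Hub([1, 2, 3, 4])
    sw = ManagedSwitch([1, 2, 3, 4], allowed={4: {d}})
    result = {}
    # Hub: A's frame to the gateway is visible on every other port.
    result["hub"] = hub.forward(1, Frame(a, g))
    # Switch, before it knows where G is: flooded just like the hub.
    result["sw_unknown"] = sw.forward(1, Frame(a, g))
    # G replies; the switch now knows both A (port 1) and G (port 3).
    result["sw_reply"] = sw.forward(3, Frame(g, a))
    # A's next frame to G reaches port 3 only; port 4 sees nothing.
    result["sw_known"] = sw.forward(1, Frame(a, g))
    # A frame with an unpermitted source MAC on port 4 is dropped.
    result["sw_rogue"] = sw.forward(4, Frame("00:00:00:00:00:ee", g))
    # Broadcast from B still goes everywhere except its own port.
    result["sw_bcast"] = sw.forward(2, Frame(b, BROADCAST))
    result["stats"] = {p: dict(c) for p, c in sw.stats.items()}
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The per-port counters are what let an administrator spot the "specific user who may be using excessive resources" mentioned in the text, and the `dropped` counter on port 4 is the kind of evidence that a MAC access control violation occurred on that port.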

The downside to switches, especially managed switches, is that they are significantly more expensive than hubs. A 24-port 10/100 hub will run you about $200, a 24-port 10/100 unmanaged switch will cost you around $700, and a 24-port 10/100 managed switch will cost you more than $1000. [1]

[1] Often a lot more.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Author: Allan Liska