This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Security for Switches

JCDavid
Iron II
Iron II

‎06-17-2022 01:11 PM - edited ‎06-17-2022 01:12 PM

Hi all. Beyond port security configurations... I always thought it was important to update firmwares and (now) would enable MFA to access switches. I also improved physical security so that random people couldn't walk up and plug into ports.

What do you do?

Labels:
0 Kudos
5 REPLIES 5

DHAnderson
Novitiate II

‎10-25-2022 07:01 PM

I use and sell Meraki equipment, and disable the local management.  Then I use 2FA on the Meraki site.  There is zero attack footprint on the local LAN.  Firmware updating is a breeze and can be across an entire network, or staged across multiple switches.  It does not matter where the switches are or where you are!  If for some reason a firmware update breaks the switch, the switch will reboot into the old firmware by itself.  

If you wonder about Meraki's commitment to security, check out:

https://meraki.cisco.com/trust/

JCDavid
Iron II
Iron II
In response to DHAnderson

‎11-09-2022 01:18 PM

Interesting... I'd thought about using its products but went with Juniper for the new core switch. The rest were mid-level Ciscos.

0 Kudos

steven
Rising Star III

‎11-11-2022 02:06 PM

We just revamped our internal network structure to be more secure by default. We have keystones around the office,  we don't want them open for guests to use, so we're going to be disabling the associated switch port. I'll be intrigued to see what our staffs reaction is. Very very few use a hard wired connection anymore, and we've identified them so they'll remain online but you never know.

We've also rebuilt our VLANs so that we have an "IoT" network that is specific to anything that has potential vulnerabilities (looking at you printers & chromecasts). This is also the only network allowed to talk between our corporate network and our guest network, and even then only certain types of traffic are allowed.

We took the default network and put firewall rules in place so that it can't access the WAN nor can it talk to any of the other VLANs. This way if we mess up and leave a port open, it won't be able to actually do anything without our IT staff knowing about it.

As for local threat points, only our Jr. SysAdmin and myself can access any of the local management ports & interfaces. We have it filtered by MAC address and you have to be connected to a specific port (Jr. SysAdmin and myself have switches at our desk for ease of troubleshooting).

0 Kudos

JCDavid
Iron II
Iron II
In response to steven

‎11-11-2022 02:09 PM

very nice... love the emphasis on LAN port security. too often overlooked.

0 Kudos

steven
Rising Star III
In response to JCDavid

‎11-11-2022 02:31 PM

Honestly I didn't even think about it, but our Jr. SysAdmin focused on networking while in college, so he had some great ideas and a lot of knowledge about the inner working of it. I don't like networking, so he's been a great asset.

0 Kudos
You Might Like

New to the site? Take a look at these additional resources:

Community created scripts

Keep up with Product News

Read our community guidelines

Ready to join us? You can register here.