Cisco makes desktop switches more secure

Network administrators will be able to put up more safeguards against attackers from inside an enterprise with a series of enhancements to Cisco Systems Inc. desktop switches.

The company said it will add software features for switches in its Catalyst 3550 Series and 2950 Series that let administrators secure their network management traffic, control access to company resources and require user names and passwords from employees logging in to the network.

The moves are part of an overall Cisco strategy to provide security throughout the network, using both dedicated security appliances and security capabilities that are built into other equipment. The security functions now offered for the desktop switches, which are the boxes where end users connect to the LAN, are part of a blueprint for security that reaches from the edge of the LAN into the service-provider network.

For some of the switches, Cisco will offer SSH (Secure Shell) and SNMP (Simple Network Management Protocol) Version 3 for encrypting network management traffic, as well as port-based ACLs (Access Control Lists) that run at wire speed -- that is, without degrading performance -- to keep users away from resources they shouldn't use. In addition, it is extending the IEEE 802.1x standard for user authentication to Catalyst 2950 Series switches with Standard Software Image.

Cisco also will add DHCP (Dynamic Host Configuration Protocol) Interface Tracker to the 3550 Series. It provides an easier mechanism for tracking down a DHCP user who may be connecting from an unauthorized location. "Although you may have been able to do something similar before, it actually makes it doable from an administrator's standpoint," said Ishmael Limkakeng, product line manager for Cisco's desktop switching business unit.

Cisco also enhanced its Cisco Secure URT (User Registration Tool) software, allowing users to sign on to the network securely with a Web browser, and added support for LDAP (Lightweight Directory Access Protocol) authentication. URT can also work with RADIUS (Remote Authentication Dial-In User Service) authentication on the Cisco Secure Access Control Server. Available previously on the 3550 Series switches, URT has been added to the 2950 line.

SSH encryption and wire-speed ACLs both have brought big benefits to Webster University, an international liberal arts university based in St. Louis, which has beta tested the new capabilities. About 200 of the approximately 2,000 users at Webster's St. Louis campus are connected to 3550 Series switches and that platform will be the primary replacement for most of its older switches as they are phased out in the future.

In the past, management data could be encrypted in the core of Webster's network but not at the switch closest to the desktop, said Benjamin Hockenhull, WAN (wide-area network) coordinator at the private university. "It made things a lot less secure in terms of passwords crossing the network in plain text," Hockenhull said. Being able to set up protection mechanisms at several points on the network brings more depth to security provisions, he added.

Likewise, public systems such as e-mail stations need to be walled off from sensitive resources on the network, Hockenhull said. The wire-speed ACL function lets Webster protect those resources without constraining the network's performance. However, deploying IEEE 802.1x is not an overnight job, he added. Because most client operating systems don't have support for the protocol built in, implementing it would require a time-consuming rollout of software to many machines, Hockenhull said. Microsoft Corp. Windows XP does include 802.1x support, he added.
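As an added illustration (not from the article, and not Cisco's own documentation), the following Cisco IOS configuration fragment puts the features discussed above together on one desktop switch: SSH-only management so passwords no longer cross the LAN in plain text, SNMPv3 with authentication and privacy, a port ACL that keeps a public e-mail station away from a server subnet, 802.1x on a staff port, and DHCP snooping with the option-82 port information that the interface tracker relies on. Hostnames, addresses, VLAN numbers and credentials are constructed placeholders, and the syntax assumes a reasonably current IOS image (older 3550/2950 images differ in details such as the privacy-cipher keyword).

```cisco
! Constructed example; names, addresses and keys are placeholders.
hostname sw-closet1
ip domain-name example.com
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! Management: SSH only, no Telnet, so credentials never cross the LAN in plain text
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
!
! SNMPv3 with authentication and privacy (authPriv); no community strings
snmp-server group NETMGMT v3 priv
snmp-server user netops NETMGMT v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE
!
! 802.1x: user ports require credentials that are checked against RADIUS
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.10 key RADIUS-SHARED-SECRET
dot1x system-auth-control
!
! DHCP snooping with option 82 records which switch port a DHCP client sits behind
ip dhcp snooping
ip dhcp snooping vlan 20
ip dhcp snooping information option
!
! Port ACL: public e-mail kiosk may reach the mail server but nothing else on the server subnet
ip access-list extended KIOSK-IN
 permit tcp any host 10.0.10.25 eq 25
 permit tcp any host 10.0.10.25 eq 110
 permit udp any any eq bootps
 deny   ip any 10.0.10.0 0.0.0.255
 permit ip any any
!
interface FastEthernet0/5
 description public e-mail station
 switchport mode access
 switchport access vlan 20
 ip access-group KIOSK-IN in
!
interface FastEthernet0/6
 description staff desktop, 802.1x required
 switchport mode access
 dot1x port-control auto
!
interface GigabitEthernet0/1
 description uplink to core; DHCP server replies arrive here
 ip dhcp snooping trust
```

The ACL is evaluated top down, so the two permits for the mail host must precede the deny for its subnet; on these platforms port ACLs apply only in the inbound direction on Layer 2 ports.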

In addition to introducing the new security software, Cisco Tuesday unveiled the Catalyst 3550-24-FX-SMI, equipped with 24 100Base-FX ports that carry Fast Ethernet traffic via multimode fiber instead of copper. Fiber cannot be tapped by snoopers as copper can, and some service providers need the longer reach provided by fiber, Limkakeng said. The switch is also equipped with two slots for fiber or copper Gigabit Ethernet interfaces.

The San Jose, California-based company also introduced a copper-based 1000Base-T GBIC (gigabit interface converter) for the Catalyst 3550 and 2950 switch lines as well as the older Catalyst 3500XL and 2900XL lines, and Catalyst 4000 and 6500 series switches. The 3550-24-FX is available now for US$5,495, and the GBIC for $395.

SSH and SNMP version 3 capability will be available in the third quarter of this year for 3550 Series switches and for 2950 Series switches with Enhanced Software Image. DHCP Interface Tracker is available now for 3550 Series switches. Wire-speed port-based ACLs are available immediately on the 3550 Series switches. All the new software features are free downloads for existing customers.
