About this Guide

One of the guiding principles of good network design is security. A network must be secure against data theft and against denial of service. This guide focuses on security within a LAN—protection against 'the enemy within'.

The material covered in this 170-page guide is a mixture of practical advice on secure configuration of network devices and explanations of the protocols and technologies that are employed in LAN security. The three prime aspects of LAN security are:

  1. Ensuring networking equipment is able to block attacks aimed at compromising or disabling it.
  2. Ensuring networking equipment is able to combat attacks that exploit weaknesses in LAN protocols. These are attacks that are not aimed at compromising the networking devices themselves, but rather are attacks that disrupt data flow in the network or use tricks to give users access to sectors of the network that they should not be able to access.
  3. Preventing unauthorized users from getting any access to the network.

The subjects discussed in this guide each relate to one or more of these activities.

Below is an outline of what is covered in the chapters:

  • Configuring switches in a way that enables them to protect themselves against attacks directed at them. We discuss how to combat well-known LAN-based attacks such as root bridge spoofing, MAC flooding, DoS, and VLAN hopping attacks.
  • We take a look at various aspects of user authentication, including the use of AAA, private/public keys, and X.509 certificates.
  • We describe the two most popular protocols that underlie the user authentication and user activity monitoring process—RADIUS and TACACS+.
  • We then discuss the three LAN user authentication mechanisms used in AlliedWare Plus™: 802.1x, Web authentication, and MAC authentication.
  • The final chapter focuses on DHCP snooping.