
Network Security

Follow these guidelines to maximize your network security:
  1. Most switches allow you to define virtual local area networks (VLANs). If you use your switch to define VLANs, separate sensitive clusters of systems from the rest of the network. This reduces the likelihood that users elsewhere on the network will gain access to information on these clients and servers.
  2. Manage switches out-of-band (separated from data traffic). If out-of-band management is not feasible, then dedicate a separate VLAN number for in-band management.
  3. Keep InfiniBand hosts secure. An InfiniBand fabric is only as secure as its least secure InfiniBand host.
  4. Note that partitioning does not protect an InfiniBand fabric. Partitioning only isolates InfiniBand traffic between virtual machines on a host.
  5. Maintain a switch configuration file offline and limit access to authorized administrators. The configuration file should contain descriptive comments for each setting.
  6. Use static VLAN configuration, when possible.
  7. Disable unused switch ports and assign them an unused VLAN number.
  8. Assign a unique native VLAN number to trunk ports.
  9. Limit the VLANs that can be transported over a trunk to only those that are strictly required.
  10. Disable VLAN Trunking Protocol (VTP), if possible. Otherwise, set the following for VTP: management domain, password and pruning. Then set VTP to transparent mode.
  11. Disable unnecessary network services, such as TCP small servers or HTTP. Enable necessary network services and configure these services securely.
  12. Different switches offer different port security features. Use these port security features if they are available on your switch:
    MAC Locking: This ties the Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If you lock a switch port to a particular MAC address, even superusers cannot create backdoors into your network by attaching rogue access points to that port.

    MAC Lockout: This prevents a specified MAC address from connecting to a switch.

    MAC Learning: Use what the switch learns about each port’s directly connected devices so that it can apply security settings based on the current connections.
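The VLAN and port guidelines above (items 7 to 12) can be turned into an automated configuration audit. The following Python script is an added example, not part of this page or any vendor's tooling; it assumes an IOS-style configuration syntax, treats VLAN 1 as the default native VLAN of a trunk, and runs against a constructed sample config.

```python
# Constructed sample (IOS-like syntax assumed): weak trunk, hardened access port,
SAMPLE_CONFIG = """\
vtp mode transparent
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan all
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
interface GigabitEthernet1/0/3
 switchport mode access
interface GigabitEthernet1/0/4
 shutdown
"""

def parse_interfaces(config):
    """Map each 'interface' block name to its indented configuration lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def audit(config, unused_vlan="999"):
    """Return (scope, finding) tuples; an empty list means the config passes."""
    found = []
    top = [ln for ln in config.splitlines() if not ln.startswith((" ", "interface "))]
    if "vtp mode transparent" not in top:
        found.append(("global", "VTP not in transparent mode (guideline 10)"))
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            if f"switchport access vlan {unused_vlan}" not in lines:
                found.append((name, "disabled port not in unused VLAN (guideline 7)"))
        elif "switchport mode trunk" in lines:
            # Assumption: a trunk with no explicit native VLAN uses the default, VLAN 1.
            native = [ln.split()[-1] for ln in lines if ln.startswith("switchport trunk native vlan")]
            if not native or native[0] == "1":
                found.append((name, "trunk uses native VLAN 1 (guideline 8)"))
            allowed = [ln for ln in lines if ln.startswith("switchport trunk allowed vlan")]
            if not allowed or allowed[0].endswith(" all"):
                found.append((name, "trunk carries all VLANs (guideline 9)"))
        elif "switchport port-security" not in lines:
            found.append((name, "access port without port security (guideline 12)"))
    return found
```

Running `audit(SAMPLE_CONFIG)` reports the unrestricted trunk twice, the bare access port and the disabled port that was not parked in the unused VLAN.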