May I Have Some Security with My Switching?

Over the past decade, we have witnessed a transition within security. From a product standpoint, we have started to depart from the dichotomy of IT centric versus security focused products. This divergence can be witnessed in network switches. In the past, security was focused on the perimeter with little attention given to the internal network. Behold the security in a box product, the firewall. A few years ago, a router/switch was purely dedicated to performance and moving packets from one location to another. Now we have seen these products incorporate features such as Dynamic ARP Inspection (DAI), dot1x for port authentication, DHCP Snooping, and much more. Lately Cisco has been focusing on this transition.

Over the past few years, Cisco has become a heavy hitter in the data center arena. They have recently developed the Nexus series of switches. These switches in many ways are a Network and Security Administrator’s dream switch. Cisco has incorporated the line of thinking that all network based devices should start incorporating security features; and that we need to move away from relying on a single network security device to keep us secure. While offering unparalleled switching performance, the Nexus series of switches have utilized innovative technology. Imagine having a switch that can provide up to 15 terabits of switching performance, while allowing isolation of network traffic. While virtualization among network devices is not new to Cisco--the ASAs and IPS incorporate it--the degree to which they have implemented the technology in their switches has improved. Through the Nexus line of switches Cisco has introduced the Virtual Device Context (VDC). Virtual Device Context allows traffic to be isolated from other contexts. In security parlance, this is ideal. Virtual Device Context ensures that traffic from one virtual context remains hidden from others, which is perfect in situations of sensitive information being transmitted over a shared physical architecture. It accomplishes this through virtualization of the control plane, data plane, management plane, software partitioning, and hardware components. In recent lab tests performed by NSS Labs, the Nexus switch passed a series of attacks
in an effort to gain access to data in other VDCs by attempting the following attacks: MAC flooding, duplicate VLANs, MAC address spoofing, ARP spoofing, and many more. When configured per Cisco best practices, these switches effectively operated as physically separate devices.

The next time you decide to make a sizeable purchase of network hardware, make sure you take network security into consideration. Quite often companies purchase hardware and software that have security features built in, but rarely use them. You have paid for these features and it is to your advantage to use them in order to maximize your investment. To that note, always research the product you are considering purchasing. The last thing any company wants is to spend hundreds of thousands of dollars or more investing in equipment only to find out that it does not support the features that they want. So next time ask the vendor: “What security features do you support and what documentation do you have around implementation?” Remember, you do not have to choose between performance and security.

By Jason Suplita, Senior Risk Management Consultant