ProSafe SmartSwitch Security Settings
NETGEAR Security Features
DHCP Filtering is a very basic technique for protection against a rogue DHCP server that snoops traffic for passwords or mounts a man-in-the-middle attack. By configuring each port as either trusted or untrusted, only the authorized DHCP server, on a trusted port, is allowed to forward DHCP responses; any DHCP responses arriving on untrusted ports are discarded.
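To make the trusted/untrusted port rule concrete, here is an added example (not NETGEAR's code, and not taken from the GS110T manual) that models the filter in Python. It parses a minimal DHCP payload far enough to read the op field (BOOTREQUEST from clients, BOOTREPLY from servers) and the DHCP message type in option 53, then discards any server reply that arrives on a port not marked trusted. The port names and the sample payloads are constructed for the illustration.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"       # marks the start of the DHCP options area
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op: int, msg_type: int) -> bytes:
    """Construct a minimal DHCP payload: 236-byte fixed header, cookie, option 53, end.
    Sample data for the example only."""
    header = struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 232
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(payload: bytes):
    """Return (op, message_type); raise ValueError on anything that is not well-formed DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    op = payload[0]
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    return op, msg_type


class DhcpFilteringSwitch:
    """Model of a switch with DHCP filtering: server replies only from trusted ports."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.dropped = []  # (port, reason) records, e.g. for an event log

    def ingress(self, port: str, payload: bytes) -> bool:
        """Return True if the frame is forwarded, False if it is discarded."""
        try:
            op, msg_type = parse_dhcp(payload)
        except ValueError:
            self.dropped.append((port, "malformed"))
            return False
        # Client requests may enter on any port; replies are legitimate only from
        # the port(s) where the authorized DHCP server is connected.
        if op == BOOTREPLY and port not in self.trusted:
            self.dropped.append((port, MSG_NAMES.get(msg_type, str(msg_type))))
            return False
        return True


if __name__ == "__main__":
    sw = DhcpFilteringSwitch(trusted_ports={"g1"})   # assume the real server is on g1
    print(sw.ingress("g5", build_dhcp(BOOTREQUEST, 1)))  # client DISCOVER: forwarded
    print(sw.ingress("g1", build_dhcp(BOOTREPLY, 2)))    # OFFER from trusted port: forwarded
    print(sw.ingress("g5", build_dhcp(BOOTREPLY, 2)))    # OFFER from access port: dropped
    print(sw.dropped)
```

The `dropped` list is the part worth wiring to a log in practice: a server reply discarded on an access port is exactly the signal that someone has plugged in a rogue DHCP server.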
Access Control Lists are a popular way of granting access only to known users, which is prudent whether the network is wired or wireless. The GS110T can perform this function using either the MAC address of the known user, or their IP address. There are separate sections of the menu for setting each of these up manually, and there is also an ACL Wizard to simplify configuration.
Port Authentication is another powerful technique for keeping unknown, unauthorized, and unwanted users off the network. The GS110T, as well as all the other switches in the NETGEAR ProSafe product line, uses the 802.1X protocol in tandem with a RADIUS server to perform third-party authentication for every device that tries to access the network. There are nearly a dozen different settings that can be applied in this mode, in order to make access control as tight or as loose as you want it. For instance, a “Guest VLAN” can be set up on the authentication server, which restricts access to other resources on the network. You can make certain resources available on the guest VLAN, such as printers, while segregating all the other devices onto another VLAN. One nice feature is a summary page that you can view without going into the configuration screen. This makes it easier to see how the switch is configured, without worrying about accidentally making an unwanted change.
Traffic control comes in a couple of different forms. MAC filtering, dynamic or static port locking, and Storm Control all work in slightly different ways to keep unwanted traffic off your network. MAC filtering links MAC addresses to VLAN IDs and looks for a match against the relationship entered in the filter table. Port locking has a convenient dynamic mode: one or more devices can be connected to a port, which then learns each device's MAC address and stores it as “allowed”. You control how many devices can go through this process on each port, from zero to 600. A value of zero effectively disables the dynamic capability, and you have to manually enter the MAC address of the device you want to allow access to that particular port. However, once the port has been configured in dynamic mode, you can then convert the port to static mode and keep the addresses that were loaded dynamically.
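The following added Python model (illustration only, not NETGEAR's implementation) shows the port-locking behaviour just described: a per-port limit between 0 and 600 on dynamically learned MAC addresses, a limit of zero that forces manual static entries, and a conversion from dynamic to static mode that retains the learned addresses. The MAC addresses used are constructed sample values.

```python
class PortLock:
    """One switch port with dynamic/static MAC locking."""

    MAX_DYNAMIC = 600  # the configurable per-port range is 0..600

    def __init__(self, max_dynamic: int):
        if not 0 <= max_dynamic <= self.MAX_DYNAMIC:
            raise ValueError("dynamic limit must be between 0 and 600")
        self.max_dynamic = max_dynamic
        self.mode = "dynamic"
        self.dynamic = []      # learned MACs, in order of first appearance
        self.static = set()    # manually entered (or converted) MACs
        self.violations = []   # MACs that were refused; useful as an alert source

    def add_static(self, mac: str) -> None:
        """Manually allow a MAC on this port (the only option when the limit is 0)."""
        self.static.add(mac.lower())

    def convert_to_static(self) -> None:
        """Freeze the port: keep every dynamically learned MAC, stop learning new ones."""
        self.static.update(self.dynamic)
        self.dynamic = []
        self.mode = "static"

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is accepted on this port."""
        mac = src_mac.lower()
        if mac in self.static or mac in self.dynamic:
            return True
        if self.mode == "dynamic" and len(self.dynamic) < self.max_dynamic:
            self.dynamic.append(mac)   # learn the new device up to the limit
            return True
        self.violations.append(mac)
        return False


if __name__ == "__main__":
    port = PortLock(max_dynamic=2)
    for mac in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"):
        print(mac, port.ingress(mac))      # third device is refused
    port.convert_to_static()
    print(port.mode, sorted(port.static))  # learned addresses survive the conversion
```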
Storm control prevents a large number of broadcast messages from being transmitted to all other ports simultaneously. It blocks the messages coming into the port that is being monitored for this kind of activity. Think of it like a spam filter that stops the unwanted message at the source, before it gets sent to everyone else on your network.
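As an added illustration of the "stop it at the source" idea (my own Python model, not the switch's firmware), the block below rate-limits broadcast frames per ingress port over a sliding one-second window. Frames beyond the configured budget are dropped on the port they arrive on, so the other ports never see the storm; unicast traffic on the same port is untouched. The port names, timestamps and threshold are constructed for the example.

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"


class StormControl:
    """Per-port broadcast rate limiter using a sliding time window."""

    def __init__(self, max_broadcasts_per_window: int, window_seconds: float = 1.0):
        self.limit = max_broadcasts_per_window
        self.window = window_seconds
        self.history = {}   # port -> deque of timestamps of forwarded broadcasts
        self.dropped = {}   # port -> count of suppressed broadcasts

    def ingress(self, port: str, dst_mac: str, now: float) -> bool:
        """Return True to forward the frame, False to discard it at the ingress port."""
        if dst_mac.lower() != BROADCAST:
            return True   # this model limits broadcasts only
        q = self.history.setdefault(port, deque())
        while q and now - q[0] >= self.window:
            q.popleft()   # forget broadcasts that fell out of the window
        if len(q) >= self.limit:
            self.dropped[port] = self.dropped.get(port, 0) + 1
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    sc = StormControl(max_broadcasts_per_window=3)
    # A burst of five broadcasts within 0.5 s on port g2: only the first three pass.
    for t in (0.0, 0.1, 0.2, 0.3, 0.4):
        print(t, sc.ingress("g2", BROADCAST, t))
    print(sc.dropped)   # {'g2': 2}
```

A per-port drop counter like `dropped` is what you would watch in monitoring: a port that keeps hitting its broadcast budget is either a looped cable or a host that needs a look.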
There are a number of additional security features available on the GS110T, such as setting up HTTPS access, TACACS+ control, etc. I covered most of the security features above, but only in a cursory way. There’s a 240-page software manual that explains things in a lot more detail than I can convey here. It should be very clear by now that smart switches like the NETGEAR ProSafe line offer the opportunity for a substantial security upgrade for your network.