Security on WS3560

Unanswered Question
May 21st, 2008

Hi,

this is probably going to sound really dumb but I still want to throw this out there JUST in case there's some way to improve security on the switches. It's actually more about security and better attack deflection on the switches than security of the switches themselves.


I have two 3560s at the headend of the network with routing turned on, and static routes to the upstream provider. behind it runs a VoIP network and a data network (web/ftp etc). In the headend switches, VLANs have been configured along with access-lists such that traffic coming into/out of the SIP ports and media ports is tagged with appropriate COS etc. and sent to the switchports where the SBCs are physically connected to the switches. I'm taking the chance/trusting that the built-in NAT/Firewall of the SBC (software modules provided by the SBC vendor) will do whatever it can to defend itself. The data traffic is being gated by the ASA5520s (Without AIP or CSC SSM). I have tight access rules on the ASA5520 which is protecting the internal network but it's getting hammered with all sorts of attacks incl. ICMP floods, Multi-port attacks, UDP bombs and such. This obv has side-effects like excess data usage (my ISP gives us unshaped GigE tails but data is charged) and not to mention, since it's all coming through on the same WAN pipe there's danger for it to mangle the VoIP traffic causing occasional bad quality.


So the question is, what can I do on the switches and on the firewall with what I have, to reduce this and make my network more efficient.


The reason I said it may be a dumb question is because ideally I'd like to block out traffic from known offenders but I can't prevent someone from attacking my network. Defending against it means it still hits my Firewall (as my ISP will simply fwd traffic bound for my IP-block to my routers/switches, which at the moment have no rules to prevent the traffic coming in so they pass it on to the SBCs or the ASAs depending on what IP is being attacked) and so from the ISP's perspective, that traffic still counts towards my data usage which has soared to double in the past 6 mths and I know we're not doing that much business (as then I'd have the money to buy firewall/IPS services from my ISP to filter attacks at the door and only fwd clean traffic to us PLUS be able to purchase AIP & CSC)


I'll leave this at that till I have questions come in for specific clarifications or just suggestions would also help :)


Thanks all,

\R

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ranjtech74 Thu, 05/22/2008 - 12:49

Hmm no responses. Is there any more information I can provide? Does anyone have any questions that I can answer to clarify what I need to accomplish or is it a dumb question? HELP? :)

Actions

This Discussion