Rob Huffman Wed, 07/02/2008 - 16:02

Hi Seth,

Yes, this is a fully supported model :)

Port Security

Whereas Cisco firewall solutions provide access control for external users, port security provides access control for internal users. A built-in feature on Cisco routers and switches, port security limits the services that network users can access based on the physical port to which they connect, and helps protect the voice system in the following ways:

• Preventing toll fraud - The most basic step in preventing toll fraud is denying network access to unauthorized users. Port security enables organizations to restrict access to the voice network to particular ports. For example, a company might disallow access to the voice system from ports in locations where employees ordinarily do not use phones, such as custodial areas or the manufacturing floor. Another way that port security controls access is by directing a user into the appropriate VLAN based on the user's voice privileges. An unknown user, for example, might be directed to a guest VLAN with no or limited voice privileges, and also be subject to ACLs that prevent access to the voice system. A known user, in contrast, would be directed to the voice VLAN for that user's department.

• Preventing DoS attacks - The port does not turn on until it receives confirmation that both the user and device are trusted. This helps prevent an untrusted user from connecting to the network from a private location in the company, such as a basement or custodial closet, and launching a DoS attack. To protect against DoS attacks launched by employees' computers and laptops without their knowledge, companies can combine port security with Network Admission Control (NAC) to verify that the PC or laptop is protected with the latest versions of antivirus software and Cisco Security Agent.

• Preventing impersonation, spoofing, or eavesdropping - Port security can be used to limit the number of MAC addresses authorized to access the network through a given port. This eliminates the potential for someone to, for example, disconnect a legitimate IP phone, connect in its place a hub with two or more ports, and then connect an unauthorized IP phone or PC softphone to one of the hub ports to impersonate another user. The port rejects all MAC addresses other than the single known MAC address.

From this good doc:

http://www.cisco.com/en/US/solutions/collateral/ns339/ns639/ns641/net_implementation_white_paper0900aecd80460724.html

Hope this helps!

Rob
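An added configuration example, not part of Rob's reply or of the Cisco white paper he quotes, showing how the per-port MAC-address limit and the data/voice VLAN separation described above are expressed on a Catalyst IOS access port. The interface name, VLAN numbers, limits and timers are constructed for illustration; adjust them to the site.

```ios
! Constructed example: one IP phone with a PC daisy-chained behind it.
interface FastEthernet0/1
 description User desk - IP phone + PC (example values)
 switchport mode access
 switchport access vlan 10          ! data VLAN for the PC
 switchport voice vlan 110          ! separate voice VLAN for the phone
 switchport port-security
 ! Total MACs allowed on the port: phone on the voice VLAN plus the PC
 ! (and a phone's own data-VLAN MAC, which some models also present).
 switchport port-security maximum 3
 switchport port-security maximum 1 vlan voice
 switchport port-security maximum 2 vlan access
 ! Learn the first MACs seen and keep them in the running config so a
 ! swapped-in hub or rogue device does not get a fresh slot.
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count them and raise an SNMP trap,
 ! rather than err-disabling the port and taking the phone down with it.
 switchport port-security violation restrict
 ! Age out inactive secure MACs so a legitimately moved PC recovers.
 switchport port-security aging time 120
 switchport port-security aging type inactivity
 spanning-tree portfast
!
! Global settings: alert on violations and, where shutdown is used on
! other ports, recover them automatically after a cooling-off period.
snmp-server enable traps port-security
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify the learned addresses and the violation counter with `show port-security interface FastEthernet0/1` and `show port-security address`; a rising SecurityViolation count on a desk port is the signal the white paper's third bullet is about.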