
Author Topic: Network Security in SPB  (Read 739 times)


bibi75 (Rookie, Posts: 4)
Network Security in SPB
« on: August 03, 2016, 04:22:07 AM »
Hello,
I'm currently working on my dissertation, and I chose to deal with Shortest Path Bridging. For my last part, I want to add a topic on security in my SPB fabric.

Let's take a simple example:
Someone, no matter how, could learn our SPB configuration, and now he wants to add his own switch to the fabric. Do we have a mechanism to prevent that type of attack?

Anyway, I want to (try to) prevent any type of attack in my network fabric. Do you have any solution in Avaya switches to do so?
Do you have any advice on that part for my dissertation?

PS: I already know about MACsec for encrypting point-to-point links on interfaces.


Blair (Rookie, Posts: 5)
Re: Network Security in SPB
« Reply #1 on: August 03, 2016, 04:42:35 AM »
There's a feature called IS-IS hello authentication that you can enable on your IS-IS NNI interfaces.
This will prevent an adjacency being formed unless the keys match on both ends.
It's sensible to use MACsec also, presuming this doesn't introduce issues for your environment (frame size overhead, some ports do not support it, etc.).

Note that the implementation of this had an issue in 4.2.1.0 and 4.2.1.1, so you need to make sure both ends are matched on fixed or non-fixed versions or they won't negotiate properly.

Dominik (Global Moderator, Hero Member, Posts: 1564, Networkautobahn)
Re: Network Security in SPB
« Reply #2 on: August 03, 2016, 04:52:28 AM »
Besides the already mentioned features like MACsec and IS-IS hello authentication,
the main line of defence is to hide your SPB from the attacker so that he is not aware that there is an
SPB fabric; this concept is called "stealth networking".

If you configure IS-IS only on the interfaces that are connected to another IS-IS NNI link, you minimise the attack surface significantly.

If you hide the fact that you have an IS-IS / SPB fabric from all the access ports, then it is hard for an attacker
to start a targeted attack against your infrastructure.

Cheers


It's always the network's fault!
networkautobahn.com
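The two recommendations in this thread (Blair's: every IS-IS NNI interface must have hello authentication; Dominik's: IS-IS must be enabled only on NNI interfaces, never on access ports) can be checked mechanically against a switch configuration. The script below is an added example written for this thread, not code from any of the posters or from Avaya; the config text and its `interface` / `isis enable` / `isis hello-auth-type` syntax are constructed for illustration and the set of intended NNI ports is assumed to come from the fabric design.

```python
"""Audit a (constructed) switch config for SPB fabric hygiene."""
from dataclasses import dataclass

# Constructed sample config: two NNI ports, two access ports.
# Port 1/2 forgets hello authentication; port 1/3 leaks IS-IS to an access port.
CONFIG = """
interface GigabitEthernet 1/1
 isis spbm 1
 isis hello-auth-type hmac-md5 key EXAMPLE-KEY
 isis enable
exit
interface GigabitEthernet 1/2
 isis spbm 1
 isis enable
exit
interface GigabitEthernet 1/3
 isis spbm 1
 isis enable
exit
interface GigabitEthernet 1/4
 description user access port
exit
"""
NNI_PORTS = {"GigabitEthernet 1/1", "GigabitEthernet 1/2"}  # assumed design intent

@dataclass
class Iface:
    name: str
    isis_enabled: bool = False
    hello_auth: bool = False

def parse_config(text: str) -> dict:
    """Return {interface name: Iface} from the simplified config syntax."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = Iface(line.split(" ", 1)[1])
            ifaces[cur.name] = cur
        elif line == "exit":
            cur = None
        elif cur is not None and line == "isis enable":
            cur.isis_enabled = True
        elif cur is not None and line.startswith("isis hello-auth-type "):
            cur.hello_auth = True
    return ifaces

def audit(ifaces: dict, nni_ports: set) -> list:
    """Findings as (interface, problem) tuples, sorted by interface name."""
    findings = []
    for name, i in sorted(ifaces.items()):
        if name in nni_ports and i.isis_enabled and not i.hello_auth:
            findings.append((name, "IS-IS NNI without hello authentication"))
        elif name not in nni_ports and i.isis_enabled:
            findings.append((name, "IS-IS enabled on non-NNI port (breaks stealth)"))
    return findings

if __name__ == "__main__":
    for iface, problem in audit(parse_config(CONFIG), NNI_PORTS):
        print(f"{iface}: {problem}")
```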