Security Solutions

2-26
Customer Needs Assessment
Evaluate the Existing Network Environment
If you plan to implement endpoint integrity, you should also determine whether the
switch supports port mirroring, which may be necessary to allow NAC 800s
to detect endpoints. (Depending on the switch, this feature might be called
port monitoring, local traffic mirroring, or port spanning.) Do any of the
switches support remote traffic mirroring, which allows one switch to mirror
traffic to another switch? The ProCurve 3500yl, 5400zl, 6200yl, and 8200zl
Switches all support this capability, which gives you some additional
flexibility if you are using the 802.1X deployment method for the NAC 800.
As you begin to record information about the switches, you should identify
the switch vendor, model number, and firmware version. For easy reference,
you can record each switch’s capabilities in a table such as Table 2-3. The table
provides two examples and then some space for you to record information
about your company’s switches.
Table 2-3. Recording Information about Network Switches

Switch Vendor and Model Number | Firmware Version | Location               | Authentication Methods Supported            | Port Mirroring/Monitoring/Spanning
5400zl Switch                  | K.12.14          | North building, area 1 | 802.1X, local and RADIUS MAC-Auth, Web-Auth | Remote intelligent mirroring
5300xl                         | E.10.61          | North building, area 2 | 802.1X, local and RADIUS MAC-Auth, Web-Auth | Port mirroring
(remaining rows: space for your company's switches)

You should also record information about your company’s APs. For example,
do the APs on your network support the strongest security for wireless
networks—802.1X with Wi-Fi Protected Access (WPA/WPA2)?

Do your switches and APs include an 802.1X supplicant, which allows them
to authenticate to the network? This capability helps prevent hackers or even
well-meaning employees from attaching a rogue AP to the network. (See
Figure 2-3.)
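A small inventory helper, added here as an example and not part of the NAC 800 guide, that fills in the Table 2-3 columns from switch sysDescr strings. Collecting sysDescr (for instance over SNMP) is not something the guide prescribes and is left out so the script runs offline; the sysDescr layout, product numbers and inventory entries below are constructed assumptions, while the list of series with remote traffic mirroring is the one the page gives. Anything that does not parse is flagged for manual entry rather than guessed.

```python
import csv
import io
import re

# Switch series the page names as supporting remote traffic mirroring
# (mirroring traffic from one switch to another).
REMOTE_MIRROR_SERIES = frozenset({"3500yl", "5400zl", "6200yl", "8200zl"})

# Assumed sysDescr layout for ProCurve switches, e.g.
# "ProCurve J8697A Switch 5406zl, revision K.12.14, ROM K.12.12".
# Other platforms or firmware generations may format sysDescr differently,
# so a non-match is reported for manual entry rather than guessed.
_MODEL_RE = re.compile(r"\b(?P<num>\d{4})(?P<suffix>xl|yl|zl)(?:-[\w-]+)?\b")
_FIRMWARE_RE = re.compile(r"\brevision\s+(?P<fw>[A-Z]{1,2}\.\d{2}\.\d{2,3})\b")


def parse_sysdescr(sysdescr):
    """Split a sysDescr string into the vendor/model/firmware fields Table 2-3 asks for.

    Returns a dict with vendor, model, series, firmware and a remote-mirroring
    flag, or None when the string is not in the assumed ProCurve layout.
    """
    model = _MODEL_RE.search(sysdescr)
    firmware = _FIRMWARE_RE.search(sysdescr)
    if not (model and firmware):
        return None
    # 5406zl and 5412zl are members of the 5400zl series: derive the series
    # from the first two digits plus the letter suffix.
    series = model.group("num")[:2] + "00" + model.group("suffix")
    return {
        "vendor": sysdescr.split()[0],
        "model": model.group(0),
        "series": series,
        "firmware": firmware.group("fw"),
        "remote_mirroring": series in REMOTE_MIRROR_SERIES,
    }


# Constructed inventory: locations and authentication methods stand in for
# assessment notes; the sysDescr strings are made-up samples in the assumed layout.
CONSTRUCTED_INVENTORY = [
    {"location": "North building, area 1",
     "sysdescr": "ProCurve J8697A Switch 5406zl, revision K.12.14, ROM K.12.12",
     "auth_methods": "802.1X, local and RADIUS MAC-Auth, Web-Auth"},
    {"location": "North building, area 2",
     "sysdescr": "ProCurve J4850A Switch 5304xl, revision E.10.61, ROM E.05.03",
     "auth_methods": "802.1X, local and RADIUS MAC-Auth, Web-Auth"},
    {"location": "South building, area 1",
     "sysdescr": "ProCurve J8692A Switch 3500yl-24G, revision K.13.51, ROM K.12.12",
     "auth_methods": "802.1X, RADIUS MAC-Auth"},
    {"location": "Lab",
     "sysdescr": "Some Other Vendor switch, software 1.2.3",
     "auth_methods": "unknown"},
]

TABLE_COLUMNS = ["Switch Vendor and Model Number", "Firmware Version", "Location",
                 "Authentication Methods Supported", "Port Mirroring/Monitoring/Spanning"]


def build_records(inventory):
    """Turn raw inventory entries into Table 2-3 rows.

    The mirroring column is filled only with what the page states (remote
    mirroring for the listed series); local mirroring on other switches is
    left for a manual check against the switch documentation or CLI.
    """
    records = []
    for entry in inventory:
        parsed = parse_sysdescr(entry["sysdescr"])
        if parsed is None:
            records.append({
                TABLE_COLUMNS[0]: "UNPARSED: " + entry["sysdescr"],
                TABLE_COLUMNS[1]: "check manually",
                TABLE_COLUMNS[2]: entry["location"],
                TABLE_COLUMNS[3]: entry["auth_methods"],
                TABLE_COLUMNS[4]: "check manually",
            })
            continue
        mirroring = ("Remote intelligent mirroring" if parsed["remote_mirroring"]
                     else "local port mirroring: verify on switch")
        records.append({
            TABLE_COLUMNS[0]: f"{parsed['vendor']} {parsed['model']} Switch",
            TABLE_COLUMNS[1]: parsed["firmware"],
            TABLE_COLUMNS[2]: entry["location"],
            TABLE_COLUMNS[3]: entry["auth_methods"],
            TABLE_COLUMNS[4]: mirroring,
        })
    return records


def records_to_csv(records):
    """Render the rows as CSV text so the table can be kept with the assessment."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=TABLE_COLUMNS)
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print(records_to_csv(build_records(CONSTRUCTED_INVENTORY)))
```

Run as a script it prints the filled-in table as CSV; replace CONSTRUCTED_INVENTORY with the sysDescr strings and notes from your own switches. The 802.1X supplicant and AP columns the page also asks about cannot be read from sysDescr and still need to be checked per device.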