To assess 802.1X/NAC support, we developed six scenarios that describe roles a switch might play as part of the NAC infrastructure. In this case we attached the switch to a Windows 2003 server running Juniper Steel-Belted Radius Enterprise Edition 6.1 (SBR). The SBR configuration used Windows Active Directory credentials to authenticate users.
In the first scenario, the switch places an authenticated client (in all cases, a PC running Windows XP Professional and Juniper Odyssey client software) into a previously configured VLAN. The second case is like the first, but requires authentication of multiple clients attached to a single port. In the third case, the switch dynamically assigns a VLAN after authentication. In the fourth case, the switch dynamically applies an access control list after authentication. In the fifth case, the switch places a client into a guest or restricted VLAN upon authentication failure. Finally, the sixth case determines whether a switch port concurrently supports 802.1X and media access control authentication support.
To assess storm control, we used common attack techniques such as broadcast and TCP SYN flooding as generated by a Mu Dynamics Mu-4000 security analyzer and by Spirent TestCenter. We configured the Juniper switch to limit forwarding rates of attack traffic, and verified these limits using real-time rate counters in Spirent TestCenter.
We measured power consumption using Fluke 322 and Fluke 335 clamp meters. This test involved three measurements: AC line voltage; AC amperage when idle; and AC amperage when fully loaded. We fully loaded the switch control and data planes by configuring Spirent TestCenter to offer traffic at line rate to all ports consisting of IPv4 packets with IP options set. We derived wattage by multiplying voltage and amperage.
Our tests of switch manageability, security and usability had objective and subjective components. In the objective component, we determined which management methods the switch supported over IPv4 and IPv6, as well as its ability to conform to best security practices (for example, by disabling vulnerable services such as telnet and enabling secure service such as SSHv2). We also determined which management methods were enabled by default, and which could be enabled/disabled by users. In addition, we determined whether erasing configuration files would remove all personally identifiable information, a regulatory requirement and security best practice.
The subjective part of our assessment consisted of our judgments on ease of accomplishing these and all other tests described here.
To assess the final area, switch features, we asked vendors to complete a detailed questionnaire. We did not verify every answer to this questionnaire.
Newman is president of Network Test, an independent test lab in the US. He can be reached at dnewman@networktest.com.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Making the Business Case for IT Consolidation
The state of Middleware
Controlling storage costs with Oracle database 11g
How to improve employee productivity in small and medium businesses
IT Service Management Needs and Adoption Trends: An Analysis of a Global Survey of IT Executives
The Case for an Untethered Enterprise
Look before you leap | Key considerations for moving to 802.11n
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Virtual magic: HR specialist throws out 40 servers, adds 8TB SAN and saves $100,000 for disaster recovery 2008-12-01 15:28:00+11
Sybiz adds up for SMEs in downturn 2008-12-01 14:27:00+11
EXCOM scores back-to-back award trifecta 2008-12-01 10:46:00+11
Citect extends SCADA networks with mobility solutions 2008-12-01 09:48:00+11
Citect extends SCADA networks with mobility solutions 2008-12-01 09:48:00+11
Best Practice in Building an Integrated Information Management Strategy
Discover the business value that creating an integrated information platform can bring. Learn how to provide consistent, accurate information to all stakeholders within your business network. Integrate vital data from disparate sources and deliver a trusted information foundation. Read on to uncover the stepping-stones to your new information management strategy.
Buying Guides
