
uplink endpoint

suthomas1 (Level 6)

Good day,

Apart from ISE taking care of endpoint security, can it be used by any means to secure switch uplink ports or ports where servers may be connected?

Thank you.


Accepted Solution

Greg Gibbs (Cisco Employee)

What kind of security are you looking to provide for uplink ports? NAC is mainly intended to secure switchport connections that are patched out to the floor and accessible from common users (or threat actors that gain access to the floor). It is not intended to provide security for switch uplinks that are typically physically secured behind locked doors in a comms room.

Server operating systems typically have limited support for active authentication protocols like 802.1x, so you're limited to using MAC-based authentication (which is easily spoofed). Profiling might be possible, but servers do not typically provide much unique information to the network that can be used by profiling to provide any effective level of security. I normally recommend customers move any servers they have on the floor to a virtual environment that cannot easily be physically accessed by a normal user or threat actor.


2 Replies

balaji.bandi (Hall of Fame)

Yes, it can be done using profiling in ISE (you can segment server-connected ports).


BB
