QoS marking at PC - security risk?

mitchell helton
Level 1

Good afternoon!

We are working on fine tuning our QoS policies and have considered tagging certain traffic at the PC level using Windows Group Policy.  Therefore, the access ports connecting to these devices would trust the tags.

The majority of our users are not local administrators and we will be doing 802.1x port authentication in the near future.  Is this a security concern to create an unconditional trust boundary at the access layer port?  Or am I just being paranoid?

Thanks for your time... I look forward to hearing your thoughts!

1 Accepted Solution

Accepted Solutions

Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Yes, you do open yourself up to some risk that someone may abuse the QoS trust.

What we've done in a similar situation is police special QoS markings at expected normal usage rates.  For example, we allow 300 Kbps (per user port) for EF marked traffic.  Above that, we remark excess to default.  This doesn't preclude someone from using the EF marking for non-realtime traffic, but at least it won't be much abuse.
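The per-port policer described above, written out as an added example (not configuration from the thread or from Cisco's documentation): classic IOS MQC syntax is assumed, the 300 Kbps rate is the figure from the reply, and the 8000-byte burst and interface range are assumptions. Platform syntax varies; for example, some Catalyst switches express the exceed action as `policed-dscp-transmit` with a `mls qos map policed-dscp` table instead of `set-dscp-transmit`.

```cisco
! Added example: police host-marked EF to the expected rate per access
! port and remark anything above it to default (DSCP 0) rather than drop.
! Assumptions: IOS MQC syntax, Bc of 8000 bytes, ports Gi1/0/1 - 24.
mls qos
!
! Match traffic the PC has already marked EF (DSCP 46).
class-map match-all HOST-MARKED-EF
 match ip dscp ef
!
! One policer instance per port, because the policy is attached per interface.
! Conforming EF traffic is forwarded with its mark; excess keeps flowing but
! loses the priority mark, so a misuse of EF cannot starve real voice.
policy-map USER-PORT-IN
 class HOST-MARKED-EF
  police cir 300000 bc 8000 conform-action transmit exceed-action set-dscp-transmit 0
 class class-default
  ! Other host marks (e.g. AF41) are trusted as-is; add further policed
  ! classes here if those markings also need an upper bound.
!
! Trust the host's DSCP on the access ports, then apply the bound inbound.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 mls qos trust dscp
 service-policy input USER-PORT-IN
```

To confirm the bound is working, `show policy-map interface GigabitEthernet1/0/1` reports conformed and exceeded counters per class; a port with steadily climbing exceeded counters outside of call volume is the signal that something other than voice is carrying EF.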


3 Replies

Thanks Joe... that seems like a reasonable approach.

What brought this on was Lync 2010.  We were planning on tagging this traffic as it was leaving PCs, but didn't want a user to be able to abuse this - although it would probably be unlikely.

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Yup, it's unlikely; that doesn't mean it won't happen. That also doesn't mean you need to make sure it can't happen.  Best to consider risk vs. cost.

More of a problem for an instant messaging app is whether it's also being used (licitly) to transfer large files.  If the platform supports microflow policing, you can target excess use per flow with certain markings.
