Home of The Fire Monkey
By Fire Monkey on Tue 21 of Sep., 2004 15:18 EDT

Cisco's VoIP Security

If you're a Cisco shop and you're looking to move to an IP telephony solution, seriously consider Cisco's. They're doing some really nice stuff, including device authentication (certificates on the phones), voice call encryption (128-bit AES), and other neat things like disabling gratuitous ARP (GARP) on the phone's PC port. Their Network Admission Control (NAC) and "self-defending network" stuff is nice too. It's all 802.1x-based, so no more MAC-based authentication: you log on to the actual layer 2 network, and that logs you on to the domain. Other neat stuff:

  • DHCP snooping: the switch sees a DHCP lease and then locks that leased IP to the port that requested it.
  • The new Cisco Security Agent prevents dumb users and dumb software from doing dumb things.
  • NAC code is being integrated into anti-virus software (Trend, Symantec, McAfee) so that the anti-virus software can validate your virus signatures and OS patches to the network before you're allowed to talk. If you fail, you get thrown into network quarantine (perhaps you can connect to the Internet to get patches, perhaps you can get nowhere; it's the admin's choice).
  • Security zones: ACLs on all the switches, so that if you 802.1x into the "web designer" group, you can only access systems in the "web designer" ACL group. All automated, all 802.1x.
  • If you plug into a port and you're not 802.1x authenticated, you get nowhere, or maybe you get dropped onto a "guest" network.
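As an added illustration (not code from the original post or from Cisco), here is a small Python model of what the DHCP snooping bullet describes: the switch watches DHCP on untrusted access ports, records the lease it sees acknowledged, and afterwards only forwards IP traffic from that port if the source address matches the binding (the feature Cisco pairs with snooping is usually called IP Source Guard). It goes a little beyond the bullet by also modelling two checks standard DHCP snooping implementations make: server messages (OFFER/ACK/NAK) are only accepted from trusted ports, and a client's DHCP `chaddr` must match the frame's source MAC. Port names, MAC addresses, VLAN numbers and IP addresses below are all constructed sample values.

```python
"""Constructed model of DHCP snooping plus IP Source Guard on an access switch."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Frame:
    port: str                     # ingress port
    vlan: int
    src_mac: str
    src_ip: Optional[str] = None  # None for frames with no IP header
    dhcp: Optional[str] = None    # DHCP message type, or None for ordinary traffic
    chaddr: Optional[str] = None  # client hardware address from the DHCP payload
    yiaddr: Optional[str] = None  # address handed out in OFFER/ACK


class SnoopingSwitch:
    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the real DHCP server
        self.client_port = {}   # chaddr -> untrusted port that sent DISCOVER/REQUEST
        self.bindings = {}      # port -> Binding (one host per access port in this model)
        self.log = []

    def handle(self, f: Frame) -> bool:
        """Return True if the switch forwards the frame, False if it drops it."""
        if f.dhcp is not None:
            return self._dhcp(f)
        if f.port in self.trusted or f.src_ip is None:
            return True
        # IP Source Guard: untrusted ports may only source the address they leased
        b = self.bindings.get(f.port)
        if b is None or (b.ip, b.mac, b.vlan) != (f.src_ip, f.src_mac, f.vlan):
            self.log.append(f"IPSG drop on {f.port}: {f.src_mac}/{f.src_ip} has no matching binding")
            return False
        return True

    def _dhcp(self, f: Frame) -> bool:
        if f.dhcp in self.SERVER_MSGS:
            if f.port not in self.trusted:
                self.log.append(f"DHCP {f.dhcp} from untrusted port {f.port} dropped")
                return False
            if f.dhcp == "ACK" and f.chaddr in self.client_port:
                port = self.client_port[f.chaddr]
                self.bindings[port] = Binding(f.chaddr, f.yiaddr, f.vlan, port)
                self.log.append(f"bound {f.yiaddr} to {f.chaddr} on {port}")
            return True
        # client-originated message on an access port: chaddr must match the source MAC
        if f.port not in self.trusted and f.chaddr != f.src_mac:
            self.log.append(f"chaddr {f.chaddr} != source MAC {f.src_mac} on {f.port}; dropped")
            return False
        if f.dhcp in ("DISCOVER", "REQUEST"):
            self.client_port[f.chaddr] = f.port
        elif f.dhcp == "RELEASE":
            b = self.bindings.get(f.port)
            if b is None or b.mac != f.chaddr:
                self.log.append(f"RELEASE on {f.port} does not match its binding; dropped")
                return False
            del self.bindings[f.port]
        return True


def demo():
    """Walk one lease through the switch and return (switch, forwarding decisions)."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    host1, host2, server = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "cc:cc:cc:cc:cc:01"
    results = [
        # host on Fa0/1 asks for a lease; the server's ACK arrives on the trusted uplink
        sw.handle(Frame("Fa0/1", 10, host1, None, dhcp="DISCOVER", chaddr=host1)),
        sw.handle(Frame("Gi0/24", 10, server, "10.0.0.1", dhcp="ACK", chaddr=host1, yiaddr="10.0.0.50")),
        # traffic from the leased address is forwarded
        sw.handle(Frame("Fa0/1", 10, host1, "10.0.0.50")),
        # the same host switching to a static address it was not leased is dropped
        sw.handle(Frame("Fa0/1", 10, host1, "10.0.0.1")),
        # a host on Fa0/2 with no lease at all is dropped
        sw.handle(Frame("Fa0/2", 10, host2, "10.0.0.50")),
        # a DHCP OFFER coming from an access port is dropped
        sw.handle(Frame("Fa0/2", 10, host2, "10.0.0.99", dhcp="OFFER", chaddr=host1, yiaddr="10.0.0.77")),
    ]
    return sw, results


if __name__ == "__main__":
    switch, decisions = demo()
    print(decisions)
    print("\n".join(switch.log))
```

The binding table is exactly the "lock the leased IP to the port" behaviour in the bullet; everything the switch drops shows up in `log`, which is also where you would point detection at on a real switch (the snooping and source-guard violation counters and syslog messages).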

All of this integrates with the wireless network, too. Combine 802.1x with WPA and SecurID, and you'll sleep much better at night, instead of having nightmares about your wireless infrastructure.
