IBM 8260 Switch User Manual

7.11 8260 Ethernet Security Daughter Card
The 8260 Ethernet Security Card (E-SEC) is a daughter card that allows you to
provide security on any Ethernet network to which this card is attached. You can
install this card on any Ethernet media module or the 8260 DMM with Ethernet
Carrier (EC-DMM).
Note: Security features provided by this card are only applicable to the Ethernet ports on the 8260 modules. Therefore, this card cannot be used to provide security for the Ethernet ports on the 8250 modules installed on your 8260, even if they are assigned to the Ethernet network protected by the Ethernet security card.
Once assigned to an Ethernet network, the E-SEC card can be used to provide
the following security features for that network:
Intrusion protection
This feature allows only the authorized users for each port to transmit data on that port. If an unauthorized user is detected on a port, the E-SEC card may be configured to perform one or more of the following:
• Report the time and port on which the intrusion took place along with the MAC address of the intruder.
• Jam the intruder's port so that the intruder is not able to exchange data with the other stations on the network.
• Disable the port to which the intruder is connected.
Authorized users on each port are known to the E-SEC card via the network security address table. The contents of this table can be created and/or modified using manual and/or auto-learning procedures as described in 7.11.2, “Configuring the Security Module” on page 124.
Each entry in the network security address table contains the 8260 slot and port number as well as the MAC address of the station authorized to transmit data on that port. You may define as many authorized users as you wish for each port. However, the total number of users defined for each network, that is, the total number of entries allowed in the network security address table, is limited to 1,000 entries.
Note: When performing intruder protection, you may configure the E-SEC
card to either check only the MAC address of the sending adapter, or both
the MAC address and the port to which the sending station is attached.
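The following model of the intrusion-protection check is an added illustration, not IBM's E-SEC firmware. It assumes a table keyed by (slot, port) holding authorized MAC addresses, the two checking modes described above (MAC only, or MAC and port), the three configurable responses, and the 1,000-entry limit per network.

```python
"""Model of the E-SEC network security address table and intrusion check (added example)."""
from dataclasses import dataclass, field

MAX_ENTRIES = 1000  # limit on entries in one network's security address table


@dataclass
class SecurityTable:
    # entries: (slot, port) -> set of authorized MAC addresses for that port
    entries: dict = field(default_factory=dict)
    check_port: bool = True           # True: check MAC and port; False: MAC only
    actions: tuple = ("report",)      # any of "report", "jam", "disable"
    disabled_ports: set = field(default_factory=set)
    reports: list = field(default_factory=list)  # (time, slot, port, intruder MAC)

    def count(self):
        return sum(len(macs) for macs in self.entries.values())

    def add_entry(self, slot, port, mac):
        """Manual or auto-learned entry; enforces the per-network table limit."""
        if self.count() >= MAX_ENTRIES:
            raise ValueError("network security address table is full (1,000 entries)")
        self.entries.setdefault((slot, port), set()).add(mac.upper())

    def is_authorized(self, slot, port, mac):
        mac = mac.upper()
        if self.check_port:
            return mac in self.entries.get((slot, port), set())
        # MAC-only mode: the adapter may be attached to any port on the network
        return any(mac in macs for macs in self.entries.values())

    def check_frame(self, timestamp, slot, port, src_mac):
        """Return the list of responses taken for one frame seen on (slot, port)."""
        if (slot, port) in self.disabled_ports:
            return ["port-disabled"]          # a disabled port passes nothing
        if self.is_authorized(slot, port, src_mac):
            return []                         # authorized user: no action
        taken = []
        if "report" in self.actions:
            self.reports.append((timestamp, slot, port, src_mac.upper()))
            taken.append("report")
        if "jam" in self.actions:
            taken.append("jam")               # intruder's port is jammed
        if "disable" in self.actions:
            self.disabled_ports.add((slot, port))
            taken.append("disable")
        return taken
```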
Eavesdropping protection
This feature prevents unauthorized users from examining the contents of
packets destined for another port by preventing all the nodes except the
intended recipient from receiving the packets transmitted on the network.
This enables you to ensure that unauthorized network tracing tools will not
be able to listen and trace the network traffic.
Note that the eavesdropping and intrusion protection functions can be enabled or
disabled separately for each port. Also, various ports on a single network may
have different security settings. For example, in a single network, some ports
may have both eavesdropping and intrusion protection enabled, while other
Chapter 7. 8260 Ethernet Modules 121