Looking for a switch brand known for security.


zerophase

Occasional Visitor
I'd like the cost to be reasonable, and something that can expand out to probably 4 VLANs with multiple devices connected behind each. Performance definitely matters. Is there a pretty good switch out there, with awesome DD-WRT support, which I can turn into a much more expensive switch through that software?

I've heard more than enough IT professionals claim Cisco is not very secure. Which brands should I be looking at for security, performance, and reliability?
 
Cisco is not secure? Who said that?
 
Are you looking for a router or a switch? Normally you find DD-WRT running on routers.

If all you are looking for is VLANs those can easily be setup on reasonably inexpensive TP-Link smart switches.

How many LAN ports do you need, and how many, if any, of those ports need to be faster than gigabit? How many ports need to be PoE?
 
Cisco is not secure? Who said that?
They've had tons of severe security vulnerabilities from firmware and hardware design decisions. I won't trust them since they've worked with the NSA while not legally required to. It's them putting in US government backdoors that makes me think there are probably more to be found.


 
Are you looking for a router or a switch? Normally you find DD-WRT running on routers.

I'm looking for a switch. I just mentioned DD-WRT as it has a lot of the features I need in a switch. There might be a cheap switch that gets upgraded to the equivalent of a $2k switch if DD-WRT supports it.

If all you are looking for is VLANs those can easily be setup on reasonably inexpensive TP-Link smart switches.

How many LAN ports do you need, and how many, if any, of those ports need to be faster than gigabit? How many ports need to be PoE?

I’m looking to lock down my network by segregating all of my computers in case someone gets in. I had picked up one of these, and found it a bit lacking for the price. Wasn't aware it was ten years old, and the web GUI was so lacking (Firefox 5.0.1 was not fully supported). I'm fine in the command line, but would prefer a web GUI for getting the switch up and running, and then go to the CLI for more advanced features and locking security down. I also don't completely trust Cisco, as they've had issues with backdoors.

All of the computers behind it need at least gigabit. I would like jumbo frame support, and the ability to bond two Ethernet connections on a few. I’ll have gigabit internet, and will probably upgrade that. These machines mostly don’t need to communicate with each other, though. I might want to use a few for distcc, but I don’t believe going above gigabit would improve performance for that.

VLAN-wise I need at least six. I’m splitting up to ten computers into different VLANs (maybe more), and will have a GT-AX11000 behind one of the VLANs with my personal computer and entertainment stuff connected through it. I have a cheap switch connected to the router for expanding to more devices that don't need all that much bandwidth. The second VLAN is for a honeypot running on a Raspberry Pi. The third VLAN is for a Qubes system.

The fourth VLAN will have at least two computers, but probably up to ten eventually. I might split the ten computers into multiple VLANs depending on what each gets used for. Network performance needs low latency for these machines. On the fifth VLAN I’ll have at least one Raspberry Pi running a node for a search engine, and might expand that up to multiple Raspberry Pis or even a server eventually. Having support for a sixth VLAN just seems like a good idea for growth of the network.

I should not need PoE.

Currently, looking at Netgear. How does this compare to their more expensive models? What features am I lacking for that severe price drop?

This switch is going to be what's directly connecting to my modem, and acting as a firewall too. Any models with quality firewalls built in? Should I have another machine and vlan for running a third party firewall? How many ports would you recommend I get?
 
It sounds like you need a Layer 2 managed switch, which should be pretty secure. Change the admin password to a strong one when you install it and you should be fine. You won't be able to mess with the firmware and won't be able to add firewall or Layer 3 features. You don't want that anyway if you want it to be secure.

I would not bother with jumbo frame support. Today's Ethernet adapters don't need it and enabling it can sometimes degrade performance.

The NETGEAR Nighthawk switch is not a good choice. It's a dumbed-down device aimed at gamers.

Look at TP-Link TL-SG108E
 
Look at TP-Link TL-SG108E
I have two of these switches in my network setup, and in looking at the switch's firmware I don't see any way that this switch would function correctly in a network without a router. What the OP says he wants to do is connect the recommended switch directly to the modem and have it act as his firewall, and the switch would also need to have the ability to act as his DHCP server. I suppose there might be an updated firmware that could do this, but nothing even close is possible in the versions of the firmware that I'm running.
 
@CaptainSTX Sorry, missed that part of the OP's requirements. That would require, at minimum, a Level 3 switch. I have no experience with them, so can't advise, but it seems like an unnecessary complication to me. Maybe @Trip can comment.
 
@CaptainSTX Sorry, missed that part of the OP's requirements. That would require, at minimum, a Level 3 switch. I have no experience with them, so can't advise, but it seems like an unnecessary complication to me. Maybe @Trip can comment.
That is why I bowed out of trying to address the OPs needs. No experience trying to make a network function without a router or by using a Level 3 switch and have it handle the functions normally handled by a router.
 
@zerophase - Based on what you've written thus far, it appears you're looking for a high-power router/firewall with integrated switching. You might want to think about an x86 box loaded up with multi-NIC cards running something like pfSense or OpenWRT. L3 switching won't be offloadable but with enough CPU power and PCI lanes, the box would probably be able to software-route enough local traffic for your needs...

That said, what precisely is keeping you from running a dedicated wired router/firewall in combination with a discrete managed switch? Such a setup will almost always be more robust, more flexible and higher performance from the sum of the parts. Example: x86 pfSense firewall + HPE or Juniper switch (L2 or L3).
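Taking the poster's six-VLAN plan together with the layout suggested just above (a dedicated router/firewall doing the inter-VLAN decisions, a discrete managed switch only carrying the tagged VLANs), the part that actually provides the isolation is the forward policy on the firewall, not the switch. The following is an added example for this thread, not code from the forum, from OpenWrt, pfSense or any switch vendor. It assumes a Linux-based router with one 802.1Q sub-interface per VLAN and nftables doing the filtering; the VLAN names, IDs, interface names and subnets are hypothetical, modelled on the VLANs described in the thread.

```python
"""Inter-VLAN policy as code for a segmented home network.

Added example, not code from the thread or any vendor. Assumes a
Linux-based router/firewall in front of a managed switch, one 802.1Q
sub-interface per VLAN, nftables making the forwarding decisions.
VLAN names, IDs, interface names and subnets are hypothetical.
Traffic inside one VLAN never reaches the router, so only VLAN-to-VLAN
and VLAN-to-internet flows appear here.
"""

# Hypothetical VLAN plan: name -> (802.1Q id, router sub-interface, subnet).
VLANS = {
    "personal": (10, "lan.10", "10.0.10.0/24"),  # GT-AX11000 and entertainment
    "honeypot": (20, "lan.20", "10.0.20.0/24"),  # Raspberry Pi honeypot
    "qubes":    (30, "lan.30", "10.0.30.0/24"),
    "compute":  (40, "lan.40", "10.0.40.0/24"),  # low-latency workstations
    "search":   (50, "lan.50", "10.0.50.0/24"),  # search-engine node(s)
    "mgmt":     (60, "lan.60", "10.0.60.0/24"),  # switch/router admin only
}
WAN_IFACE = "wan"

# Who may OPEN a connection to whom: (source, destination, extra nft match).
# "wan" is the internet, "*" means every interface. Replies come back via
# conntrack; anything not listed is dropped and logged by the chain policy.
ALLOW = [
    ("personal", "wan", ""),
    ("qubes", "wan", ""),
    ("compute", "wan", ""),
    ("search", "wan", ""),
    ("honeypot", "wan", "tcp dport {80, 443}"),  # honeypot egress kept narrow
    ("personal", "search", "tcp dport 8080"),    # reach the search node's UI
    ("mgmt", "*", ""),                           # admin VLAN manages everything
]


def _iface(name):
    return WAN_IFACE if name == "wan" else VLANS[name][1]


def reachable(allow, src, dst):
    """True if a host on VLAN `src` may open a connection towards `dst`."""
    return any(s == src and d in (dst, "*") for s, d, _ in allow)


def check_policy(allow):
    """Isolation goals from the thread, checked before the rules ship:
    the honeypot reaches nothing but the internet, and only mgmt may
    initiate connections into mgmt. Returns a list of violations."""
    problems = []
    for src, dst, _ in allow:
        if src == "honeypot" and dst != "wan":
            problems.append(f"honeypot may reach {dst}")
        if dst in ("mgmt", "*") and src != "mgmt":
            problems.append(f"{src} may reach mgmt")
    return problems


def render_nft(allow):
    """Render the allow-list as a default-deny nftables forward chain."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst, match in allow:
        rule = f'    iifname "{_iface(src)}"'
        if dst != "*":
            rule += f' oifname "{_iface(dst)}"'
        if match:
            rule += f" {match}"
        lines.append(rule + " accept")
    # Everything else falls through to the chain policy (drop); log it,
    # rate limited, so a blocked attempt is visible and not just silent.
    lines += [
        '    limit rate 10/second log prefix "vlan-drop: "',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    violations = check_policy(ALLOW)
    if violations:
        raise SystemExit("refusing to render: " + "; ".join(violations))
    print(render_nft(ALLOW))
```

The allow-list is the whole policy; `check_policy` is the guard that stops a careless edit (say, letting the honeypot VLAN reach the workstations) from ever becoming a rule, and the rate-limited log line is what turns "the intruder got stuck" into "the intruder got noticed". On pfSense the same allow-list maps onto per-interface rules with a default block; the router's own management plane (its input chain) should be restricted to the mgmt VLAN in the same way, which this example leaves out.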
 
Cisco switches are very secure, but they do not contain firewalls, at least the ones you can afford, so you would not want to connect them to a modem. You would need a router, and of course Cisco makes very good routers.

Backdoors to switches sounds like you don't understand networking. First you have to go through the router's firewall to access the switch. This seems clumsy to me.

Be careful with Mikrotik as they are currently being brought into a large botnet.
MikroTik shares info on securing routers hit by massive Mēris botnet (bleepingcomputer.com)
 
Why would you need a "secure" switch when it is placed behind a decent router that has a properly configured firewall? Probably I don't know enough about advanced networking, but it still feels that if you have a secure door to access the house, there is no need to bother about whether the doors inside are locked.
 
In case of bugs or vulnerabilities that allow getting through the router. I also disabled all remote access to the router. I'm being paranoid with security, and am creating an onion with multiple fail-safes, at the router, switch, and OS level. Will be paying for a security audit as well. I want to make sure that if anyone gets in they get stuck somewhere and are detected before accessing any sensitive data.

I don't trust Cisco as they've worked with the NSA, while not being legally required to.
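The "get stuck somewhere and detected" goal in the post above only holds if someone actually reads what the segmentation firewall drops. The following is an added example for this thread, not code from the forum or from any product: a small detector over the kind of kernel log lines a Linux-based router emits when a forward rule logs a dropped packet with a "vlan-drop: " prefix. The interface-to-VLAN mapping and every log line are constructed for the example, not captured from a real system.

```python
"""Flag cross-VLAN attempts in firewall drop logs.

Added example, not code from the thread or any product. Assumes the
router logs dropped forward traffic to the kernel log with a
"vlan-drop: " prefix (the nftables `log prefix` statement on a
Linux-based router is one way to get that). Interface names, VLAN names
and the sample log are constructed for the example.
"""
import re
from collections import defaultdict

# Hypothetical router sub-interface -> VLAN name.
IFACE_VLAN = {
    "lan.10": "personal", "lan.20": "honeypot", "lan.30": "qubes",
    "lan.40": "compute", "lan.50": "search", "lan.60": "mgmt", "wan": "wan",
}

# Fields of a netfilter log line we care about; SPT/DPT exist for TCP/UDP only.
LOG_RE = re.compile(
    r"vlan-drop: IN=(?P<in>\S+) OUT=(?P<out>\S+) .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: a honeypot host probing two internal VLANs, a personal
# host touching the management VLAN, a blocked ICMP to the internet, and
# one unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
Oct 10 12:00:01 rtr kernel: vlan-drop: IN=lan.20 OUT=lan.10 MAC=aa:bb SRC=10.0.20.5 DST=10.0.10.7 LEN=60 TTL=63 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=64240 SYN
Oct 10 12:00:02 rtr kernel: vlan-drop: IN=lan.20 OUT=lan.10 MAC=aa:bb SRC=10.0.20.5 DST=10.0.10.7 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=44322 DPT=445 WINDOW=64240 SYN
Oct 10 12:00:03 rtr kernel: vlan-drop: IN=lan.20 OUT=lan.40 MAC=aa:bb SRC=10.0.20.5 DST=10.0.40.3 LEN=60 TTL=63 ID=3 DF PROTO=TCP SPT=44323 DPT=3389 WINDOW=64240 SYN
Oct 10 12:00:04 rtr kernel: vlan-drop: IN=lan.10 OUT=lan.60 MAC=cc:dd SRC=10.0.10.7 DST=10.0.60.1 LEN=60 TTL=63 ID=4 DF PROTO=TCP SPT=50000 DPT=443 WINDOW=64240 SYN
Oct 10 12:00:05 rtr kernel: vlan-drop: IN=lan.40 OUT=wan MAC=ee:ff SRC=10.0.40.3 DST=203.0.113.9 LEN=84 TTL=63 ID=5 PROTO=ICMP TYPE=8 CODE=0
Oct 10 12:00:06 rtr kernel: some unrelated kernel message
"""


def parse_drops(text):
    """Parse 'vlan-drop' kernel log lines into events; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["src_vlan"] = IFACE_VLAN.get(e["in"], e["in"])
        e["dst_vlan"] = IFACE_VLAN.get(e["out"], e["out"])
        events.append(e)
    return events


def summarize(events, scan_threshold=3):
    """Turn dropped cross-VLAN attempts into findings worth acting on:
    honeypot hosts pushing inward, anything probing the mgmt VLAN, and
    sources that tried at least `scan_threshold` distinct host:port targets."""
    pivots = defaultdict(int)       # honeypot host -> attempts against internal VLANs
    mgmt_probes = defaultdict(int)  # non-mgmt host -> attempts against the mgmt VLAN
    targets = defaultdict(set)      # source host -> distinct (dst host, port) tried
    for e in events:
        if e["src_vlan"] == "honeypot" and e["dst_vlan"] != "wan":
            pivots[e["src"]] += 1
        if e["dst_vlan"] == "mgmt" and e["src_vlan"] != "mgmt":
            mgmt_probes[e["src"]] += 1
        if e["dst_vlan"] != "wan":  # blocked egress is policy, not lateral movement
            targets[e["src"]].add((e["dst"], e["dpt"]))
    scanners = sorted(s for s, t in targets.items() if len(t) >= scan_threshold)
    return {"pivot_from_honeypot": dict(pivots),
            "mgmt_probes": dict(mgmt_probes),
            "scanners": scanners}


if __name__ == "__main__":
    for finding, value in summarize(parse_drops(SAMPLE_LOG)).items():
        print(f"{finding}: {value}")
```

Anything the honeypot VLAN sends inward is by definition hostile, since nothing legitimate lives there, so that finding deserves an alert on the first packet rather than a threshold; the scan threshold exists for the other VLANs, where a single dropped packet is usually a misconfiguration and a fan of distinct targets is not.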
 
