Security options for WRS

Customer question: what security measures are implemented on WRS?. Customer has all switches locked down with “Fortinet”. Now that may not be possible for proprietary reasons, but a minimum acceptable level of security might be a “MAC address whitelist”. ie the switch refuses to talk to any MAC address not in the list. Do we have anything like this?.

I will let others provide details about MAC whitelists and such. I will just tell you how we use WR switches at CERN. A WR switch has 18 WR ports (SFP cages) and one management port (RJ45). The RJ45 port is typically connected to CERN’s Technical Network (TN), which is isolated from the outside world and protected by our colleagues in the IT Department. From the point of view of a user connecting to the management port of a switch inside the technical network, it looks like any Linux system, with the usual security features. The 18 WR ports are used to build completely private networks, not connected at all to the TN. We could be using the WR ports to interface to the TN, but there is really no advantage to doing so, and then we would really have to worry about many other things. WR brings ultimate synchronisation and determinism in a fully-WR network.


there is no straightforward MAC whitelist functionality on the WR switch. You could achieve a similar behavior by disabling the MAC learning mechanism and adding manually MAC entries to the routing table. This is however not a standard configuration feature you could set up in the main WRS configuration file.
As for other security measures, as Javier already mentioned, we focus mainly on the security on the management port, which is the one exposed to the network. In the coming firmware release we will for example add the support for kerberos and LDAP.