Port Security


  • Access to the physical switch ports and switch hardware should be restricted to authorized staff
    • To accomplish this
      • place the switch appliances in secure server rooms and/or lockable hardware cabinets
      • the switch port that a wall port's cabling connects to can be administratively disabled

Port security prevents a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

Implementing Port Security

Disable Unneeded Switch Ports

  • a switch port can be disabled by:
    • using management software
    • isolating it in a VLAN with no route to the rest of the network
      • a sinkhole VLAN
    • physically removing the patch cable
  • on a Cisco switch,
    • these settings are applied using a switchport command or subcommand
  • these options do not provide complete protection and carry a lot of administrative overhead
  • so there are better ways to ensure port security

MAC Filtering

MAC filtering is applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

  • can be done by
    • creating a static list of valid MAC addresses
    • or specifying a limit on the number of permitted addresses
      • this dynamic method is referred to as sticky MACs or MAC limiting
  • weakness:
    • restricting access by MAC address is difficult to manage and prone to spoofing
  • better security is obtained by forcing computers and/or users to authenticate before full network access is granted

Port States

  • if a host tries to connect with a MAC address that violates the policy,
    • the switch port enters a violation state:
      • Protect mode
        • the port drops frames from the invalid source address
          • but otherwise keeps the interface open
        • can only be used with sticky MACs
      • Restrict mode
        • drops frames, and logs and alerts on violations
        • keeps the interface open
      • Shutdown mode
        • disables the port and sends alerts
        • must be manually re-enabled
          • using the no shutdown command
        • the default mode
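The three sections above (disabling unused ports, MAC filtering with static and sticky entries, and the violation modes) as one Cisco IOS configuration, added here as an example and not taken from the original notes; the interface names, VLAN number and MAC address are assumed or constructed values.

```cisco
! Added example (not from the original notes). Interface names, VLAN 999
! and the MAC address below are assumed/constructed values.
!
! 1. Unused port: administratively disable it and park it in a sinkhole
!    VLAN that has no route to the rest of the network.
vlan 999
 name SINKHOLE
interface GigabitEthernet0/24
 description Unused - wall port 3B
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 2. User-facing port: MAC filtering with one static entry plus sticky
!    learning, limited to two addresses (e.g. IP phone + PC).
!    Restrict mode drops offending frames, logs/alerts, and keeps the port up.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! 3. Port left in the default violation mode (shutdown): on a violation it
!    goes err-disabled and needs "no shutdown" by hand, unless automatic
!    err-disable recovery is enabled globally (interval in seconds).
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification (run from privileged EXEC):
!   show port-security interface GigabitEthernet0/1
!   show port-security address
!   show interfaces status err-disabled
```

Sticky addresses are written into the running configuration as learned, so save the configuration afterwards or they are lost on reload.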

Port-Based Network Access Control