Port Security

(OBJ 3.2)

Port Security

• A network switch feature that restricts device access to specific ports based on MAC addresses
• Enhances network security by preventing unauthorized devices from connecting

Network Switches

• Networking devices that operate at Layer 2 of the OSI model
• Use MAC Addresses for traffic switching decisions through transparent bridging
• Unlike hubs, switches use intelligence to prevent collisions on networks
  • Each port is inside its own collision domain
  • Efficiently prevent collisions, operate in full duplex mode
    • Means that a port can both send and receive data at the same time without a negative effect
• Remember connected devices based on MAC addresses
  • This way they can forward traffic only to the port that is involved inside of a particular conversation
• Broadcast traffic only to intended receivers, increasing security
  • Switches are more efficient and secure than hubs

CAM Table (Content Addressable Memory)

• Stores MAC addresses associated with switch ports
• Vulnerable to MAC flooding attacks, which can cause the switch to fail open
  • Flooding the switch with a bunch of randomized MAC addresses. When this happens, it can overfill the CAM table and the switch will simply fail open and simply begin to act like a hub.
• Enable port security or MAC filtering on the switch ports

Port Security Implementation

• Associate specific MAC addresses with specific interfaces
• Prevent unauthorized devices from connecting by plugging in a cable to the wall jack or switch port
• Example:
  • Only accept MAC addresses from laptops that have been pre-approved by our network admins for that use.
  • Any other address will be rejected and not logically connected
• Can use Sticky MACs for easier setup
  • Persistent (Sticky) MAC Learning
    • Feature in network port security where the switch automatically learns and associates MAC addresses with specific interfaces
    • Dynamically associate the first MAC address that is connected to that switch port as an authorized MAC address, then prevent access from any other MAC address
    • Not a silver bullet to overcome an attack
• Susceptible to MAC spoofing attacks
  • Resetting the MAC address of their own network interface cards to a known good MAC address on your pre-approved list.
• Use a more in depth plan as well
  • 802.1x Authentication
  • Extensible Authentication Protocol

802.1x Authentication

• Standardized framework that provides port-based authentication for wired and wireless networks
• Requires three roles
  • Supplicant
    • The device requesting access to your network
  • Authenticator
    • The device through which the supplicant is attempting to access the network, such as a switch, a WAP or a VPN Concentrator.
  • Authentication server
    • Centralized device that performs the authentication, and this is usually going to be configured as a RADIUS or TACACS+ server.
• Utilizes RADIUS or TACACS+ for actual authentication process
• Prevents rogue device access
• 802.1x is a top-notch defense against unauthorized access on the network
  • Best practices for rouge access prevention
  • Because it provides port based authentication, anything that connects to a switch or a WAP, will be required to present itself for authentication using that 802.1x protocol prior to gaining access.
  • Can also be used to encapsulate EAP

RADIUS vs. TACACS+

• RADIUS is cross-platform, while TACACS+ is Cisco proprietary
• TACACS+ is slower because it relies on TCP transport protocol, but offers additional security and independently handles authentication, authorization, and accounting
• TACACS+ supports all network protocols, whereas RADIUS lacks support for some
  • RADIUS does not support the Remote Access Protocol, NetBIOS Frame Protocol, or X.25 PAD connections
• Overall TACACS+ is an excellent choice if we're only using Cisco devices across our entire network. Otherwise RADIUS is the best option for mixed architecture.

EAP (Extensible Authentication Protocol)

• A framework for various authentication methods
  • Not a single protocol by itself
  • Allows for different ways to conduct authentication
  • Includes things like:
    • Simple Passwords
    • Digital Certificates
    • Public Key Infrastructure (PKI)
• Has different variants which have their own features
  • EAP-MD5
    • Uses simple passwords and the challenge handshake authentication process to provide remote access authentication
      • You will have to ensure you are using a long, strong, and complex password in order for you to maintain the security of your system.
    • One-way authentication process
    • Doesn’t provide mutual authentication
  • EAP-TLS
    • Uses Public Key Infrastructure (PKI) with a digital certificate which is installed on both the client and the server
    • Uses mutual authentication
  • EAP-TTLS
    • Requires a digital certificate on the server, but not on the client
    • The client uses a password for authentication
      • Makes it a little bit more secure than the traditional EAP-MD5, which only uses passwords on both sides,
      • but it is considered to be less secure than EAP-TLS, because now we're only using one digital certificate and one password instead of two digital certificates
  • EAP-FAST
    • FAST stands for the Flexible Authentication via Secure Tunneling
    • Uses protected access credential, instead of a certificate, to establish mutual authentication between two devices
  • PEAP
    • "Protected" EAP
    • Supports mutual authentication using server certificates and
    • Active Directory databases to authenticate a password from the client
  • EAP-LEAP
    • Cisco proprietary and limited to Cisco devices
    • Stands for the Lightweight EAP.

Integration for Network Security

• Combining port security, 802.1X, and EAP enhances network security
• Ensures only authenticated and authorized devices can access sensitive resources