Using Port Security to Mitigate Attacks In this topic, you will learn about the issues to consider when configuring port security on a switch. Key port security Cisco IOS commands are summarized. You will also learn about configuring static and dynamic port security. Port
Security A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords, or configuration information about the systems on the network. All switch ports or interfaces should be secured before the switch is deployed. Port security limits the number of valid MAC addresses allowed on a port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address to that port, the workstation attached to that port is assured the full bandwidth of the port, and only that workstation with that particular secure MAC address can successfully connect to that switch port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, a security violation occurs when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses.
Secure MAC Address TypesThere are a number of ways to configure port security. The following describes the ways you can configure port security on a Cisco switch: Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-addressmac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch. Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts. Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration. Sticky MAC Addresses Sticky secure MAC addresses have these characteristics: When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration. If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table. The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses. When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in the running configuration. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address interface configuration command, an error message appears, and the sticky secure MAC address is not added to the running configuration.
Security Violation Modes It is a security violation when either of these situations occurs: The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface. An address learned or configured on one secure interface is seen on another secure interface in the same VLAN. You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs. The figure presents which kinds of data traffic are forwarded when one of the following security violation modes are configured on a port:
protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
Configure Port Security The ports on a Cisco switch are preconfigured with defaults. The figure summarizes the default port security configuration.
The figure shows the Cisco IOS CLI commands needed to configure port security on the Fast Ethernet F0/18 port on S1 switch. Notice that the example does not specify a violation mode. In this example, the violation mode is set to shutdown.
As stated earlier, you can configure the maximum number of secure MAC addresses. In this example, you can see the Cisco IOS command syntax used to set the maximum number of MAC addresses to 50. The violation mode is set to shutdown by default. Verify Port Security After you have configured port security for your switch, you want to verify that it has been configured correctly. You need to check each interface to verify that you have set the port security correctly. You also have to check to make sure that you have configured static MAC addresses correctly. Verify Port Security Settings To display port security settings for the switch or for the specified interface, use the show port-security [interfaceinterface-id] command.
The output displays the following: Maximum allowed number of secure MAC addresses for each interface Number of secure MAC addresses on the interface Number of security violations that have occurred Violation mode
Verify Secure MAC Addresses
To display all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each, use the show port-security [interfaceinterface-id] address command.
{ 0 comments... Views All / Send Comment! }
Post a Comment