Discussion on:

32 Comments
Workaround
ian.rarity@... 6th Oct 2006
Do the ports remember the MAC addresses associated with them after a reboot? And if not, couldn't our notional intruder/salesperson just circumvent it by power-cycling the switch and leaving their laptop plugged in?
Any device to which one has physical access has NO meaningful security. In my book, power cycling a switch comes into this category. Access to the console port at power up gives even less security if that is possible!
If you're allowing physical access to your switches, then why are you worried about port access?

No one should be allowed physical access to your switches.
Security
LDICK 6th Oct 2006
Yes, if anyone can reboot your switches you have far bigger problems than port security.

No security is perfect, but I think you would want to put up as many obstacles as possible and within reason.
That's what administrative passwords are for, unless of course you have your switches sitting out in the main lobby.
Cisco switches have password recovery and/or bypass processes that are available with physical access to the device!
Sticky
carlsondale@... 6th Oct 2006
The switch can remember dynamically learned addresses when the switch is restarted. The command is "switchport port-security mac-address sticky" to enable the learning process.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d6a38.html
Good tip
ddavis@... 6th Oct 2006
Hi Dale,
That is a good tip - the sticky command.
Thanks for pointing that out!
David
The MACs are written into the startup config.
VMPS
amanr 6th Oct 2006
Hello people - but have any of you heard of/used VMPS? You can secure ports to VLANs and by MAC address dynamically - you also do not need to worry about employees moving around the office - the VLAN and MAC address will follow them to the new port. You can shut off ports and do all the other security stuff mentioned in this article. Of course a platform that supports VMPS - such as a Catalyst 4000 switch or other - is needed. There is also a Unix-based VMPS server that can be used, which takes away the need to have a Cisco-based VMPS server.
Aman is right.

Only use port security if you have a small network or a lot of time. I appreciate the article, but to sell port security as a "lock down" is misleading.

I operate a network w/ ~1000 authorized nodes spanning 9 buildings on a university campus. We used port security for a year when we were trying to tighten down our physical infrastructure... Our helpdesk requests soared for change, move, add requests. Port security is simply MAC based, and can be messed up by users trying to use hubs. The switch ports often won't deal w/ second addresses on the secure ports.

We use VMPS at this point. We collect authorized MAC addrs into a MySQL DB, use Perl scripts to assign them to specific VLANs, assign them static IPs in DHCP, update our VMPS tables and DHCP configs, push them to a router, voila! Lighter load on the helpdesk.

The Problem:
It is no more secure than port security. MAC based security is a waste of time. 802.1x is the future. With VMPS and static DHCP we have the same level of "security" as we would with port security, but have much more automation and flexibility.

We will soon build a solution to implement 802.1x with the same level of automation, but now will use local certs for authorized machines, and MACs only for correct VLAN assignment, etc.

-Demian
802.1X
JaredH 9th Oct 2006
If you really want true port security, MAC addresses are not the way to go. Although it is true that physical access does equal less security, I still think there is a way.

Why not use 802.1X on all ports.... if you don't authenticate, the port disables.
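A switch-side 802.1X configuration, added here as an illustration of the approach JaredH describes; it is not from the article or from any commenter. It assumes a Catalyst running IOS with a reachable RADIUS server; the server address, shared secret, interface and VLAN numbers are placeholders. With `dot1x port-control auto` a port stays in the unauthorized state (only EAPOL passes) until the attached host's supplicant authenticates through RADIUS.

```cisco
! Added example (not from the article or comments); assumes a Catalyst
! running IOS. RADIUS address, shared secret, interface and VLAN numbers
! are placeholders chosen for illustration.
!
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
!
! Enable 802.1X globally; without this the interface commands have no effect.
dot1x system-auth-control
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 ! The switch acts as authenticator. The port forwards nothing but EAPOL
 ! until the supplicant on the attached host passes RADIUS authentication.
 dot1x pae authenticator
 dot1x port-control auto
 ! Re-authenticate every hour so an authorized session does not live forever.
 dot1x reauthentication
 dot1x timeout reauth-period 3600
!
! Verification, from privileged EXEC:
! show dot1x all
! show dot1x interface FastEthernet0/3
```

This covers only the switch. The host needs an 802.1X supplicant and the RADIUS server needs a matching client entry and user or machine credentials; a port with an IP phone or hub behind it needs a multi-host mode rather than the single-host default shown here.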
VMPS?
malone@... 10th Feb 2007
Forgive my ignorance, but what is VMPS?

Is it a piece of hardware or a dedicated server, or, something that is built in to my Catalyst 4506 switch!?
VMPS
briandao@... 13th Nov 2007
VLAN Management Policy Server - software used to manage switch ports and assign them to VLANs based on the MAC address of network devices.

It comes at additional cost and is not built in.
VMPS???
dubai_beachbum@... 25th Jan 2008
VMPS is something that you shouldn't worry about. It is an old and clunky way of doing things that people who can't figure out 802.1x use...
I know this discussion is about Cisco port security, but this needs to be said. Real switch port security is not just about MAC-locking, but true policy-based access to the port dynamically no matter who plugs in where.

By no means is this a Cisco-bashing post, but rather to make everyone aware of what true port security should be.

Cisco's forte has always been routing; unfortunately, as the years have passed, the IOS has become so bloated that it is starting to attract a lot of individuals who want to exploit the numerous holes in it that you could drive a truck through. That is another whole discussion in itself.

But in the switching arena, Cisco may claim to have 60-70% of the market (another discussion about misleading where sales actually come from) but they are way behind on the technology. Others out there such as Foundry, Extreme, HP, 3Com, and Enterasys all have much better technology and security. In particular, Enterasys Networks switching and switch/router lines have been ASIC based and security based (Secure-Fast) since the inception back in the Cabletron days. Enterasys actually embeds the security right into the ASIC and firmware and has, in my opinion, a major lead over Cisco and others in the area of port security.

Enterasys uses true policy-based security all the way down to the port level. What this means is that any user can log into any port on the LAN and once they authenticate the user's credentials allow them access to the necessary resources on the local LAN. If a user or vendor tries to plug into any port they don't get access to anything other than a default page that gives them instructions on what to do to obtain authorized access to the LAN. It is totally up to the local LAN administration to determine what the unauthenticated users get. The point is it is fully dynamic. Just about every aspect of a TCP packet you can control. Say you have people in your organization that don't need access to certain TCP/UDP ports on the LAN. The dynamic policy can assign those restrictions when the user logs in, no matter what port they connect to. Sure, most all the major players can do MAC-locking at the port level, but to have true security you need true policy-based security in your switching environment and Cisco just cannot do that at this time. Sure you can also put in place what Cisco calls additional security such as ACLs, but again that is so basic and nothing like true port-based security based on dynamic policy applied at the port level.

It is time for Cisco to get with the program and stop pushing their switching gear on the consumer with limited security and older technology only so they can sell you more hardware down the road as they take baby-steps getting where the rest of the industry is on security. But then they couldn't sell all that hardware that they force you to buy when they EOL something you just bought the year before. I can say this because I have been through it too many times in the last few years. They call it keeping up with technology, but it is really nothing more than Cisco staying in your pocket.

Regards;
Cisco URT
mpiazza@... Updated - 10th Oct 2006
Cisco used to have a product called "URT" (User Registration Tool). It basically controlled user switchports by keeping them in a separate VLAN until a user authenticated via LDAP or whatever, then URT would move the switchport into the proper VLAN so the user could work on the network. This tool was not only good for port security, but you could set it up to scan the workstation for proper patch levels, etc. I had tested it a couple of years ago and it worked great but never implemented it. Apparently now this product is EOL. Does anyone know if there is a replacement for this? I know 802.1x is the future, but will it contain the features that URT had?
Cisco has a complete NAC product line based on 33xx appliances and the software from their Perfigo acquisition several years ago. This solution provides 802.1x-like authentication, profiling of workstations and other add-ons such as Profiler (which monitors non-802.1x devices for access and behavior) and Guest Server.
Yes, as a general rule the MAC address table stores the address for 300 seconds. If the device (in this case a NIC) does not communicate for 300 seconds the switch deletes the address.

As to your second question physical access is always going to be a problem no matter what type of logical security you try to implement on a switch/router so be careful who has access to your device. If you gave me or any other CCNA access to your Cisco device that is password protected we could break it within one minute. Is this a security risk? Yes. Is it a security flaw? No, because the process is simple password recovery and well documented by Cisco.

That being said the dynamic MAC addresses are stored in RAM, but I believe static MAC addresses are stored in NVRAM. Therefore, the dynamic addresses would be erased by power-cycling but the static entries would not.
Table of MACs
PandL 6th Oct 2006
In a large corporation, I can see this being an administrative nightmare, especially one in which there are frequent employee moves. Is there a way to set up a table of MACs on a switch and allow any of these MACs to connect to a port on the switch (in a specific VLAN would really be great)?

As far as sending an SNMP trap when a link is enabled, how would you filter out reboots?

Thanks
Table of MAC's
ddavis@... 6th Oct 2006
Hi PandL,
Anytime you have port security and frequent employee moves you just have to get employees into the habit of contacting the IS dept/Network admin anytime there is a move.

I can see where you could set up an access-list on the switch with a list of MACs and only allow those MACs. I haven't tried that but I would think it could be done. Instead, maybe you would want to look at using 802.11x. That would secure connecting to the Ethernet network with a username & password (like a Windows username/password). With that, employees could move wherever they want as long as they have a valid username/password.

I don't know of a way to filter out reboots but hopefully you don't reboot your switches very often.

Thanks for the post & the questions!

David
Thanks
PandL 6th Oct 2006
I'll look into the ACL and 802.11x.

On the reboots, I should have clarified the rebooting of workstations which cause the link status to go down and back up. Sorry about that.
Application
LDICK 6th Oct 2006
I don't know the answer to your question, regarding the table. However, I agree with you about the nightmare. Fortunately, one of our administrators wrote a small app that scans our switches for ports that are shutdown. It will then allow you to enable the port or clear the MAC at the click of a button.

I have our interns running this at the Help Desk. Unfortunately, it doesn't always work and it only works on the CatOS. In this case I have to intervene and bring the port up.
perl module
lesko 6th Oct 2006
There's a Perl module available called Net::Telnet::Cisco: http://ntci.sourceforge.net/index.php

This allows you to script a bunch of stuff and make a web front end for it. A friend wrote one that allows our help desk to activate and de-activate meeting room ports (which involves clearing the sticky MAC and then turning on the port, and then disabling the port and also clearing the sticky MAC). Email me if you want a copy of the scripts. ko.leslie at gmail dot com
Filtering out reboots would not be a problem due to the fact that the MAC address table only deletes entries if there is no activity on the port for 300 seconds (5 minutes). The SNMP trap only goes off if another MAC address is attempting to use a port when port security is enabled, the max. # of addresses allowed is met, and the port security violation is set to "restrict".
Thanks for your brilliant help.
no MAC but IP!
abahou@... 25th Apr 2007
Is it possible to secure a port to allow a static IP instead of a MAC address? I heard this could be done using VLANs but I am not sure of the technical aspect or the design to do it.
Really helpful and detailed article for switch-port security
I assume you configure port security to allow 2 MACs if you had an IP phone on the port with the PC attached to the Cisco IP phone?
I use the errdisable recovery cause command to bring back up the switchport if the violation is a port security MAC violation.

Self healing. What I use port security for is two MACs or more. So if someone was to plug a switch into my network somewhere, the port would go down on the second MAC, i.e. save my bacon, no STP loops etc...
Having trouble getting port status to secure-up.

Thx for any help
What happens if I have two devices: An IP Phone on VLAN (voice) 1, and one PC on VLAN 2?
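A port-security configuration that ties together several points raised in this thread: Dale's sticky-MAC tip, lesko's note that the trap fires in "restrict" mode, the errdisable recovery command mentioned above, and the two questions about an IP phone with a PC behind it on separate voice and data VLANs. It is added here as an example and is not from the article or from any commenter; it assumes a Catalyst access switch running IOS, and the interface names, VLAN numbers and timers are placeholders.

```cisco
! Added example (not from the article or comments); assumes a Catalyst
! access switch running IOS. Interfaces, VLAN numbers and timers are
! placeholders chosen for illustration.
!
! Global: raise an SNMP trap on each port-security violation, and let a
! port that was err-disabled by a violation come back by itself after
! 5 minutes instead of waiting for a manual shutdown / no shutdown.
snmp-server enable traps port-security
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Plain user port: one station, learned on first use and kept as a sticky
! entry so it survives a reload once the config is saved.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! IP phone with a PC behind it: two addresses in total, but one slot on the
! data VLAN and one on the voice VLAN, so a second PC cannot use the phone's
! slot. "restrict" drops frames from any extra MAC and sends the trap without
! err-disabling the port, so the phone keeps working.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Sticky addresses are learned into the running config; save it or they are
! lost on the next reload (privileged EXEC, not config mode):
! copy running-config startup-config
!
! Verification, from privileged EXEC:
! show port-security interface FastEthernet0/2
! show port-security address
! show errdisable recovery
```

The per-VLAN maximums are what answer the phone-plus-PC case: a flat `maximum 2` would also let two PCs through if the phone were unplugged, whereas one slot per VLAN keeps the data VLAN limited to a single host. Note that a rebooting workstation does not trigger a violation, since its sticky entry is already in the allowed list; only a different MAC appearing once the maximum is reached does.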