Understanding Layer 2 switch port security

Safe Switch

Man-in-the-Middle Attack

A man-in-the-middle attack, an advanced version of MAC spoofing, also lets the attacker receive data intended for the victim. The attacker simultaneously relays the messages to the victim, so the victim does not know anyone else is listening. The beauty of this type of attack is that all users can access the network as usual and neither the source nor the destination node have any indication of the attack. If an attacker pretends to be an Internet gateway, all traffic flows through the attacker's device; he or she can observe every connection, look into the packet contents, and analyze users' behaviors. Even with SSL encryption, commonly used in Internet connections, attackers have found ways to work around the protection through social engineering. For example, the attacker could send phishing email to the victim that appears to come from a familiar website.

In addition to enabling surveillance, this kind of attack allows the attacker to change the network's entire traffic pattern (Figure 8). Changes in the traffic path can also bypass the enterprise firewalls and causes LAN hosts to lose virus and malware protection. The attacker may also redirect the traffic by using a rogue DNS server to a fake web server that will collect private information.

Figure 8: The attacker spoofs the gateway's MAC address to cheat the switch sending all Internet traffic. Ettercap can support this type of attack.

Port Security

To protect the MAC address table from attack, you can enable the port security feature [4] on a switch so that only authorized MAC addresses are allowed to attach to the switch. I will use Cisco IOS as an example here.

To change the switch port to access mode and enable the port security feature, you use the following commands:

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

Then, statically add the authorized MAC address to the port.

Switch(config-if)#switchport port-security mac-address ABCD.EF00.0001

From now on, only the host with a MAC address equal to ABCD.EF00.0001 can attach to the switch port FastEthernet 0/1. If any hosts with unauthorized MAC addresses are plugged in to the port, an error message appears, and the port will be put into an errdisable state. No traffic is allowed to pass through until the network administrator resets the port.

However, an enterprise network may have thousands of network ports. The network administrator will be late for lunch logging in to the switch and resetting the port every time someone plugs in an unauthorized device. You can tell the switch to reset the port automatically after some predefined time:

Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 600

sticky

Configuring MAC address entries may be another reason why a network administrator is late for lunch. Compared with one-by-one manual input, sticky is a more scalable setting. By enabling the port security sticky feature at the switch port, the switch will automatically add the first MAC address that connects the port to the configuration file. Use the following command to enable sticky:

Switch(config-if)#switchport port-security mac-address sticky

In some situations, you may need to configure port security to allow more than one MAC address to connect to a port. For example, you may need to add a small switch temporarily for a group of users to share a port. If so, you'll need to increase the maximum accepted MAC addresses for the port that will connect to this new switch from a default value of 1 to the number of connected devices. Remember that the switch itself will need to communicate with other switches, so the total number of new MAC addresses should be the number of hosts plus one.

Switch(config-if)#switchport port-security maximum 5

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Spanning Tree Protocol
    Ethernet is so popular because it simply works and is inexpensive. However, the administration side looks a bit more complicated: For the network to run smoothly, the admin might need to make important decisions about the Spanning Tree protocol.
  • Segmenting networks with VLANs
    Network virtualization takes very different approaches at the software and hardware levels to divide or group network resources into logical units independent of the physical layer. It is typically a matter of implementing secure strategies. We show the technical underpinnings of VLANs.
  • DDoS protection in the cloud
    OpenFlow and other software-defined networking controllers can discover and combat DDoS attacks, even from within your own network.
  • Kali Linux is the complete toolbox for penetration testing
    The Kali Linux distribution is a complete toolbox for penetration testing.
  • Arp Cache Poisoning and Packet Sniffing

    Intruders rely on arp cache poisoning to conceal their presence on a local network. We'll show you some of the tools an attacker might use to poison the arp cache and gather information on your network.

comments powered by Disqus