Understanding Layer 2 switch port security

Safe Switch

802.1X

Another approach to port security is implemented through the IEEE 802.1X network standard [5], which is a scalable, wired network authentication solution for port-based network access control. As shown in Figure 9, the client device (supplicant) requests to attach to the switch port by using the Extensible Authentication Protocol (EAP). The EAP message carries authentication information such as a username, password, MAC address, or even a digital certificate. When the switch (authenticator) receives the request, it forwards the credentials to an authentication server, which may be a Remote Authentication Dial-In User Service (RADIUS) server or an agent that connects to an Active Directory server. Until that server answers, the port passes only EAP traffic. Finally, the authenticator opens the port for the client if the server validates the provided information.

Figure 9: IEEE 802.1X connection model.
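The three-party exchange in Figure 9, modelled as an added Python example (this is not code from the article or from any switch or RADIUS vendor). It shows the point that matters to a defender: an unauthorized port drops every frame except EAPOL, the switch never judges credentials itself but relays them to the server inside an Access-Request, and the port opens only for the MAC that received Access-Accept. Two simplifications are assumed: the EAP method exchange is collapsed to a single credential proof, and RADIUS attributes are serialized as text lines rather than RFC 2865 TLVs (the Message-Authenticator is still an HMAC-MD5 keyed with the shared secret, as RFC 3579 requires for EAP-carrying packets). All usernames, MAC addresses, port names and secrets are constructed.

```python
import hashlib
import hmac
import secrets

EAPOL_ETHERTYPE = 0x888E  # EAP over LAN: the only traffic an unauthorized port accepts


def message_authenticator(secret: bytes, attrs: dict) -> bytes:
    """HMAC-MD5 over the request attributes, keyed with the switch/server shared secret.
    Simplification (assumption): attributes are serialized as sorted text lines,
    not as RFC 2865 TLVs; the Message-Authenticator field itself is left out."""
    body = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs) if k != "Message-Authenticator")
    return hmac.new(secret, body.encode(), hashlib.md5).digest()


class RadiusServer:
    """Authentication server. Stores salted PBKDF2 hashes, never plaintext passwords."""

    def __init__(self, shared_secret: bytes, users: dict):
        self.secret = shared_secret
        self.users = users  # username -> (salt, pbkdf2 hash)
        self.log = []       # what an admin would see in the server log

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def access_request(self, req: dict) -> str:
        # First prove the request came from a switch that knows the shared secret
        expected = message_authenticator(self.secret, req)
        if not hmac.compare_digest(expected, req["Message-Authenticator"]):
            self.log.append(f"reject {req['Calling-Station-Id']}: bad Message-Authenticator")
            return "Access-Reject"
        entry = self.users.get(req["User-Name"])
        if entry and hmac.compare_digest(self.hash_password(req["EAP-Message"], entry[0]), entry[1]):
            self.log.append(f"accept {req['User-Name']} from {req['Calling-Station-Id']}")
            return "Access-Accept"
        self.log.append(f"reject {req['User-Name']} from {req['Calling-Station-Id']}: bad credentials")
        return "Access-Reject"


class Supplicant:
    """Client device. Only holds its own MAC and credentials."""

    def __init__(self, mac: str, identity: str, password: str):
        self.mac, self.identity, self.password = mac, identity, password

    def eapol_start(self) -> dict:
        return {"src_mac": self.mac, "ethertype": EAPOL_ETHERTYPE, "supplicant": self}

    def data_frame(self) -> dict:  # ordinary IPv4 traffic
        return {"src_mac": self.mac, "ethertype": 0x0800}


class SwitchPort:
    """Authenticator. Relays EAP to the server; opens the port only on Access-Accept."""

    def __init__(self, name: str, server: RadiusServer, shared_secret: bytes):
        self.name, self.server, self.secret = name, server, shared_secret
        self.state = "unauthorized"
        self.authorized_mac = None

    def forward(self, frame: dict) -> str:
        """Data-plane decision for a frame arriving on this port."""
        if frame["ethertype"] == EAPOL_ETHERTYPE:
            return self.handle_eapol(frame)
        if self.state == "authorized" and frame["src_mac"] == self.authorized_mac:
            return "forwarded"
        return "dropped"  # unauthorized port: everything except EAPOL is blocked

    def handle_eapol(self, frame: dict) -> str:
        # EAPOL-Start -> EAP-Request/Identity -> EAP-Response/Identity, then the EAP
        # method exchange (collapsed here to one credential proof, an assumption)
        supplicant = frame["supplicant"]
        req = {
            "User-Name": supplicant.identity,
            "Calling-Station-Id": frame["src_mac"],
            "NAS-Port-Id": self.name,
            "EAP-Message": supplicant.password,
        }
        req["Message-Authenticator"] = message_authenticator(self.secret, req)
        if self.server.access_request(req) == "Access-Accept":
            self.state, self.authorized_mac = "authorized", frame["src_mac"]
            return "EAP-Success"
        self.state, self.authorized_mac = "unauthorized", None
        return "EAP-Failure"


if __name__ == "__main__":
    secret, salt = secrets.token_bytes(16), secrets.token_bytes(16)
    server = RadiusServer(secret, {"alice": (salt, RadiusServer.hash_password("correct horse", salt))})
    port = SwitchPort("Gi1/0/7", server, secret)
    alice = Supplicant("00:11:22:33:44:55", "alice", "correct horse")
    print(port.forward(alice.data_frame()))   # dropped: port not yet authorized
    print(port.forward(alice.eapol_start()))  # EAP-Success
    print(port.forward(alice.data_frame()))   # forwarded
    print(server.log)
```

Running the script walks one client through the sequence; the same objects also let you check the failure modes an administrator cares about: a second device on the port with a wrong password drops the port back to unauthorized, and a switch that does not know the shared secret is rejected by the server before any credential is examined, which is why the shared secret deserves the same care as the user database.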

Conclusion

Although wireless connections are very common nowadays, wired networks are still widely used for commercial office networks because of their high speed, stability, and security. The basic design of the wired Ethernet network puts the security on the perimeter and assumes all users on the local network are trusted. An intruder who is able to attach to a switch within the local network can easily gather information for an attack – unless you implement some form of port security. Individual port security configuration should be used on small- to medium-sized networks. For a large network infrastructure, you might want to consider the more scalable 802.1X authentication solution.

The Author

Jan Ho is a network engineer living in Hong Kong. He writes network tutorials at http://jannet.hk.

