CCNP Security (SENSS) - PORT SECURITY - Lesson # 03
PC1 and PC2 are connected to the switch and can talk to each other without any
interruption or delay. The switch has learned the MAC addresses of both PCs in its
CAM table and forwards each frame only out of the port where the destination lives.
Now let's say a Kali box is plugged into a switch port and floods the switch with
bogus source MAC addresses. We used Kali for the test, but any device that can send
frames with forged source MACs will do; here Kali runs the 'macof' utility, which
generates frames with random source and destination MACs at a rate of many thousands
per second. The switch learns a CAM entry for every new source MAC it sees, and the
CAM (Content Addressable Memory) table has a fixed size (a few thousand to a few
hundred thousand entries, depending on the platform). Once it is full, the switch
cannot learn any new addresses, including those of legitimate hosts whose entries
have aged out, so frames for those hosts are treated as unknown unicast and flooded
out every other port in the VLAN, just as a hub would do.
Because the switch is now flooding the VLAN's traffic out every port in that VLAN,
the Kali box sees the frames that were meant for PC1 and PC2. This is a CAM table
overflow attack, also called MAC flooding. So how do we stop it? Let's see.
Port security. We can limit the number of MAC addresses allowed on a switch port.
Let's say we configure a maximum of 5. Once the port has learned 5 secure MAC
addresses and a sixth one shows up, the switch takes a violation action. The four
violation actions are P/R/S/S: Protect, Restrict, Shutdown and Shutdown VLAN. By
default the maximum is one MAC address and the action is shutdown. The options
below become available once port security is enabled on the interface.
Protect – The switch keeps the first 5 MAC addresses it learned and silently drops
frames from any other source MAC; it does not learn them. The problem is that we
cannot see it happening: protect generates no syslog message and no SNMP trap, and
it does not increment the port's violation counter. It does the job, but with no
alert, so protect is normally not the violation action we want, because we want to
know when a violation occurs.
Restrict – Drops the offending frames the same way protect does, but also sends a
syslog message and an SNMP trap and increments the violation counter, while keeping
the port up. Not every switch supports every violation mode; it depends on the
hardware and the software release, so check the configuration guide for your platform.
Shutdown – This is the default action. With a maximum of 5 configured, the 6th MAC
address puts the port into the err-disabled state (effectively shut down), and a
syslog message and SNMP trap are generated. The port stays down until an
administrator does a shutdown followed by no shutdown on it, or until errdisable
recovery for the psecure-violation cause brings it back automatically.
Shutdown VLAN – The last option is also a shutdown, but not of the whole interface:
only the VLAN in which the violation happened is err-disabled on that port, and the
other VLANs on it keep working. This is mainly useful on trunk and voice ports.
In port security we have three ways of defining secure MAC addresses (Dynamic,
Static, Sticky):
- Dynamic – The switch port learns the MAC address dynamically when a device is connected. These entries live only in the CAM table; they are lost when the port goes down or the switch reboots, and are relearned afterwards.
- Static – We hard-code the MAC address of the device that is going to connect to the port with the switchport port-security mac-address command. Once port security is enabled with a static entry, any frame from a different source MAC beyond the configured maximum is a security violation and the port takes the configured action. The problem is scale: with 100 devices on the network it is not practical to type in all 100 MAC addresses by hand. The static entries are stored in the running-config; we then use WR (write memory) to copy the running-config into the startup-config, which lives in the switch's NVRAM, so they survive a reboot.
- Sticky – With 100 PCs it is not practical to configure every MAC address, so we use sticky. When sticky is enabled under port security, the switch learns the MAC addresses dynamically, converts them into sticky secure entries, and adds them to the running-config as if they had been typed in. We then save them to the startup-config. If they were saved, the switch still has them after a reboot and nothing needs to be relearned; if they were not saved, they are lost on reboot and the switch will secure whatever addresses appear next, which is why the save step matters.
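Putting the violation actions and the three ways of defining secure addresses together, here is an added example of an access-port port-security configuration in Cisco IOS syntax. It is not from the original lesson; the interface names, VLAN 10, the MAC address 0011.2233.4455 and the limits are assumed values for illustration.

```cisco
! Added example (not from the lesson). Interface names, VLAN IDs, the
! MAC 0011.2233.4455 and the limits are assumed values.
!
! Global: let ports err-disabled by a shutdown violation recover on their
! own after 5 minutes instead of waiting for a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! PC1 port: sticky learning. The first 2 source MACs seen are learned
! dynamically and written into the running-config as sticky entries.
! A 3rd source MAC is dropped and logged (restrict); the port stays up.
! Port security is rejected on a DTP dynamic port, so set the mode first.
interface GigabitEthernet1/0/1
 description PC1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Printer with a known MAC: static entry, default maximum of 1, default
! violation action (shutdown). Any other source MAC err-disables the port.
interface GigabitEthernet1/0/2
 description Printer
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
! Unassigned port where the Kali box was plugged in: dynamic learning
! with the defaults (maximum 1, shutdown), so a macof flood err-disables
! the port on the second source MAC instead of filling the CAM table.
interface GigabitEthernet1/0/3
 description Unassigned
 switchport mode access
 switchport access vlan 10
 switchport port-security
!
end
! Sticky and static entries exist only in the running-config until saved.
write memory
!
! Verification
show port-security
show port-security interface GigabitEthernet1/0/1
show port-security address
show interfaces status err-disabled
!
! Manual recovery of a port shut down by a violation:
!   interface GigabitEthernet1/0/3
!    shutdown
!    no shutdown
```

The show port-security interface output is the quick check: it lists the violation mode, the maximum and current secure address counts, the last source MAC seen and the violation counter, which is the number that stays at zero under protect and climbs under restrict and shutdown.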
Port security can be set on an access port or a trunk port, but the port must be a
static access port or a static trunk port. Port security does not work on a dynamic
port (DTP auto or desirable), and IOS rejects the command on such a port, so set
switchport mode access or switchport mode trunk first.
When a trunk is configured, many MAC addresses pass through it. Here we can
configure port security per VLAN with the vlan keyword on the maximum command: an
overall limit for the trunk plus a separate limit for each VLAN carried on it, so a
flood in one VLAN cannot use up the whole port's allowance. Combine this with
restricting the allowed VLAN list on the trunk to just the VLANs that need to cross it.
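An added example of the per-VLAN limits on a trunk, in Cisco IOS syntax; it is not from the original lesson, and the interface name, VLAN IDs and limits are assumed.

```cisco
! Added example (not from the lesson). Interface, VLAN IDs and limits are assumed.
interface GigabitEthernet1/0/24
 description Trunk to access switch
 ! The encapsulation line is only needed on platforms that ask for it;
 ! dot1q-only switches reject it.
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Only carry the VLANs that need to cross this trunk
 switchport trunk allowed vlan 10,20
 switchport port-security
 ! Whole-port ceiling across all VLANs
 switchport port-security maximum 40
 ! Per-VLAN ceilings, so a flood in VLAN 10 cannot consume VLAN 20's share
 switchport port-security maximum 20 vlan 10
 switchport port-security maximum 20 vlan 20
 ! Only the offending VLAN is err-disabled on this port; the other keeps flowing
 switchport port-security violation shutdown vlan
!
show port-security interface GigabitEthernet1/0/24
show port-security interface GigabitEthernet1/0/24 vlan
```

The whole-port maximum still applies on top of the per-VLAN values, so the per-VLAN numbers should add up to no more than the port maximum, and the same errdisable recovery cause used for full-port shutdown also recovers a VLAN that was shut down by a violation.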
We have another option called aging. For dynamically learned secure MAC addresses
we can set how long an entry stays secured on the port before it is removed. Aging
does not trigger a violation action; it simply frees the slot so that another
address can be learned, which is what we want on ports where devices come and go.
There are two aging types: inactivity, where the timer restarts every time the
address is seen and the entry is removed after that many minutes of silence, and
absolute, where the entry is removed a fixed number of minutes after it was
learned even if the host is still active. Aging is off by default, and a separate
option turns it on for static secure entries as well.
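An added example of both aging types, in Cisco IOS syntax; it is not from the original lesson, and the interface names, VLAN and timer values are assumed.

```cisco
! Added example (not from the lesson). Interfaces, VLAN and timers are assumed.
!
! Hot-desk port: up to 3 devices, offenders dropped and logged, and a
! secure dynamic MAC is released after 30 minutes with no traffic from it.
interface GigabitEthernet1/0/5
 description Hot-desk port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 30
 switchport port-security aging type inactivity
 ! Also let any statically configured secure MAC on this port age out
 switchport port-security aging static
!
! Absolute variant: the entry is removed 8 hours after it was learned,
! whether or not the host is still talking. Time is in minutes (1-1440).
interface GigabitEthernet1/0/6
 description Visitor port
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 480
 switchport port-security aging type absolute
!
show port-security interface GigabitEthernet1/0/5
show port-security address
```

The show port-security interface output reports the aging time, aging type and whether static aging is on, and show port-security address lists the remaining age of each entry, which is the place to confirm that an entry really was released rather than counted as a violation.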