To control who is allowed to plug into our network at the switch-port level, we can use two methods:
– Port-security (securing our ports by MAC address)
– Port-based authentication (securing our ports with the 802.1X protocol)
A MAC address is the address that identifies a network card.
It is meant to be unique worldwide (the manufacturer burns it into the card), which is why port-security uses it to decide whether a client is allowed on a port or not.
There are three possible reactions (the "violation mode") when a client shows up with an unauthorized MAC address:
– shutdown: the port goes into ERR-DISABLE mode. Human action is needed to bring it back into service ("shutdown" then "no shutdown" on the interface in question). The switch logs the violation and increments the port's violation counter. This is the default mode.
– restrict: the port drops all frames received from the unauthorized MAC address but keeps processing frames from authorized MAC addresses. The switch logs the violation and increments the port's violation counter.
– protect: same as "restrict", except that the switch keeps no record of the violation (no counter, no log message).
Activation of the "port-security"
Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
The port must first be set statically to access (or trunk) mode: IOS rejects "switchport port-security" on a port left in the default dynamic (DTP) mode.
Authorized addresses can be entered by hand:
Switch(config-if)#switchport port-security mac-address 0000.0000.0001
Switch(config-if)#switchport port-security mac-address 0000.0000.0002
Switch(config-if)#switchport port-security mac-address 0000.0000.0003
Etc..
Or learned dynamically ("sticky"), up to a maximum number of addresses:
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 10
With "sticky", the first 10 MAC addresses seen on the port (the default maximum is 1) are learned dynamically and written into the running-config as static entries. Save the configuration ("copy running-config startup-config") or they are lost at the next reboot.
Finally, choose the reaction to an unauthorized address:
Switch(config-if)#switchport port-security violation [shutdown|restrict|protect]
Switch#show port-security
This command shows the status of the ports using "port-security" (maximum, current count, violation count and violation mode per port). For the details of one port, including the secure addresses it has learned:
Switch#show port-security interface FastEthernet 0/1
Switch#show interfaces status err-disabled
This command shows us the ports in "err-disable" mode and the reason (psecure-violation).
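The two violation modes that keep a record ("restrict" and "shutdown") also send syslog messages from the switch, and that is what a monitoring system should watch rather than somebody typing the "show" commands by hand. Below is an added example, not code from the article: a small Python script that reads such messages and reports, per port, which MAC addresses caused violations and whether the port ended up err-disabled, and flags an unauthorized MAC that shows up on several ports (usually one device trying port after port). The sample lines are constructed in the format IOS uses for its PSECURE_VIOLATION and ERR_DISABLE messages; the timestamps, MAC addresses and port numbers are made up, and the short-to-long interface name table is an assumption of the script.

```python
"""Spot port-security violations and err-disabled ports in switch syslog.

Added example, not from the article. The sample log is constructed in the
message format Cisco IOS uses; addresses, ports and timestamps are made up.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one violation that err-disables Fa0/1, then the same
# intruder MAC (plus a second one) hitting Fa0/7, which is in restrict mode.
SAMPLE_LOG = """\
Mar  1 10:02:11.003: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port FastEthernet0/1.
Mar  1 10:02:11.004: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
Mar  1 10:02:12.010: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Mar  1 10:05:40.221: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd01 on port FastEthernet0/7.
Mar  1 10:05:41.300: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.dd02 on port FastEthernet0/7.
Mar  1 10:09:00.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

# "protect" mode produces neither of these messages: it drops silently.
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$"
)
ERRDISABLE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),"
)

# Assumed mapping: IOS writes 'Fa0/1' in some messages and 'FastEthernet0/1' in others.
SHORT_NAMES = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}


def normalize_port(name: str) -> str:
    """Expand an abbreviated interface name so both spellings key the same port."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    if not m:
        return name
    prefix, rest = m.groups()
    return SHORT_NAMES.get(prefix, prefix) + rest


def analyse(log: str) -> Dict[str, dict]:
    """Per port: offending MACs, number of violations, and err-disabled state."""
    report = defaultdict(lambda: {"macs": set(), "violations": 0, "err_disabled": False})
    for line in log.splitlines():
        m = VIOLATION.search(line)
        if m:
            entry = report[normalize_port(m["port"])]
            entry["macs"].add(m["mac"])
            entry["violations"] += 1
            continue
        m = ERRDISABLE.search(line)
        if m:
            report[normalize_port(m["port"])]["err_disabled"] = True
    return {port: {**e, "macs": sorted(e["macs"])} for port, e in report.items()}


def roaming_macs(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Unauthorized MACs seen on more than one port: one device walking the ports."""
    seen = defaultdict(list)
    for port, entry in report.items():
        for mac in entry["macs"]:
            seen[mac].append(port)
    return {mac: sorted(ports) for mac, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for port, entry in sorted(result.items()):
        print(port, entry)
    print("roaming:", roaming_macs(result))
```

Feed it the output of "show logging" or the syslog collector's file for the switch; a port with violations but no ERR_DISABLE message is one running in restrict mode, and a MAC listed under several ports deserves a walk to the patch panel.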
To restore an "err-disable" port to working order, remove the unauthorized equipment from the port and then do:
Switch(config)#interface FastEthernet X/X
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
If the unauthorized device is still connected, the port will simply go back into err-disable at its next frame. The switch can also be told to recover such ports by itself after a delay (300 seconds by default), which avoids a trip to the switch but also lets an attacker keep retrying:
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 300
Weakness of the port-security
Port-security secures access to our network based on the MAC address.
This MAC address is easily changed from the operating system of any host…
To show the weakness, let us put ourselves in the shoes of a malicious person.
A malicious person wants to connect to our network. To do so, they have to take the place of an authorized host, so that the port is open and sits in a usable VLAN.
For that, they unplug a legitimate client from the network and connect it directly (point to point) to their own machine.
1 – Using Wireshark, they read the client's IP address and MAC address from the first frames it sends.
2 – They assign themselves the client's IP address.
3 – They set their own network card to the client's MAC address, with a tool such as Technitium MAC Address Changer on Windows (on Linux, "ip link set dev eth0 address" does the same).
All that remains is to plug into the switch port in the client's place, and the trick is done! The switch sees an authorized MAC address and forwards the traffic; static or sticky entries make no difference, since the address matches.
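To see concretely how the three violation modes react to the same traffic, and why the cloned MAC address above goes straight through, here is an added example that is neither code from the article nor anything from Cisco: a small Python model of one secure port reproducing the behaviour described in the "port-security" section (maximum, static and sticky entries, the shutdown / restrict / protect modes, and the "shutdown" / "no shutdown" recovery). All traffic is constructed; the client address reuses 0000.0000.0001 from the configuration above, and the intruder's own address is made up.

```python
"""Toy model of Cisco port-security on a single access port.

Added example, not from the article and not Cisco code. It reproduces the
behaviour the article describes so the violation modes can be compared and
the MAC-cloning weakness can be shown. MACs are strings in Cisco dotted
notation; all traffic below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FORWARD, DROP, ERRDISABLED = "forward", "drop", "err-disabled"


@dataclass
class SecurePort:
    maximum: int = 1              # switchport port-security maximum N (IOS default is 1)
    violation: str = "shutdown"   # switchport port-security violation {shutdown|restrict|protect}
    sticky: bool = False          # switchport port-security mac-address sticky
    secure: set = field(default_factory=set)   # static + sticky entries (survive a port bounce)
    dynamic: set = field(default_factory=set)  # learned without sticky (flushed when the port goes down)
    violation_count: int = 0      # the SecurityViolation column of "show port-security"
    err_disabled: bool = False

    def _known(self) -> set:
        return self.secure | self.dynamic

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        if mac not in self._known() and len(self._known()) >= self.maximum:
            raise ValueError("secure address table is full")
        self.dynamic.discard(mac)
        self.secure.add(mac)

    def receive(self, src_mac: str) -> str:
        """Return what the port does with one frame whose source is src_mac."""
        if self.err_disabled:
            return ERRDISABLED                      # nothing passes until the port is bounced
        known = self._known()
        if src_mac in known:
            return FORWARD                          # the switch only ever checks the address
        if len(known) < self.maximum:               # free slot: learn the address
            (self.secure if self.sticky else self.dynamic).add(src_mac)
            return FORWARD
        # Table full and the source is unknown: a security violation.
        if self.violation == "protect":
            return DROP                             # silent: no counter, no log
        self.violation_count += 1                   # restrict and shutdown both record it
        if self.violation == "restrict":
            return DROP                             # port stays up for authorized addresses
        self.err_disabled = True                    # shutdown: the whole port goes err-disabled
        return ERRDISABLED

    def bounce(self) -> None:
        """Operator runs 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False
        self.dynamic.clear()                        # static/sticky entries are kept


def run(port: SecurePort, frames: List[str]) -> Tuple[List[str], int, bool]:
    """Push frames through the port; return actions, violation count, err-disabled flag."""
    actions = [port.receive(mac) for mac in frames]
    return actions, port.violation_count, port.err_disabled


CLIENT = "0000.0000.0001"       # the legitimate host, address taken from the article's config
INTRUDER = "00aa.bbcc.dd01"     # the attacker's own NIC address (constructed)


def compare_modes() -> Dict[str, Tuple[List[str], int, bool]]:
    """Same traffic through a maximum-1 sticky port in each violation mode."""
    traffic = [CLIENT, INTRUDER, CLIENT]    # client learned, intruder appears, client sends again
    return {mode: run(SecurePort(maximum=1, violation=mode, sticky=True), traffic)
            for mode in ("shutdown", "restrict", "protect")}


def spoofed_client() -> Tuple[List[str], int, bool]:
    """The weakness: the intruder unplugs the client and sends with the client's MAC."""
    port = SecurePort(maximum=1, violation="shutdown", sticky=True)
    port.add_static(CLIENT)
    return run(port, [CLIENT])              # indistinguishable from the real client's frame


if __name__ == "__main__":
    for mode, (actions, count, down) in compare_modes().items():
        print(f"{mode:9} actions={actions} violations={count} err-disabled={down}")
    print("spoofed   ", spoofed_client())
```

Run it and note that in "shutdown" mode the legitimate client is cut off together with the intruder (a cheap denial of service against any port you can reach), while "restrict" and "protect" differ only in whether the event is counted; in every mode the frame carrying the cloned address is forwarded, because the address is the only thing the switch checks.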
Port-security is one method of securing access to the network.
It's not the best, but it's better than nothing!
This solution is easy to implement, and an average user is not going to bother looking for a way to connect illegally to your network. A malicious person, on the other hand, needs about 5 minutes to get in.
For a sensitive network, look to "Port-Based Authentication" (802.1X), which authenticates the host or user rather than trusting an address the host itself announces.
Hoping this article has been helpful to you! Don't hesitate to let me know!!
This site has other networking articles; take the opportunity to browse the menu bar!