Port Security is a traffic control feature on Cisco switches that operate in layer 2. It allows an administrator to configure specific switch ports to permit only a specified number of source MAC addresses. One of its primary uses is to prevent “dumb” switches to be added to illegally expand the reach of the network. When these unmanaged devices are added, troubleshooting is complicated. The Port Security feature remembers the Ethernet MAC address which is connected to the switch port and then only permits that single MAC address. Any other MAC addresses that try to use that specific port will be disabled.
While enabling this feature can increase security, it has the disadvantage of only allowing the network administrator to unlock it. This can cause issues in circumstances that require changing devices due to legitimate reasons. Port Security can be started by issuing the ‘Switch(config)# interface f0/13 Switch(config-if)# switchport’ port-security command on an interface.
Besides using the Port Security feature, there are also other ways to secure a switch. By physically securing a switch, you can prevent unauthorized personnel from operating them. This can be achieved by locking the devices in the room and having video surveillance of the area. Next, setting up an adequate password as well as changing it at regular intervals can be of great help. Also, the console port can be set with a timeout value. HTTP servers are enabled by default, however, can be disabled. Rogue trunks must also be addressed. By configuring the switch to access mode, a rogue device cannot be plugged in and turned into a trunk port. CDP can also be used as an attack vector, so to disable it, the ‘no cdp run’ command should be entered.
The guard root feature will further enhance security by preventing intruders from sabotaging or changing the root bridge role. With this enabled, if someone plugs a switch into this port and make themselves the root bridge, the switch will instead place this port into the blocking state. Finally, DHCP attacks can cause numerous issues and provide the means for a man in the middle attacks via rogue DHCP servers. To prevent this, DHCP Snooping can defend against these malicious users by telling the switch which ports the DHCP server is connected to and building a table of all DHCP requests and offers. This information is then used to determine malicious intent.
References:
Davis, David. (2007). Lockdown Cisco switch port security. Retrieved from http://www.techrepublic.com/blog/it-security/lock-down-cisco-switch-port-security-88196/.
Stretch. (2010). Port Security. Retrieved from http://packetlife.net/blog/2010/may/3/port-security/.
Securing The Universe 