Layer 2 managed switches can typically implement port security, which consists of checking the source MAC address of each incoming frame against the address configured for that port.
If a frame with the permitted MAC address is received on a particular port, the switch allows that frame to pass through its switching fabric as normal.
If a frame with any other source MAC address is received on that port, the switch drops it and it proceeds no further. This provides a basic level of security, as only traffic from the user-defined MAC address is allowed on that port.
With this method it is therefore easy to implement basic port security against an intruder who removes the original device and replaces it with one designed for network intrusion, or who cuts the cable to the original device and connects it to their own intrusion device to gain access to the network.
This level of protection is common on most layer 2 managed switches on the market today, and all ComNet managed switches support this capability as standard.
This feature is referred to by many names including (but not limited to) the following:
The issue with traditional Layer 2 MAC filtering/locking as described above is that it can be defeated with relative ease, in a matter of minutes, using readily available software that changes the MAC address a device presents to whatever the intruder wants. In the example below the intruder changes the MAC address of their laptop to match that of the authorised camera and thereby gains access to the network.
So how would a potential intruder know the MAC address of the camera (in this example) in order to be able to spoof that address from their laptop and gain network access?
This could be done in several ways. One simple way is to use a low-cost network tap: the camera is briefly unplugged, connected through the tap (which lets the intruder capture the camera's frames and read its source MAC address), and then quickly reconnected to the network. The operator would see a few seconds of video loss but would be unlikely to attribute this to an intruder, if it was noticed at all.
At the basic level Port Guardian works as a layer 1 protection system, so the data being sent on the port is not important and the switch does not need to inspect it. Port Guardian constantly monitors the enabled ports; as soon as it detects that a cable has been unplugged, or any other link-down event, that port is immediately disabled and the network administrator is notified of the potential intrusion via an SNMP alert (and optionally by a local contact relay, if the particular switch model supports one).
Once Port Guardian has been triggered on a port, that port is in a permanent lock-out condition and will appear dead to the intruder (no LEDs or anything else will work on that port). The port remains in this lock-out condition even if the original, legitimate device is reconnected. The lock-out state can only be cleared by the network administrator through one of 4 possible methods as outlined below:
The contact input method is user configurable and is not enabled by default.
What about cycling power to the switch? This is another user-configurable option. The port lock-out states can be set to clear on a power cycle, or the ports can be set to enter the lock-out condition whenever a power cycle occurs (the most secure option).
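The difference between the two mechanisms described above (a MAC allow list versus a link-state lock-out) is easiest to see by replaying the same sequence of port events through both. The following is an added illustration written for this page, not ComNet code: it models the behaviour the text describes with a constructed event log (camera traffic, an unplug, a laptop first with its own MAC and then spoofing the camera's MAC, a reconnect) and shows which frames each mechanism forwards. The camera MAC, the laptop MAC, the "admin_clear" event and the alert text are assumptions; the real switch exposes its own clearing methods and SNMP traps.

```python
# Simulation of two port protections: a traditional MAC allow list and a
# layer 1 link-state lock-out in the style described for Port Guardian.
# Added example for illustration only; not ComNet firmware or configuration.

CAMERA_MAC = "00:1a:2b:3c:4d:5e"      # assumed MAC of the authorised camera
LAPTOP_MAC = "de:ad:be:ef:00:01"      # assumed MAC of the intruder's laptop

# Constructed event log for one switch port, in order of occurrence.
# Each entry is (event, source_mac); source_mac is only used for "frame".
EVENTS = [
    ("frame", CAMERA_MAC),     # normal camera traffic
    ("link_down", None),       # intruder unplugs the camera
    ("link_up", None),         # intruder connects the laptop
    ("frame", LAPTOP_MAC),     # laptop with its own MAC
    ("frame", CAMERA_MAC),     # laptop now spoofing the camera's MAC
    ("link_down", None),       # intruder puts the camera back
    ("link_up", None),
    ("frame", CAMERA_MAC),     # legitimate camera traffic again
]


class MacFilterPort:
    """Layer 2 port security: forward a frame only if its source MAC matches
    the configured address. Link state is never considered."""

    def __init__(self, allowed_mac):
        self.allowed_mac = allowed_mac.lower()

    def forwards(self, event, src_mac):
        """Return True/False for a frame, None for non-frame events."""
        if event != "frame":
            return None
        return src_mac.lower() == self.allowed_mac


class GuardianPort:
    """Layer 1 lock-out: the first link-down event disables the port and
    raises an alert; the port stays disabled until an administrator clears
    it. Frame contents are never inspected, so spoofing does not help."""

    def __init__(self, lock_on_power_cycle=True):
        self.locked = False
        # True: a power cycle locks the port (most secure); False: it clears it.
        self.lock_on_power_cycle = lock_on_power_cycle
        self.alerts = []              # stand-in for SNMP traps / relay output

    def forwards(self, event, src_mac):
        """Update lock-out state and return True/False for a frame."""
        if event == "link_down" and not self.locked:
            self.locked = True
            self.alerts.append("SNMP trap (assumed text): link down, port locked")
        elif event == "power_cycle":
            self.locked = self.lock_on_power_cycle
        elif event == "admin_clear":  # assumed name for an administrator clear
            self.locked = False
        if event != "frame":
            return None
        return not self.locked


def replay(port, events):
    """Return the forward/drop decision for every frame in the event log."""
    decisions = []
    for event, src_mac in events:
        decision = port.forwards(event, src_mac)
        if decision is not None:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    print("MAC filter :", replay(MacFilterPort(CAMERA_MAC), EVENTS))
    guardian = GuardianPort()
    print("Guardian   :", replay(guardian, EVENTS))
    print("Alerts     :", guardian.alerts)
```

The MAC filter forwards the spoofed frame exactly as it forwards genuine camera traffic, which is the weakness the text describes. The link-state lock-out drops everything after the first unplug, including the legitimate camera once it is reconnected, and raises a single alert for the administrator to act on; the `lock_on_power_cycle` flag models the two power-cycle behaviours described above.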
There are two distinct ways to use the Port Guardian feature, and the correct implementation depends on how secure the location is where your remote ComNet edge switch (with the Port Guardian feature) is installed. An outline description and visual example of both scenarios follows.
If your ComNet edge field switch is installed within a secure location, you would be less concerned about an intruder gaining access to the physical switch itself. You could therefore enable Port Guardian only on the ports connected to edge devices that are physically located outside the secure location, and leave it disabled on the uplink port(s), which are part of the secure network. In this scenario you could also set the option for a power cycle to clear any locked-out ports, since again you would be less concerned about an intruder being able to power cycle the switch itself.
Below is an example of this.
If your ComNet edge field switch is installed within an insecure location (such as at the base of a camera column), you would be concerned about an intruder gaining access to the physical switch itself in order to reach the network.
There are two possible options for system configuration in this case, as follows:
The following is a list of ComNet products that have the exclusive Port Guardian feature; more ComNet products with the Port Guardian feature will be released going forward.
If you have an immediate application and the products you have selected do not support Port Guardian, please contact your sales manager to discuss if we are able to add this feature to the product(s) that you require.
Model CNGE2+2SMS Series
Model CNGE4+2SMS Series