Traditional Switch Port Security

Overview

Layer 2 managed switches can typically implement port security, which consists of checking the source MAC address of incoming packets against the MAC address permitted on that port.

If a packet with a valid MAC address is received on a particular port, the switch allows that packet to pass through its switching fabric as normal.

If a packet with an invalid source MAC address is received on the switch port, that packet is dropped by the switch and is not allowed to proceed any further. This provides a basic level of security, as only traffic from the user-defined MAC address is allowed on that port.

With this method it is therefore possible to easily implement basic port security against a potential intruder removing the original device and replacing it with a device designed for network intrusion, or cutting the cable that went to the original device and connecting that cable to their own network intrusion device to gain access to the network.

This level of protection is common amongst most layer 2 managed switches on the market today and indeed all ComNet managed switches support this capability as standard.

This feature is referred to by many names including (but not limited to) the following:

  • Port Locking
  • MAC Locking
  • Port Security
  • MAC Filtering

What’s Wrong With Traditional Switch Port Security?

The issue with traditional Layer 2 MAC filtering/locking, as previously described, is that it can be defeated with relative ease in a matter of minutes by using readily available software which can artificially alter the MAC address of the sender to match whatever the potential intruder wants. In the example below the intruder will alter the MAC address of their laptop to use the same MAC address as the authorised camera and gain access to the network.

How Would The Intruder Know What MAC To Spoof?

So how would a potential intruder know the MAC address of the camera (in this example) in order to be able to spoof that address from their laptop and gain network access?

This could be done in several ways, but one simple way could be to use a low cost network tap device: the camera is briefly unplugged, connected to the tap, and then quickly re-connected to the network again. The operator would see video loss for some seconds but would be unlikely to put this down to a potential intruder, if it was even noticed at all.

How Does Port Guardian Prevent Such Intrusions?

At the basic level, Port Guardian works as a layer 1 protection system, so the actual data being sent on the port is not important and the switch does not need to know anything about it. Port Guardian constantly monitors the enabled ports, and as soon as it detects that a cable has been unplugged or that there is a link down event, that port is immediately disabled and the network administrator is notified of the potential intrusion via an SNMP alert (and optionally by a local contact relay, if supported on the particular switch model).

What Happens After Port Guardian Locks Out A Port?

Once Port Guardian has been triggered on a certain port, that port is in a permanent lock out condition and will appear to be dead to the potential intruder (no LEDs or anything else will work on that port). The port will remain in this lock out condition even if the original legitimate device is re-connected. The lock out state can only be cleared by the network administrator through one of 4 possible methods, as outlined below:

  • SNMP Reset Command Issued
  • Reset Via Web GUI
  • Port Guardian Reset Command Issued From The Local USB Serial Port CLI
  • A Contact Input Is Closed (only available on models that have contact inputs)

The contact input method is user configurable and is not enabled by default.

What about cycling power to the switch? This is another user configurable option. The port lock out states can be set to clear on a power cycle, or the ports can be set to go into the lock out condition in the event of a power cycle (this would be the most secure option).
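The lock out behaviour described above, modelled as an added example (not ComNet code; the `Port` class, its method names and the sample MAC address are hypothetical). It shows that a MAC-locked port accepts any frame carrying the permitted source address, while a link-loss latch stays locked until an administrator resets it.

```python
from dataclasses import dataclass, field

CAMERA = "00:11:22:33:44:55"  # constructed sample address

@dataclass
class Port:
    """Toy model of one switch port (hypothetical names, not ComNet's)."""
    allowed_mac: str                  # layer 2 MAC lock: permitted source MAC
    guardian: bool = False            # layer 1 link-loss latch enabled?
    lock_on_power_cycle: bool = True  # the "most secure" power-cycle option
    locked: bool = False
    alerts: list = field(default_factory=list)

    def link_down(self):
        # Cable unplugged or link lost: latch the port and raise one alert.
        if self.guardian and not self.locked:
            self.locked = True
            self.alerts.append("link-down lockout")

    def receive(self, src_mac: str) -> bool:
        # A locked port forwards nothing, whatever the source MAC is.
        if self.locked:
            return False
        return src_mac.lower() == self.allowed_mac.lower()

    def admin_reset(self):
        # Stands in for the SNMP, web GUI, CLI or contact-input reset.
        self.locked = False

    def power_cycle(self):
        # Either clears lock outs or forces them, per configuration.
        if self.guardian:
            self.locked = self.lock_on_power_cycle

def swap_device(port: Port, new_device_mac: str) -> bool:
    """Unplug the original device, attach another, report if its frame passes."""
    port.link_down()
    return port.receive(new_device_mac)

def demo():
    mac_only = Port(CAMERA)
    guarded = Port(CAMERA, guardian=True)
    results = {
        "mac_only_cloned": swap_device(mac_only, CAMERA),  # filter sees a valid MAC
        "guarded_cloned": swap_device(guarded, CAMERA),    # latch tripped on unplug
        "guarded_original_back": guarded.receive(CAMERA),  # still latched
    }
    guarded.admin_reset()
    results["guarded_after_reset"] = guarded.receive(CAMERA)
    return results, guarded.alerts
```
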

So How Can I Use Port Guardian In My Networks?

There are really two distinct ways to use the Port Guardian feature, and the correct implementation depends on how secure the location of your remote ComNet edge switch (with the Port Guardian feature) is. An outline description and visual example of both scenarios follows.

Edge Switch In Secure Location Scenario

If your ComNet edge field switch is installed within a secure location, then you would not be as concerned about an intruder gaining access to the physical switch itself. You could therefore enable Port Guardian just on the ports where you have edge devices connected that are physically located outside of the secure location, and not enable Port Guardian on the uplink port(s) which are part of the secure network. In this scenario you could also set the option to have a power cycle clear any locked out ports, as again you would not be as concerned with a potential intruder being able to power cycle the switch itself.

Below is an example of this.

Edge Switch In Unsecure Location Scenario

If your ComNet edge field switch is installed within an unsecure location (such as at the base of a camera column etc.), then you would be concerned about an intruder gaining access to the physical switch itself to potentially access the network.

There are 2 possible options for system configuration in this case as follows:

  1. Enabling Port Guardian on all the ports of the edge switch and setting the power cycle option to force port lock out. This would offer protection on all ports; however, the downside is that if there was a power failure, the only way to gain access to the switch again would be to send an engineer to the switch itself to reset it via the USB serial port CLI.
  2. Using switches at both sides of the system that have the Port Guardian feature. The switch at the field side would have it enabled only on the ports with edge devices connected, while the switch at the head end would have it enabled only on the uplink port that connects to the field edge switch. This offers full protection and allows recovery after a power failure, as 1 port will always have access because Port Guardian will not be enabled on it.

Which ComNet Products Have The Port Guardian Feature?

The following is a list of ComNet products which have the exclusive Port Guardian feature, with more ComNet products to be released with the Port Guardian feature going forward.

If you have an immediate application and the products you have selected do not support Port Guardian, please contact your sales manager to discuss if we are able to add this feature to the product(s) that you require.

Model CNGE2+2SMS Series

Model CNGE4+2SMS Series