There are two categories of network ports, physical and virtual. Physical network ports are connection points for cables, such as Ethernet and USB cables, that allow computers, switches, firewalls, and other devices to connect to the network physically. Virtual network ports are numerical identifiers that enable different applications to share the same physical connection. For example, DHCP uses port numbers 67 and 68 to send UDP packets between the client and the DHCP server.
This blog looks at securing physical network ports on a switch.
Physical network port security is focused on preventing unauthorized access to the port and controlling the traffic that passes through it. Securing physical switch ports involves implementing six essential security measures: physically limiting access to the port, logically limiting access to the port, protecting against rogue devices, restricting traffic through the port, protecting traffic through the port, and verifying that the port is operating correctly.
Physically prevent access to the port
To prevent the switch from being tampered with, access to the physical switch should be restricted by installing it in a locked closet or enclosure. In addition, specialized devices called RJ45 port locks can prevent unauthorized people from inserting cables into unused ports to gain network access.
Logically prevent access to the port
Switch ports that are not in use should be placed in the “shutdown” state. Ports in a shutdown state will not pass traffic even if a cable is physically connected to the port. Switch ports that are in use should be configured with port-level security to prevent unauthorized access.
There are two common ways to prevent unauthorized access. The first is restricting the MAC addresses permitted to connect to a specific port. This prevents devices with unauthorized MAC addresses from connecting to the network. The second is to implement 802.1X port-based authentication, where the device connected to the port must be authenticated before the device can request an IP address and send data over the network.
If a device with an unauthorized MAC address connects to the switch port or fails 802.1X authentication, the port blocks traffic from that device. The port can also be configured to take specific action, for example, log a violation, send a network alert, or place the port in a shutdown state.
Administrators commonly configure switch ports by remotely connecting to the switch using either a command-line interface (CLI) over Secure Shell (SSH) or a web-based GUI over HTTPS. Administrators should be authenticated using RADIUS or TACACS+ before making switch configuration changes. Role-Based Access Control (RBAC) can be used to define the level of configuration changes an administrator can make.
Pro Tip:
Switches typically have a console port, allowing administrators to connect directly to the switch for initial configuration. If remote access to the switch is down, an administrator needs local access to the console port to make configuration changes. Therefore, the console port should NOT be placed in a shutdown state. Instead, secure the console port with a strong password and RBAC.
Protect against rogue switches and DHCP servers
Spanning Tree Protocol (STP) ensures there is only one active path between switches by blocking redundant links. If an attacker connects a cable from a rogue switch to a legitimate switch port, STP reevaluates paths across the network, disrupting network operations and potentially causing network outages. Switch access ports should be configured to prevent connected rogue switches from sending Bridge Protocol Data Unit (BPDU) messages and taking part in the STP process. This configuration option is commonly called BPDU Guard or BPDU Protection.
Dynamic Host Configuration Protocol (DHCP) servers allocate IP addresses and provide network information, such as default gateways, to devices connecting to the network. If an attacker connects a DHCP server to a switch port, it can assign invalid IP addresses, causing the device to have connectivity problems or redirect traffic to the attacker’s device.
DHCP Snooping is a security feature that configures ports as “trusted” if they connect to legitimate DHCP servers, and blocks DHCP offer messages on “untrusted” ports. DHCP Snooping also maintains a table of valid client IP–MAC address associations and uses this information to validate DHCP response messages. Invalid DHCP response messages are dropped. These two techniques prevent rogue DHCP servers from offering invalid IP addresses and prevent invalid DHCP messages from reaching the client.
Pro Tip:
BPDU Guard can be enabled on an individual port interface or globally for all switch ports. DHCP Snooping can be enabled per port interface, per VLAN, or globally.
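The controls in the two sections above (unused ports shut down, in-use access ports protected by port security or 802.1X, BPDU Guard on access ports, and DHCP Snooping trust limited to uplinks) can be audited automatically from a switch's running configuration. The following Python script is an added example, not code from the original blog: it parses a constructed sample configuration written in Cisco IOS command syntax and reports which ports are missing which control. The "description unused" labelling convention and the interface names are assumptions made for the sample.

```python
"""Audit an IOS-style running-config for the port-hardening controls described
above: unused ports shut down, in-use access ports protected by port security
or 802.1X, BPDU Guard on access ports, and DHCP Snooping trust limited to
uplinks. Added example with a constructed sample configuration."""

# Constructed sample in Cisco IOS command syntax. Gi1/0/3 is an unused port
# that was left enabled, Gi1/0/4 is an in-use access port with no port-level
# protection, and Gi1/0/24 is the uplink that should be the only DHCP-trusted port.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet1/0/1
 description engineering-desktop
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description finance-desktop
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description unused
 switchport mode access
 switchport access vlan 999
!
interface GigabitEthernet1/0/4
 description printer
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/24
 description uplink-to-core
 switchport mode trunk
 ip dhcp snooping trust
!
"""


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def audit_global(config):
    """Findings that apply to the whole switch rather than to one port."""
    global_lines = [l for l in config.splitlines() if not l.startswith((" ", "interface "))]
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append("DHCP Snooping is not enabled globally")
    return findings


def audit_interfaces(config):
    """Return {interface name: [findings]}; an empty list means the port passed."""
    results = {}
    for name, lines in parse_interfaces(config).items():
        def has(prefix):
            return any(l.startswith(prefix) for l in lines)

        issues = []
        unused = has("description unused")  # labelling convention assumed for the sample
        if unused and not has("shutdown"):
            issues.append("unused port is not shut down")
        if unused or has("shutdown"):
            results[name] = issues  # a shut port needs no further checks
            continue
        if not has("switchport mode trunk"):  # access-port checks
            if not (has("switchport port-security") or has("authentication port-control auto")):
                issues.append("access port has neither port security nor 802.1X")
            if not has("spanning-tree bpduguard enable"):
                issues.append("access port lacks BPDU Guard")
            if has("ip dhcp snooping trust"):
                issues.append("access port is trusted for DHCP server messages")
        results[name] = issues
    return results


if __name__ == "__main__":
    for finding in audit_global(SAMPLE_CONFIG):
        print("global:", finding)
    for port, issues in audit_interfaces(SAMPLE_CONFIG).items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run against the sample, the script flags Gi1/0/3 as an enabled unused port and Gi1/0/4 as an access port with no port security or 802.1X, no BPDU Guard, and DHCP trust it should not have; the two hardened desktop ports and the trunk uplink pass. The same checks can be run across a fleet by feeding each switch's saved configuration to the functions.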
Restrict traffic through the port
VLANs allow devices physically connected to the same switch to be logically grouped. For example, engineering devices can be placed on VLAN 10, finance department devices can be placed on VLAN 20, and web servers can be placed on VLAN 30. Traffic cannot go from one VLAN to another without going through a layer 3 switch or a router. Firewalls and Access Control Lists (ACLs) can then be used to enforce security policies for communications between VLANs.
Ports that connect endpoint devices like desktop computers are configured to support a single VLAN and are called access ports. Switch ports that connect to other switches or routers are typically configured to support multiple VLANs and are called trunk ports.
ACLs control the type of traffic permitted or denied through a port. ACLs can be applied at two layers:
- Layer 2, to a VLAN, where they are called VLAN ACLs (VACLs). VACLs can permit or deny traffic between devices in the same VLAN and filter unicast, multicast, or broadcast traffic.
- Layer 3, on a layer 3 switch or router, where they are called router ACLs (RACLs). RACLs can permit or deny traffic between devices on different VLANs and filter traffic through the port based on IP addresses, protocols, or port numbers. RACLs restrict access to specific network services and resources; for example, devices on VLAN 10 can be limited to communicating only with application servers on HTTPS port 443.
Pro Tip:
Place management traffic, such as network configuration and alerts, on a separate VLAN. Use ACLs to control access to the management network. Using a separate VLAN allows management traffic to be prioritized over other types of traffic and makes it harder for attackers to access the organization’s network control systems.
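A RACL is evaluated top to bottom, the first matching rule decides, and an implicit deny drops anything no rule permits. The Python below is an added example, not code from the original blog: it evaluates packets against a constructed RACL that expresses the VLAN 10 example above (only HTTPS to the application servers), and it also detects a common misconfiguration, a rule that can never match because a broader rule sits above it. The subnets 10.0.10.0/24 for VLAN 10 and 10.0.30.0/24 for the VLAN 30 servers are assumptions made for the sample.

```python
"""First-match ACL evaluation with implicit deny, plus a check for rules that
are shadowed by an earlier, broader rule. Added example; the ACLs below are
constructed, with assumed subnets for VLAN 10 (10.0.10.0/24) and the VLAN 30
application servers (10.0.30.0/24)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", or "ip" (any protocol)
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    dst_port: Optional[int] = None  # None matches any destination port


# RACL applied inbound on the VLAN 10 interface (constructed): only HTTPS to
# the server subnet is permitted; the implicit deny drops everything else.
VLAN10_IN: List[Rule] = [
    Rule("permit", "tcp", "10.0.10.0/24", "10.0.30.0/24", 443),
]

# A misordered ACL (constructed): the broad permit in rule 0 shadows the deny
# in rule 1, so SSH to the servers is allowed despite the author's intent.
MISORDERED: List[Rule] = [
    Rule("permit", "ip", "10.0.10.0/24", "10.0.30.0/24"),
    Rule("deny", "tcp", "10.0.10.0/24", "10.0.30.0/24", 22),
]


def _matches(rule, proto, src, dst, dst_port):
    """True if one packet (proto, src, dst, dst_port) matches the rule."""
    return (rule.proto in ("ip", proto)
            and src in ipaddress.ip_network(rule.src)
            and dst in ipaddress.ip_network(rule.dst)
            and (rule.dst_port is None or rule.dst_port == dst_port))


def evaluate(acl, proto, src, dst, dst_port=None):
    """Return 'permit' or 'deny' for one packet, as a router or L3 switch would."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if _matches(rule, proto, s, d, dst_port):
            return rule.action
    return "deny"  # every ACL ends with an implicit deny


def _covers(earlier, later):
    """True if every packet that matches `later` already matches `earlier`."""
    return (earlier.proto in ("ip", later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and (earlier.dst_port is None or earlier.dst_port == later.dst_port))


def shadowed_rules(acl):
    """Indices of rules that can never be reached because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


if __name__ == "__main__":
    print("HTTPS to server:", evaluate(VLAN10_IN, "tcp", "10.0.10.5", "10.0.30.8", 443))
    print("SSH to server:  ", evaluate(VLAN10_IN, "tcp", "10.0.10.5", "10.0.30.8", 22))
    print("HTTPS to finance:", evaluate(VLAN10_IN, "tcp", "10.0.10.5", "10.0.20.8", 443))
    print("shadowed rules in MISORDERED:", shadowed_rules(MISORDERED))
```

The shadow check is the kind of test a port security audit should include: an ACL can look correct line by line and still permit traffic the author meant to deny, purely because of rule order.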
Protect traffic through the port
MACsec can protect layer 2 Ethernet frames at the switch port, providing confidentiality, integrity, and replay protection at the data link layer. MACsec authenticates and encrypts frames when they leave the port, and decrypts and authenticates frames when they arrive at the port.
MACsec protects traffic between directly connected devices, for example between a user device and a switch access port, or between switch-to-switch trunk ports. MACsec is defined in the IEEE 802.1AE standard, and typically uses 802.1X for authentication and MACsec Key Agreement (MKA) to exchange keys. MACsec protects the payload; it does not protect the MAC header.
Pro Tip:
If the switch provides layer 3 routing capabilities, IPsec can be configured on routed ports or Switch Virtual Interfaces (SVIs). IPsec protects IP packets, providing both encryption and message authentication. It can be used to protect traffic between different VLANs. IPsec is performed in the routing engine in the switch, not at the physical switch port. It is not discussed further in this blog.
Verify that the ports are operating correctly
After configuring the switch port security settings, it is essential to implement operational controls to enforce port security policies and monitor for security violations. Four main areas should be prioritized: continuous port monitoring, detailed switch log analysis, real-time alerts for security violations, and periodic port security audits to ensure ongoing compliance.
Port monitoring typically uses Simple Network Management Protocol (SNMP) to report switch information, such as port status, port errors, and bandwidth utilization, to a central Network Management System (NMS). Using SNMP traps and alerts, network administrators can respond in real time to port changes that may indicate an attack.
Flow analysis is another essential part of port monitoring. Flow analysis can look at the traffic through a switch port in real time and detect abnormal behaviors such as port scans. Many network vendors have developed proprietary implementations of flow analysis. Examples are Cisco NetFlow, HP sFlow, and Juniper Networks J-Flow.
Switch logs capture port activity such as ports up/shutdown status changes, unauthorized MAC addresses, and MAC address changes. Analyzing log activities can help identify security violations. Switch logs can be integrated into a central Security Information and Event Management (SIEM) system to facilitate network-wide threat detection.
Port security audits verify that the current port security measures are configured correctly and functioning as expected. An audit is essentially a snapshot of the current port security settings. The audit report should list the port configurations, security violations, and recommended changes.
Pro Tip:
Each switch port maintains a set of counters measuring traffic, such as the number of frames received, transmitted, dropped, and errored. Some counters measure security violations, such as how often a device with an unauthorized MAC address attempts to connect to the port. In an audit, these counters provide quantifiable data on whether the port security settings are effective.
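Switch logs and per-port violation counters come together when the logs are parsed centrally. The Python below is an added example, not code from the original blog: it parses constructed syslog lines modelled on the Cisco IOS message format (%FACILITY-SEVERITY-MNEMONIC: text), builds per-port counters of security events such as port-security violations and BPDU Guard trips, and raises an alert list for high-severity messages, which is what a SIEM correlation rule or NMS would do with the same feed. The hostname, port names, MAC addresses, and timestamps in the sample are constructed.

```python
"""Turn IOS-style switch syslog lines into per-port security counters and a
list of high-severity alerts. Added example; the log lines are constructed,
modelled on the Cisco IOS message format %FACILITY-SEVERITY-MNEMONIC: text."""
import re
from collections import Counter, defaultdict

# Constructed sample: two port-security violations on Gi1/0/4, a BPDU Guard
# trip that err-disables Gi1/0/3, a DHCPOFFER dropped by DHCP Snooping on an
# untrusted port, and an ordinary link-down on Gi1/0/7.
SAMPLE_LOGS = [
    "Mar 14 09:12:01 sw-edge-01 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/4.",
    "Mar 14 09:12:07 sw-edge-01 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/4.",
    "Mar 14 09:13:40 sw-edge-01 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/3 with BPDU Guard enabled. Disabling port.",
    "Mar 14 09:13:40 sw-edge-01 %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state",
    "Mar 14 09:15:22 sw-edge-01 %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPOFFER, MAC sa: 0011.2233.aabb",
    "Mar 14 09:20:05 sw-edge-01 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down",
]

MSG_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
# Interface names appear both in long form (GigabitEthernet1/0/3) and short form (Gi1/0/3).
PORT_RE = re.compile(r"\b(GigabitEthernet|FastEthernet|Gi|Fa)(\d+(?:/\d+)*)")
LONG_NAMES = {"Gi": "GigabitEthernet", "Fa": "FastEthernet"}
ALERT_SEVERITY = 2  # syslog severities 0-2 (emergency, alert, critical) page someone


def parse_event(line):
    """Return {'severity', 'mnemonic', 'port', 'text'} or None for a non-IOS line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    port = None
    p = PORT_RE.search(m.group("text"))
    if p:
        # Normalise the short form so Gi1/0/3 and GigabitEthernet1/0/3 share one counter.
        port = LONG_NAMES.get(p.group(1), p.group(1)) + p.group(2)
    return {
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "port": port,
        "text": m.group("text"),
    }


def summarize(lines):
    """Return (per-port Counter of mnemonics, list of (port, mnemonic) alerts)."""
    counters = defaultdict(Counter)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key = ev["port"] or "(switch-wide)"  # e.g. DHCP Snooping drops name no port
        counters[key][ev["mnemonic"]] += 1
        if ev["severity"] <= ALERT_SEVERITY:
            alerts.append((key, ev["mnemonic"]))
    return dict(counters), alerts


if __name__ == "__main__":
    per_port, alerts = summarize(SAMPLE_LOGS)
    for port, counts in sorted(per_port.items()):
        print(port, dict(counts))
    print("alerts:", alerts)
```

For the sample, Gi1/0/4 accumulates two PSECURE_VIOLATION events and Gi1/0/3 one BLOCK_BPDUGUARD plus one ERR_DISABLE; the three severity-2 messages become alerts, while the link-down and the DHCP Snooping drop are only counted. The per-port counters are the quantifiable data an audit can compare against the switch's own interface counters.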
What you should do after reading this blog
After reading this, you should:
- Identify the types of switches in your organization’s network.
- Review your organization’s port security policies for edge, distribution, and backbone switches, and note how these policies differ.
- Identify whether the port security mechanisms discussed in this blog are part of your organization’s port security policies.
- Examine the security alerts in your NMS and SIEM systems and ensure switch ports are sending all relevant data.
- Determine when the last port security audit was conducted and identify any recommendations that have not been implemented.