Archive for the ‘security’ Category

Securing switch ports

Sunday, August 2nd, 2009

One of the projects that I’m currently working on is a large network that is in place strictly as the backbone for an IP-based security system. This network is a fairly typical two-layer network, with a core in the small datacenter that we are building, and distribution switches out in smaller locations around the perimeter of the secured area.

One of the issues that arose during the selling of the project was securing the network itself (it’s sad that we brought it up, but then again most physical security types have very little understanding of networks, so it’s not that unusual). Within the datacenter I’m not as concerned about the physical security of the networking devices, but at the outside edges I am.

My concern is not so much the switches themselves (though we do a lot of security configuration on them as well), but rather on the lack of security of the cabling and endpoints connected to the switches at each location.

Each of these locations has a number of IP-based security cameras, access control devices, access points, relay controllers, etc., plugged into a switch. While the theory is that we’d notice anyone doing something nefarious to these devices, or to the cable that connects them to the switch, we wanted to make sure that nothing could get onto the network that shouldn’t be there. Or at least have a higher comfort level that it couldn’t happen unnoticed.

So how do you make sure that nobody swaps a laptop for the camera on the end of the cable, or that someone doesn’t drop a hub in between the camera and the switch so that they can add their own devices to the network?

In our case, since we are using Cisco switches for the project, instead of the usual junk that security companies put in place for most IP networks, we are able to take advantage of the Cisco Port Security feature.

Basically, what port security does is keep track of the devices on a switchport, and if something happens that shouldn’t, the port is turned off. Granted, that is a very basic explanation, but you get the point.

There are some limitations as to what kind of port you can apply port security to, but as they don’t apply to the ports that I’m looking at, I’m not going to get into those here. Suffice it to say that it’s mostly an issue of SPAN ports and trunks.

The basic configuration of port security on a switchport is very simple:

Ciscoswitch(config-if)# switchport port-security

That enables port-security on the switchport you are configuring. In its default mode, port-security allows 1 MAC address, which is the first connected MAC address, and disables the port if there is a violation of port-security.

In our case, we are being a bit more specific:

Ciscoswitch(config-if)# switchport port-security
Ciscoswitch(config-if)# switchport port-security max 1
Ciscoswitch(config-if)# switchport port-security mac-address 1111.2222.3333

What we have added there is to define that only 1 MAC address can be on that port at a time (which prevents hubs and spliced-in machines from getting on the network) and that only the device with MAC address 1111.2222.3333 can use that port.

Any violation of that rule will shut down the port and send an SNMP trap to the operations center, alerting the staff there to the problem.
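As an added example (not from the original post), here is a small Python audit that reads an IOS-style running-config and flags access ports that don’t match the policy above: port-security enabled, a maximum of 1 MAC, and a static MAC pinned. The config text is constructed for illustration, and trunks are skipped, as the post notes they are out of scope.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1111.2222.3333
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security max 3
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

MAX_RE = re.compile(r"^switchport port-security max(?:imum)? (\d+)$")  # IOS accepts "max"
MAC_RE = re.compile(r"^switchport port-security mac-address [0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_interfaces(config):
    """Split an IOS-style running-config into {interface name: [indented lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces

def audit_port_security(config):
    """Return {access port: [findings]}; an empty list means the port matches the policy."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and SPAN ports are out of scope, as in the post
        findings = []
        if "switchport port-security" not in lines:
            findings.append("port-security not enabled")
        maxes = [int(m.group(1)) for m in map(MAX_RE.match, lines) if m]
        if maxes and maxes[-1] != 1:  # default is 1, so an absent line is fine
            findings.append(f"maximum is {maxes[-1]}, expected 1 (a hub or splice would be tolerated)")
        if not any(MAC_RE.match(line) for line in lines):
            findings.append("no static MAC pinned; the first device seen would be trusted")
        report[name] = findings
    return report
```

Run `audit_port_security(SAMPLE_CONFIG)` against a saved `show running-config`; in the sample, Gi0/1 is clean, Gi0/2 gets all three findings, and the trunk on Gi0/24 is not reported.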

So that is how we make sure that no devices are added to or changed on the edge switches of the network.

Well, that’s most of it, actually; I’ll be covering the second part of this next.