S 4.206 Protection of switch ports

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

Depending on the protection requirements of a network, it is often desirable that only certain trusted clients can access it. Many switches therefore offer options for denying network access even when an attacker has, for example, gained physical access to a network wall socket.

MAC address notification

Many switches can log every change of the MAC address seen on a port. This does not in itself provide access control, but it can be important for detecting attacks: for example, a message (syslog entry or SNMP trap) can be sent to the administrator whenever the MAC address on a port changes. Such notifications are only useful if they reach a system that is actually monitored; in environments where devices are moved regularly, the resulting volume of messages should be taken into account when planning.

MAC locking

The most widespread method of protecting switch ports is so-called MAC locking (also known as port security). The switch is configured so that only clients with certain MAC addresses (in the extreme case a single MAC address) may use a particular physical port. If the switch receives an Ethernet frame with a different source MAC address on that port, the frame is not forwarded into the network but rejected. In this way, relatively good protection can be achieved in "static" networks whose set of devices rarely changes.

However, maintaining the relevant tables is time-consuming, so MAC locking is not practical in larger installations. In addition, MAC locking offers no protection against attackers who have discovered a permitted MAC address and configure their own device to use it (see also T 5.113 MAC spoofing). Since the source MAC address is transmitted in clear text in every frame and can be set freely on most network cards, it must not be treated as a secret.
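As an added illustration (not part of the original safeguard text), the following Python simulation of a locked switch port shows the three behaviours described above in one run: a MAC-change notification, the rejection of a frame from a non-permitted MAC address, and the fact that a frame carrying a cloned, permitted MAC address passes MAC locking unnoticed. Port names, MAC addresses and frame payloads are constructed for the example; "sticky" learning of the first addresses seen is included as a common variant of MAC locking and is an assumption about switch behaviour, not something the text above describes.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return lower-case colon form."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Frame:
    src_mac: str
    payload: str          # only a label here; the switch decides on the source MAC alone


@dataclass
class LockedPort:
    """One physical switch port with MAC locking plus MAC-change notification (constructed model)."""
    name: str
    allowed: set = field(default_factory=set)   # statically configured MAC addresses
    max_addresses: int = 1                       # upper bound for sticky learning
    sticky: bool = False                         # learn the first MACs seen, up to max_addresses
    last_mac: Optional[str] = None
    log: list = field(default_factory=list)      # what the administrator would receive

    def ingress(self, frame: Frame) -> bool:
        """Return True if the frame is forwarded into the network, False if it is rejected."""
        mac = normalize_mac(frame.src_mac)
        # MAC address notification: report every change of the address seen on this port
        if self.last_mac is not None and mac != self.last_mac:
            self.log.append(f"NOTIFY {self.name}: source MAC changed {self.last_mac} -> {mac}")
        self.last_mac = mac
        # Sticky learning (optional): the first addresses become the permitted set
        if self.sticky and mac not in self.allowed and len(self.allowed) < self.max_addresses:
            self.allowed.add(mac)
            self.log.append(f"LEARN {self.name}: {mac} added to the permitted set")
        # MAC locking: anything not in the permitted set is dropped, not forwarded
        if mac not in self.allowed:
            self.log.append(f"VIOLATION {self.name}: {mac} not permitted, frame dropped")
            return False
        return True


def static_port_scenario():
    """A port locked to one MAC: legitimate client, intruder, then an intruder spoofing the client's MAC."""
    port = LockedPort("Gi1/0/7", allowed={"00:11:22:33:44:55"})   # constructed port name and MAC
    frames = [
        Frame("0011.2233.4455", "legitimate client"),
        Frame("de:ad:be:ef:00:01", "intruder with own NIC"),
        Frame("00:11:22:33:44:55", "intruder after cloning the permitted MAC (T 5.113)"),
    ]
    return [port.ingress(f) for f in frames], port.log


def sticky_port_scenario():
    """A sticky port learns the first MAC it sees and locks to it; a second MAC is rejected."""
    port = LockedPort("Gi1/0/8", sticky=True, max_addresses=1)
    frames = [Frame("AA-BB-CC-DD-EE-01", "first device"), Frame("aa:bb:cc:dd:ee:02", "second device")]
    return [port.ingress(f) for f in frames], sorted(port.allowed)
```

In the static scenario the results are forwarded, dropped, forwarded: the intruder's own card is rejected and logged, but the frame with the cloned address is indistinguishable from the legitimate client, and the only trace is the "source MAC changed" notification, which is exactly why notification and locking complement each other. The sticky scenario shows that learning reduces configuration effort but locks the port to whatever device happened to be connected first.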

IEEE 802.1X

The IEEE 802.1X standard describes a method for port-based network access control in LANs and WLANs. Before an IT system is granted access to a network protected by IEEE 802.1X, the new device (referred to in the standard as the "supplicant") must authenticate to an authenticator.

The authenticator is usually a network switching element such as a switch, router or WLAN access point. It passes the authentication data to an authentication server (usually a RADIUS server) for verification and, depending on the result, opens the port for network traffic or keeps it closed. Until authentication has succeeded, the port only passes the authentication frames themselves (EAPOL, EtherType 0x888E); IP-based communication is not possible.

Within IEEE 802.1X, the Extensible Authentication Protocol (EAP, RFC 3748) is used to perform the port-based authentication. EAP is not an authentication procedure in its own right but a framework in which the actual authentication procedures (EAP methods or EAP types) are embedded. The 802.1X standard does not prescribe which EAP method is to be used. EAP supports a range of authentication methods, so that passwords, certificates or two-factor procedures can be used depending on the protection requirements of the information.

Approximately 40 EAP methods are known to date, for example EAP-TLS, EAP-TTLS, PEAP, EAP-FAST, EAP-MSCHAPv2, LEAP and EAP-MD5. EAP-MSCHAPv2 in particular should only be run inside a TLS-protected tunnel (PEAP or EAP-TTLS), never on its own. Further EAP methods are discussed in the IEEE 802.1X standard and in the BSI technical guideline Secure WLAN.

In general, for larger installations it makes sense to implement user authentication according to IEEE 802.1X. EAP-MD5 and LEAP should no longer be used because of known security problems: EAP-MD5 does not authenticate the server, which permits man-in-the-middle attacks, and both methods expose a challenge/response exchange that can be attacked offline with a dictionary attack once it has been captured. In networks with high confidentiality requirements, a strong certificate-based method such as EAP-TLS is recommended; the clients must then be configured to verify the authentication server's certificate, otherwise a rogue authenticator can still impersonate the network.
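The following Python model is an added example, not part of the original text or of any vendor's implementation. It frames EAP packets as RFC 3748 defines them, wraps them in EAPOL as IEEE 802.1X does, and implements a simplified authenticator port with the standard's three port-control modes (force-authorized, auto, force-unauthorized), so the default-state question raised below under "Other procedures" can be seen as well. The RADIUS back-end is replaced by a constructed dictionary of users and passwords, the challenge is fixed so the run is reproducible, and only EAP-MD5 is executed end to end (it is simple enough to fit, and its weakness can then be demonstrated); the hardened port that offers only EAP-TLS merely starts that method and refuses a supplicant whose Nak asks for a deprecated type. The last function shows the offline dictionary attack on a sniffed EAP-MD5 exchange that is the reason for the recommendation above.

```python
import hashlib
import struct

# Standard values from IEEE 802.1X (EAPOL framing) and RFC 3748 (EAP)
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START = 0, 1                               # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # EAP codes
T_IDENTITY, T_NAK, T_MD5, T_TLS, T_LEAP = 1, 3, 4, 13, 17         # EAP method types
DEPRECATED = {T_MD5, T_LEAP}     # never granted as a fallback when a supplicant asks for them via Nak

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP: Code, Identifier, Length (incl. header), then Type and Type-Data (Success/Failure have none)."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 4 <= length <= len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, (pkt[4] if length > 4 else None), pkt[5:length]

def eapol(pkt_type, body=b""):   # EAPOL header: protocol version 2, packet type, body length
    return struct.pack("!BBH", 2, pkt_type, len(body)) + body

def md5_challenge_response(ident, password, challenge):
    """EAP-MD5 (RFC 3748 section 5.4, same as CHAP): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

class AuthenticatorPort:
    """Switch port in one of the three port-control modes; `users` is a constructed RADIUS stand-in."""
    def __init__(self, mode="auto", offered=(T_TLS,), users=None, challenge=b"\x5a" * 16):
        self.mode, self.offered, self.users, self.challenge = mode, offered, users or {}, challenge
        self.authorized = False          # an "auto" port starts in the unauthorized state
        self.ident, self.identity, self.method, self.sent = 0, None, None, []

    def _send(self, code, eap_type=None, data=b""):
        self.ident = (self.ident + 1) & 0xFF
        self.sent.append(eapol(EAPOL_EAP_PACKET, eap_packet(code, self.ident, eap_type, data)))

    def _start_method(self, eap_type):
        self.method = eap_type   # only MD5 is executed here; TLS would relay a handshake to RADIUS
        data = bytes([len(self.challenge)]) + self.challenge if eap_type == T_MD5 else b""
        self._send(EAP_REQUEST, eap_type, data)

    def receive(self, ethertype, payload):
        """True if the frame is let into the LAN; EAPOL is consumed by the port and never forwarded."""
        if self.mode != "auto":          # force-authorized / force-unauthorized never run EAP at all
            return self.mode == "force-authorized"
        if ethertype != ETHERTYPE_EAPOL:
            return self.authorized       # IP traffic passes only after an EAP Success
        _, pkt_type, length = struct.unpack("!BBH", payload[:4])
        if pkt_type == EAPOL_START:
            self._send(EAP_REQUEST, T_IDENTITY)
        elif pkt_type == EAPOL_EAP_PACKET:
            self._handle(*parse_eap(payload[4:4 + length]))
        return False

    def _handle(self, code, ident, eap_type, data):
        if code != EAP_RESPONSE or ident != self.ident:
            return                       # unsolicited or replayed response: ignore
        if eap_type == T_IDENTITY:
            self.identity = data.decode()
            self._start_method(self.offered[0])
        elif eap_type == T_NAK:          # supplicant lists the method types it would accept instead
            acceptable = [t for t in data if t in self.offered and t not in DEPRECATED]
            self._start_method(acceptable[0]) if acceptable else self._send(EAP_FAILURE)
        elif eap_type == T_MD5 == self.method:
            expected = md5_challenge_response(ident, self.users.get(self.identity, b""), self.challenge)
            self.authorized = data[1:1 + data[0]] == expected
            self._send(EAP_SUCCESS if self.authorized else EAP_FAILURE)

def supplicant_session(port, identity, password):
    """Drive a supplicant that only speaks EAP-MD5 through the port; return (authorized, sniffed EAP)."""
    port.receive(ETHERTYPE_EAPOL, eapol(EAPOL_START))
    sniffed = []
    for _ in range(8):                   # bounded so a Nak ping-pong cannot run forever
        code, ident, eap_type, data = parse_eap(port.sent.pop(0)[4:])
        sniffed.append((code, ident, eap_type, data))
        if code in (EAP_SUCCESS, EAP_FAILURE):
            break
        if eap_type == T_IDENTITY:
            reply = eap_packet(EAP_RESPONSE, ident, T_IDENTITY, identity.encode())
        elif eap_type == T_MD5:
            digest = md5_challenge_response(ident, password, data[1:1 + data[0]])
            reply = eap_packet(EAP_RESPONSE, ident, T_MD5, bytes([len(digest)]) + digest)
        else:                            # any other method offered: Nak and ask for MD5
            reply = eap_packet(EAP_RESPONSE, ident, T_NAK, bytes([T_MD5]))
        sniffed.append(parse_eap(reply))
        port.receive(ETHERTYPE_EAPOL, eapol(EAPOL_EAP_PACKET, reply))
    return port.authorized, sniffed

def crack_md5_exchange(sniffed, wordlist):
    """Offline dictionary attack on a sniffed EAP-MD5 exchange: the reason the method is deprecated."""
    req = next(m for m in sniffed if m[0] == EAP_REQUEST and m[2] == T_MD5)
    resp = next(m for m in sniffed if m[0] == EAP_RESPONSE and m[2] == T_MD5)
    challenge, response = req[3][1:1 + req[3][0]], resp[3][1:1 + resp[3][0]]
    return next((w for w in wordlist if md5_challenge_response(resp[1], w, challenge) == response), None)

def demo():
    users = {"alice": b"winter2024"}                                # constructed credential store
    hardened = AuthenticatorPort("auto", offered=(T_TLS,), users=users)
    legacy = AuthenticatorPort("auto", offered=(T_MD5,), users=users)
    ip_frame = (0x0800, b"\x45\x00" + b"\x00" * 18)                 # constructed IPv4 header stub
    r = {"ip_before_auth": legacy.receive(*ip_frame)}
    r["md5_client_on_hardened_port"], _ = supplicant_session(hardened, "alice", b"winter2024")
    r["md5_client_on_legacy_port"], capture = supplicant_session(legacy, "alice", b"winter2024")
    r["ip_after_auth"] = legacy.receive(*ip_frame)
    r["cracked"] = crack_md5_exchange(capture, [b"password", b"summer2023", b"winter2024"])
    r["force_authorized_port"] = AuthenticatorPort("force-authorized").receive(*ip_frame)
    return r
```

Running demo() shows the points made in the text: on an "auto" port the IP frame is dropped before authentication and forwarded afterwards; the MD5-only supplicant is refused by the port that offers only EAP-TLS (its Nak asks for a deprecated type, so the port answers with EAP Failure) but accepted by the legacy port; and the password is recovered from the captured legacy exchange with a three-word list, since EAP-MD5 reveals challenge and response to anyone on the wire. A force-authorized port passes the IP frame without any EAP exchange at all, which is why the default mode of unconfigured ports must be set deliberately.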

Other procedures

Depending on the manufacturer, there are other procedures for implementing access control at switch ports. One option is a logon via a web interface: a web server running on the switch forwards the credentials entered to an authentication server. Note, however, that a web server running on the switch may itself introduce new threats, since it adds attack surface to the switch and the credentials must be protected in transit.

For equipment that supports IEEE 802.1X or other access control procedures, it is also important to specify the default state of a port. IEEE 802.1X defines three port-control modes: "force-authorized" (traffic passes without any authentication), "force-unauthorized" (the port stays closed) and "auto" (the port opens only after successful authentication). On many switches a port without explicit 802.1X configuration behaves as force-authorized, so unused ports should be disabled and active ports explicitly set to the required mode.

If port-based access control is to be set up, it must be clarified during the planning of the switches whether both the switches and the envisaged clients support the relevant protocols and authentication methods. The interaction of clients, switches and authentication servers should also be tested in advance. The security policy and the operating instructions for the active network components should document the procedures used and the default settings.

Review questions: