If you’re planning to take the Security+ SY0-501 exam, you should understand how to install and configure network components to support organizational security. This includes basic network devices such as switches that can learn which computers are attached to each of its physical ports.
For example, can you answer this question?
Q. Your organization has a dedicated classroom used for teaching computer classes. Students include internal employees and visiting guests. Security administrators recently discovered that students were unplugging the network cable from some classroom computers and plugging the network cable into their laptop computers, giving them access to network resources. Which of the following is the BEST solution to prevent this activity?
A. Flood guard
B. VLAN
C. Port security
D. Loop protection
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Networks connect computing devices together so that users can share resources, such as data, printers, and other devices. Any device with an IP address is a host, but you’ll often see them referred to as clients or nodes.
A common use case for a switch is to connect hosts together within a network. A common use case for a router is to connect multiple networks together to create larger and larger networks.
When discussing the different network devices, it’s important to remember the primary methods IPv4 uses when addressing TCP/IP traffic:
• Unicast. One-to-one traffic. One host sends traffic to another host, using a destination IP address. The host with the destination IP address will process the packet. Most other hosts will see the packet, but because it isn’t addressed to them, they will not process it.
• Broadcast. One-to-all traffic. One host sends traffic to all other hosts on the subnet, using a broadcast address such as 255.255.255.255. Every host that receives broadcast traffic will process it. Switches pass broadcast traffic between their ports, but routers do not pass broadcast traffic.
Security Benefit of a Switch
What you really need to know is why basic networking is relevant to security. If an attacker installed a protocol analyzer on a computer attached to another port, the protocol analyzer would not capture unicast traffic going through the switch to other ports.
In contrast, if the computers were connected with a simple hub, the attacker could capture it because unicast traffic goes to all ports on a hub. This is the main security reason why organizations replace hubs with switches. The switch reduces the risk of an attacker capturing data with a protocol analyzer. Of course, switches also increase the efficiency of a network.
Port Security
Port security limits the computers that can connect to physical ports on a switch. At the most basic level, administrators disable unused ports. For example, individual RJ-45 wall jacks in an office lead to specific physical ports on a switch. If the wall jack is not being used, administrators can disable the switch port. This prevents someone from plugging in a laptop or other computer into the wall jack and connecting to the network.
MAC address filtering is another example of port security. In a simple implementation, the switch remembers the first one or two MAC addresses that connect to a port. It then blocks access to systems using any other MAC addresses. You can also manually configure each port to accept traffic only from a specific MAC address. This limits each port’s connectivity to a specific device using this MAC address. This can be very labor intensive, but it provides a higher level of security.
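To make the two switch behaviors described above concrete, here is a toy model of a learning switch with the simple form of port security just described (remember the first N MAC addresses seen on a port, block anything else). It is an added example, not code from this post or from the study guide; the MAC addresses, port numbers and the "classroom" scenario it replays are constructed values. It also contrasts the switch's known-unicast forwarding with a hub, which repeats every frame out of every other port.

```python
"""Toy learning switch with per-port MAC limits (port security).

Added example, not code from the page or its author.  Every MAC address and
port number below is a constructed sample value.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def hub_forward(num_ports: int, ingress: int) -> set[int]:
    """A hub repeats every frame, unicast or not, out of every other port."""
    return {p for p in range(num_ports) if p != ingress}


@dataclass
class Switch:
    num_ports: int
    max_macs_per_port: int = 1                                   # port-security limit
    mac_table: dict[str, int] = field(default_factory=dict)       # MAC -> learned port
    port_macs: dict[int, set[str]] = field(default_factory=dict)  # port -> learned MACs
    disabled: set[int] = field(default_factory=set)               # unused jacks, shut by admin
    err_disabled: set[int] = field(default_factory=set)           # shut after a violation
    violations: list[tuple[int, str]] = field(default_factory=list)

    def disable_port(self, port: int) -> None:
        """Unused wall jack: administratively disable the switch port."""
        self.disabled.add(port)

    def _active(self, port: int) -> bool:
        return (0 <= port < self.num_ports
                and port not in self.disabled
                and port not in self.err_disabled)

    def receive(self, ingress: int, src: str, dst: str) -> set[int]:
        """Process one frame and return the set of ports it is sent out of."""
        if not self._active(ingress):
            return set()                          # frames on a dead port are dropped

        learned = self.port_macs.setdefault(ingress, set())
        if src not in learned:
            if len(learned) >= self.max_macs_per_port:
                # Port-security violation: a new MAC on a port whose allowance
                # is used up.  Record it and shut the port down.
                self.violations.append((ingress, src))
                self.err_disabled.add(ingress)
                return set()
            learned.add(src)                      # first-seen MAC sticks to this port
            self.mac_table[src] = ingress

        # Broadcast or unknown destination: flood to every other active port.
        if dst == BROADCAST or dst not in self.mac_table:
            return {p for p in range(self.num_ports)
                    if p != ingress and self._active(p)}

        # Known unicast: only the port the destination was learned on sees it.
        egress = self.mac_table[dst]
        if egress == ingress or not self._active(egress):
            return set()
        return {egress}


def classroom_demo() -> dict:
    """Replay the exam scenario: classroom PCs on ports 0 and 1, an unused
    jack on port 2, a would-be sniffer on port 3, then a student laptop
    plugged into port 0 in place of the classroom PC."""
    pc_a, pc_b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed MACs
    laptop = "de:ad:be:ef:00:01"                             # constructed MAC
    sw = Switch(num_ports=4, max_macs_per_port=1)
    sw.disable_port(2)
    first = sw.receive(0, pc_a, BROADCAST)        # {1, 3}: broadcast floods
    sw.receive(1, pc_b, pc_a)                     # reply; both PCs now learned
    unicast = sw.receive(0, pc_a, pc_b)           # {1}: port 3 sees nothing
    hub = hub_forward(4, 0)                       # {1, 2, 3}: a hub shows everyone
    student = sw.receive(0, laptop, pc_b)         # violation, port 0 shut down
    return {"first_flood": first, "unicast": unicast, "hub": hub,
            "student": student, "violations": sw.violations,
            "err_disabled": sw.err_disabled}


if __name__ == "__main__":
    for key, value in classroom_demo().items():
        print(f"{key}: {value}")
```

The model keeps the two mechanisms separate on purpose: `disabled` is the administrator shutting an unused jack, while `err_disabled` is the switch reacting to a MAC it was not told to expect. Setting `max_macs_per_port` to 2 reproduces the "first one or two MAC addresses" variant from the text, and the flood results show why a sniffer on an idle port captures broadcasts but not unicast between two other ports.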
Physical Security of a Switch
Many switches have a console port that administrators can use to monitor all traffic. Unlike the normal ports that only see traffic specifically addressed to the port, the monitoring port will see all traffic in or out of the switch. This includes any unicast traffic the switch is internally switching between two regular ports. The monitoring port is useful for legitimate troubleshooting, but if the switch isn’t protected with physical security, it can also be useful to an attacker.
Physical security protects a switch by keeping it in a secure area such as in a locked wiring closet. Physical security ensures that attackers don’t have physical access to the switch and other network devices.
Loop Prevention
In some situations, a network can develop a switching loop or bridge loop problem. The effect is similar to a broadcast storm and it can effectively disable a switch. For example, if a user connects two ports of a switch together with a cable, it creates a switching loop where the switch continuously sends and resends unicast transmissions through the switch. In addition to disabling the switch, it also degrades performance of the overall network.
This is trivial for many network administrators because most current switches have Spanning Tree Protocol (STP) or the newer Rapid STP (RSTP) installed and enabled for loop prevention. However, if these protocols are disabled, the switch is susceptible to loop problems. The simple solution is to ensure that switches include loop protection such as STP or RSTP.
Spanning Tree Protocol also protects the network against potential attackers. For example, imagine an attacker visits a conference room and has access to RJ-45 wall jacks. If loop protection isn’t enabled, he can connect two jacks together with a cable, slowing network performance down to a crawl.
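The following toy simulation shows why a single patch cable between two ports of the same switch keeps a broadcast circulating indefinitely, and how placing one end of the loop in the STP blocking state quenches it after a single pass. It is an added example, not code from this post or the study guide; the port count, the looped pair and the round limit are constructed values, and the model only flattens the flooding step (no MAC learning, no BPDU exchange).

```python
"""Toy model of a switching loop made by a cable between two ports of one
switch, with and without STP blocking one end of the loop.

Added example, not code from the page or its author.  Port numbers and
round counts are constructed values.
"""
from collections import Counter


def simulate_storm(num_ports: int, loop: tuple[int, int], ingress: int,
                   blocked: frozenset[int] = frozenset(), rounds: int = 10) -> dict:
    """Inject one broadcast frame on `ingress` and flood it for `rounds` steps.

    `loop` is the pair of ports joined by the stray cable: a copy sent out of
    one end re-enters the switch on the other end in the next round.  Ports
    in `blocked` are in the STP blocking state and neither send nor receive.
    Returns how many copies reached ordinary host ports and how many frames
    were still circulating when the simulation stopped.
    """
    a, b = loop
    peer = {a: b, b: a}
    host_ports = {p for p in range(num_ports) if p not in peer}
    delivered = Counter()
    pending = [ingress]                   # ports on which a copy arrives this round
    for _ in range(rounds):
        if not pending:
            break                         # storm died out
        nxt = []
        for port_in in pending:
            if port_in in blocked:
                continue                  # a blocking port discards what it hears
            for port_out in range(num_ports):
                if port_out == port_in or port_out in blocked:
                    continue
                if port_out in host_ports:
                    delivered[port_out] += 1          # a host receives a copy
                else:
                    nxt.append(peer[port_out])        # down the cable, re-enters
        pending = nxt
    return {"host_copies": sum(delivered.values()),
            "still_circulating": len(pending)}


def compare() -> tuple[dict, dict]:
    """Four-port switch, ports 2 and 3 cabled together, broadcast from port 0."""
    no_stp = simulate_storm(4, loop=(2, 3), ingress=0)
    with_stp = simulate_storm(4, loop=(2, 3), ingress=0, blocked=frozenset({3}))
    return no_stp, with_stp


if __name__ == "__main__":
    no_stp, with_stp = compare()
    print("loop protection off:", no_stp)
    print("loop protection on: ", with_stp)
```

With loop protection off, two copies keep chasing each other around the cable and every host port, including the original sender, receives the same broadcast again each round for as long as the simulation runs; raising `rounds` only raises `host_copies`. With port 3 blocked, the single copy that goes down the cable is discarded on arrival and the frame reaches each host exactly once.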
Q. Your organization has a dedicated classroom used for teaching computer classes. Students include internal employees and visiting guests. Security administrators recently discovered that students were unplugging the network cable from some classroom computers and plugging the network cable into their laptop computers, giving them access to network resources. Which of the following is the BEST solution to prevent this activity?
A. Flood guard
B. VLAN
C. Port security
D. Loop protection
Answer is C. Port security is the best solution. More specifically, the switch ports used by the classroom computers should be configured to only allow the media access control (MAC) addresses of the corresponding classroom computers.
A flood guard blocks MAC flood attacks, but this scenario doesn’t indicate any attack is in progress.
A virtual local area network (VLAN) segments traffic, but wouldn’t prevent students from connecting to the network in this scenario.
Loop protection protects against switching loop problems, but this is unrelated to this question.
See Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on basic networking concepts.