If you’re planning to take the SY0-401 version or the SY0-501 version of the Security+ exam, you should have a basic understanding of secure network administration principles, including deploying switches securely.
For example, can you answer this question?
Q. Your organization has several switches within the network. You need to implement a security control to prevent unauthorized access to these switches. Which of the following choices BEST meets this need?
A. Disable unused ports.
B. Implement an implicit deny rule.
C. Disable STP.
D. Enable SSH.
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Switches
A switch can learn which computers are attached to each of its physical ports. It then uses this knowledge to create internal switched connections when two computers communicate with each other.
Consider the figure below. When the switch turns on, it starts out without any knowledge other than knowing it has four physical ports. Imagine that the first traffic is the beginning of a TCP/IP conversation between Lisa’s computer and Homer’s computer.
Figure: Switch with four physical ports (Lisa's computer on port 1, Homer's computer on port 4)
When Lisa’s computer sends the first packet, it includes the MAC address of the destination computer. However, because the switch doesn’t know which port Homer’s computer is connected to, it forwards this first packet to all the ports on the switch.
Included in that first packet is the MAC address of Lisa’s computer. The switch logs this information into an internal table. It then directs any future traffic addressed to Lisa’s MAC address to port 1, and port 1 only.
When Homer’s computer receives the packet, it responds. Embedded in this return packet is the MAC address of Homer’s computer. The switch captures Homer’s MAC address and logs it with port 4 in the internal table. From here on, any unicast traffic between Lisa’s and Homer’s computers is internally switched between only ports 1 and 4. Switches will internally switch unicast traffic. However, they pass broadcast traffic to all ports.
Port Security
Port security limits the computers that can connect to physical ports on a switch. At the most basic level, administrators disable unused ports. For example, individual RJ-45 wall jacks in an office lead to specific physical ports on a switch. If the wall jack is not being used, administrators can disable the switch port. This prevents someone from plugging in a laptop or other computer into the wall jack and connecting to the network.
MAC address filtering is another example of port security. In a simple implementation, the switch remembers the first one or two MAC addresses that connect to a port. It then blocks access to systems using any other MAC addresses. You can also manually configure each port to accept traffic only from a specific MAC address. This limits each port’s connectivity to a specific device using this MAC address. This can be very labor intensive, but it provides a higher level of security.
Remember this
Port security includes disabling unused ports and limiting the number of MAC addresses per port. A more advanced implementation is to restrict each physical port to only a single specific MAC address.
Flood Attacks and Flood Guards
A MAC flood attack attempts to overload a switch with different MAC addresses associated with each physical port. You typically have only one device connected to any physical port. During normal operation, the switch’s internal table stores the MAC address associated with this device and maps it to the port. In a MAC flood attack, an attacker sends a large amount of traffic with spoofed MAC addresses to the same port.
At some point in a MAC flood attack, the switch runs out of memory to store all the MAC addresses and enters a fail-open state. Instead of working as a switch, it begins operating as a simple hub. Traffic sent to any port of the switch is now sent to all other switch ports. At this point, the attacker can connect a protocol analyzer to any port and collect all the traffic sent through the switch.
Many switches include a flood guard to protect against MAC flood attacks. When enabled, the switch will limit the amount of memory used to store MAC addresses for each port. For example, the switch might limit the number of entries for any port to 132 entries. This is much more than you need for normal operation. If the switch detects an attempt to store more than 132 entries, it raises an alert.
The flood guard typically sends a Simple Network Management Protocol (SNMP) trap or error message in response to the alert. Additionally, it can either disable the port or restrict updates for the port. By disabling the port, it effectively blocks all traffic through the port until an administrator intervenes. If it restricts updates, the switch will use currently logged entries for the port, but ignore attempts to update it. All other ports will continue to operate normally.
Another flood guard supported by some switches is a setting for the maximum number of MACs supported by a port. Most ports will typically have this set to 1 to support only a single MAC address. However, consider a virtual machine (VM) running within a physical host. If the VM is set to bridged, it can access the network using the physical host’s NIC, but with the MAC address of the VM. In this scenario, the Maximum MAC setting should be set to 2.
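The learning behaviour from the Switches section, the disabled-port and per-port MAC limit from Port Security, and the two flood-guard responses described above (disable the port, or keep existing entries and ignore updates), worked through in one small Python model. This is an added example written for this post, not code from the original article or from any switch vendor: the `Switch` class, its `table_capacity` (a stand-in for the switch's MAC-table memory), the `max_macs_per_port` and `violation` settings, and every MAC address are my own constructions.

```python
# Toy learning switch with port security, written to illustrate the post.
# Constructed model, not a vendor implementation: `table_capacity` stands in
# for the switch's MAC-table memory; `max_macs_per_port` + `violation` stand in
# for a flood guard with the two responses the post names (disable the port,
# or restrict updates). All MAC addresses below are made up.

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, table_capacity, max_macs_per_port=None,
                 violation="shutdown"):
        self.ports = list(ports)
        self.table_capacity = table_capacity        # assumed MAC-table size
        self.max_macs_per_port = max_macs_per_port  # None = no flood guard
        self.violation = violation                  # "shutdown" or "restrict"
        self.mac_table = {}                         # MAC -> port it was learned on
        self.disabled_ports = set()                 # admin-disabled or shut by guard
        self.restricted_ports = set()               # learning ignored after violation
        self.alerts = []                            # stand-in for SNMP traps / logs
        self.fail_open = False                      # table exhausted: acts as a hub

    def admin_disable(self, port):
        """Disable an unused port so nothing plugged into its wall jack can talk."""
        self.disabled_ports.add(port)

    def _macs_on_port(self, port):
        return sum(1 for p in self.mac_table.values() if p == port)

    def _learn(self, src, port):
        if src in self.mac_table:                   # known host: refresh its port
            self.mac_table[src] = port
            return
        if port in self.restricted_ports:           # restrict mode: keep old entries only
            return
        if (self.max_macs_per_port is not None
                and self._macs_on_port(port) >= self.max_macs_per_port):
            self.alerts.append(f"port-security violation on port {port}: {src}")
            if self.violation == "shutdown":
                self.disabled_ports.add(port)
            else:
                self.restricted_ports.add(port)
            return
        if len(self.mac_table) >= self.table_capacity:
            self.fail_open = True                   # no guard: out of memory, hub mode
            return
        self.mac_table[src] = port

    def forward(self, ingress, src, dst):
        """Return the set of ports a frame arriving on `ingress` is sent out of."""
        if ingress in self.disabled_ports:
            return set()
        self._learn(src, ingress)
        if ingress in self.disabled_ports:          # frame that tripped shutdown is dropped
            return set()
        others = {p for p in self.ports
                  if p != ingress and p not in self.disabled_ports}
        if self.fail_open or dst == BROADCAST or dst not in self.mac_table:
            return others                           # unknown/broadcast: flood all ports
        out = self.mac_table[dst]
        return {out} if out != ingress else set()


LISA, HOMER = "00:11:22:33:44:01", "00:11:22:33:44:04"   # constructed addresses


def learning_demo():
    """Lisa (port 1) talks to Homer (port 4); port 3 is an unused, disabled jack."""
    sw = Switch(ports=[1, 2, 3, 4], table_capacity=1024)
    sw.admin_disable(3)
    first = sw.forward(1, LISA, HOMER)          # Homer unknown: flooded
    reply = sw.forward(4, HOMER, LISA)          # Lisa known: port 1 only
    second = sw.forward(1, LISA, HOMER)         # both known: port 4 only
    bcast = sw.forward(1, LISA, BROADCAST)      # broadcast still goes to all live ports
    rogue = sw.forward(3, "02:aa:bb:cc:dd:ee", HOMER)  # disabled jack: dropped
    return first, reply, second, bcast, rogue, dict(sw.mac_table)


def flood_scenario(max_macs_per_port=None, violation="shutdown", frames=200):
    """Reproduce the table-exhaustion condition from the post on port 2 and
    report whether Lisa->Homer unicast is still switched afterwards."""
    sw = Switch(ports=[1, 2, 3, 4], table_capacity=128,
                max_macs_per_port=max_macs_per_port, violation=violation)
    sw.forward(1, LISA, HOMER)
    sw.forward(4, HOMER, LISA)
    for i in range(frames):                     # many distinct source MACs, one port
        src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"   # constructed addresses
        sw.forward(2, src, BROADCAST)
    egress = sw.forward(1, LISA, HOMER)
    return {"egress": egress, "fail_open": sw.fail_open,
            "disabled": set(sw.disabled_ports), "restricted": set(sw.restricted_ports),
            "alerts": len(sw.alerts), "table_size": len(sw.mac_table)}


if __name__ == "__main__":
    print(learning_demo())
    print("no guard:", flood_scenario())
    print("shutdown:", flood_scenario(max_macs_per_port=2, violation="shutdown"))
    print("restrict:", flood_scenario(max_macs_per_port=2, violation="restrict"))
```

Run without a guard, the table fills and every later frame, including Lisa's unicast to Homer, goes out all ports: the fail-open hub behaviour the post describes. With `max_macs_per_port=2` (the bridged-VM case) the third address on port 2 raises one alert and either shuts the port or freezes its entries, while ports 1 and 4 keep switching normally. On real hardware the same two responses are ordinary port-security violation modes (on Cisco IOS, `switchport port-security violation shutdown` or `restrict`), and the alert list here is where you would hook the SNMP trap or syslog message that your monitoring watches for.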
Q. Your organization has several switches within the network. You need to implement a security control to prevent unauthorized access to these switches. Which of the following choices BEST meets this need?
A. Disable unused ports.
B. Implement an implicit deny rule.
C. Disable STP.
D. Enable SSH.
Answer is A. You can prevent unauthorized access by disabling unused physical ports on the switch. This prevents the connection if someone plugs their computer into an unused, disabled port.
An implicit deny rule is placed at the end of an access control list on a router to deny traffic that hasn’t been explicitly allowed, but it doesn’t control access to physical switch ports.
Spanning Tree Protocol (STP) prevents switching loop problems and should be enabled.
Secure Shell (SSH) encrypts traffic but doesn’t protect a switch.
If you’re studying for the SY0-501 version of the exam, check out the CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide.