5.5 MAC Addressing


To this point we have primarily discussed availability within the switched portion of the network. While availability is an important part of network security, protection against unauthorized intrusion is equally important. A properly configured switch can assist in this type of protection as well. If an administrator can prevent an attacker from plugging directly into the network, it will be that much more secure.

Most networks have several unused ports on their switches. These ports are potential security holes, as anyone can plug into an unused network jack and have access to your network. One solution is to disable all unused ports, and then enable/disable them as needed. This solution is problematic for two reasons:

  1. It takes time away from network administrators who have to constantly enable/disable ports on switches. This is especially true if you have several conference rooms at your location. Every time someone is having a meeting, he or she will need a network jack activated.

  2. Someone must remember to disable the ports after meetings. If the port is not disabled, anyone who happens to wander by the conference room can use it.

A better solution is to restrict access to a port by MAC address. Most switches support this feature, which prevents a port from forwarding traffic unless it comes from the MAC address mapped to that port. In general, this is a good security protocol to implement for networks that are relatively static. If users remain primarily plugged into one network jack, then binding a MAC address to a port will prevent an attacker from unplugging someone's machine and plugging their own in, in hopes of using the active network jack to gain network access.

For areas, such as conference rooms, that have a lot of transient traffic, mapping the MAC address to a port provides a level of security. Only the person who requested access to the port would be able to send data from the port, until the next request comes in and the MAC address changes. This may not be an optimal security solution, but it is a good balance between not allowing any network access to transient areas, and allowing everyone to have network access.

MAC address security is especially important for the core switches. Because that part of the network should be very stable, with very few devices being added or removed, all ports not in use should be disabled, and MAC address security should be enabled on all used ports.

Enabling MAC address security is a relatively simple task. The switch knows the MAC address of the device connected to it, so it can set the address automatically. On a Cisco 5000 switch, it is a couple of lines of configuration. If you want to use the MAC address that the switch has learned from the network device:

  Core1> (enable) set port security 2/23 enable
  Port 2/23 port security enabled with the learned mac address.

Alternatively, if you would prefer to set a MAC address:

  Core1> (enable) set port security 2/20 enable xx-xx-xx-xx-xx-xx
  Port 2/20 port security enabled with xx-xx-xx-xx-xx-xx as the secure mac address.
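The two commands above are typed one port at a time. The following script is an added example, not code from the book or from Cisco: it takes a small port-to-MAC inventory and emits the same "set port security" lines, normalizing addresses into the dashed form CatOS prints and refusing anything that is not a full 48-bit address. It also emits "set port disable" for ports listed as unused, which is the CatOS command for the unused-port rule given earlier in the section and is not shown on the page. The inventory, port numbers and addresses are constructed.

```python
import re

# Hypothetical helper for building CatOS port-security commands from an
# inventory; not part of the book and not a Cisco tool.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC in the dashed form CatOS prints (xx-xx-xx-xx-xx-xx).

    Accepts colon (00:11:22:33:44:55), dash (00-11-22-33-44-55) and
    Cisco dotted (0011.2233.4455) notation. Raises ValueError for anything
    that is not exactly 48 bits of hex, so a typo in the inventory cannot
    silently bind a port to the wrong address.
    """
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def _port_key(port: str):
    # Sort "2/10" after "2/9" instead of lexically.
    module, number = port.split("/")
    return (int(module), int(number))


def port_security_commands(bindings: dict, unused_ports=()) -> list:
    """Emit CatOS commands for one switch.

    bindings maps a port such as "2/20" to the MAC that should be bound to
    it, or to None to let the switch keep the address it has already learned
    (the first form shown above). unused_ports are shut down with
    "set port disable" (assumed CatOS syntax, not shown on the page).
    """
    commands = [f"set port disable {p}" for p in sorted(unused_ports, key=_port_key)]
    for port in sorted(bindings, key=_port_key):
        mac = bindings[port]
        if mac is None:
            commands.append(f"set port security {port} enable")
        else:
            commands.append(f"set port security {port} enable {normalize_mac(mac)}")
    return commands


if __name__ == "__main__":
    # Constructed inventory; the ports and addresses are examples only.
    inventory = {"2/23": None, "2/20": "00:11:22:33:44:55", "2/21": "0011.2233.4466"}
    for line in port_security_commands(inventory, unused_ports=["2/5", "2/6"]):
        print(line)
```

Run it and paste the output into the switch session, or keep the inventory under version control so the bindings can be re-applied after a switch replacement.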

Before implementing MAC address security, be sure to check with your vendor to see if it is supported on the lower-end workgroup switches. A lot of entry-level managed switches do not support this feature, which is a shame, because the access layer is often where it is most needed.

Enabling port security may have the added benefit of finding out if anyone is using unauthorized equipment on your network. The first 24 bits (three octets) of a MAC address indicate the manufacturer of the network card. If a network is fairly homogeneous, then the first 24 bits of all MAC addresses should be the same. If there are discrepancies, it may signal that some employees are using network or company resources for unauthorized purposes.

NOTE

A list of manufacturer codes is maintained by the IEEE and can be found on its website.


Another reason MAC address security is so important is the way in which switches forward traffic. If two network devices with the same MAC address appear on different ports of the same switch, some switches will forward traffic to both ports. Altering a MAC address to mirror another address is a trivial task. If the switch you are using does forward traffic to both ports, then an attacker is not only able to see all traffic destined for the compromised machine, but can also use the information to learn the network topology. The more familiar an attacker is with the network topology, the easier it will be for that attacker to launch a successful break-in.

A second flaw in some switch architectures is that a switch will initially act like a hub. Rather than sending traffic directly to its destination port, when a switch is first added to the network, or when the ARP cache is full, the switch will broadcast traffic to all ports, allowing anyone with a sniffer to monitor the traffic being passed across the network. As expected, there are tools available that will allow an attacker to flood a switch with MAC addresses, thus filling the ARP table of the switch and forcing it to refresh. While the ARP table is refreshing, incoming and outgoing traffic is again broadcast, allowing the same attacker with a sniffer to continue to gather data about your network.
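The three conditions described above (a manufacturer code that does not match the rest of the fleet, one MAC address appearing on two ports, and a port that suddenly carries far more addresses than a single workstation would) can all be read off the switch's forwarding table. The script below is an added example, not from the book or from any switch vendor: it parses a constructed two-column dump of MAC addresses and ports and reports each of the three findings. The table layout, the addresses, the expected-OUI list and the per-port threshold are all constructed assumptions; in practice the OUI list would be filled from the IEEE registry mentioned in the NOTE above.

```python
from collections import defaultdict

# Constructed sample in a simple "<mac>  <port>" layout standing in for a
# dump of the switch's forwarding table; every address and port is made up.
SAMPLE_MAC_TABLE = """\
# mac-address        port
00-11-22-aa-bb-01    2/1
00-11-22-aa-bb-02    2/2
00-11-22-aa-bb-02    2/7
aa-bb-cc-01-02-03    2/9
de-ad-be-ef-00-01    2/12
de-ad-be-ef-00-02    2/12
de-ad-be-ef-00-03    2/12
de-ad-be-ef-00-04    2/12
"""

# Manufacturer codes the site expects to see (constructed placeholder).
EXPECTED_OUIS = {"00-11-22": "standard-issue NIC (constructed label)"}


def parse_mac_table(text: str) -> list:
    """Return [(mac, port), ...] from the two-column dump, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, port = line.split()[:2]
        entries.append((mac.lower(), port))
    return entries


def oui(mac: str) -> str:
    """First 24 bits (three octets) of a dashed MAC: the manufacturer code."""
    return mac[:8]


def find_unknown_ouis(entries, expected_ouis) -> list:
    """Addresses whose manufacturer code is not on the expected list."""
    return [(mac, port) for mac, port in entries if oui(mac) not in expected_ouis]


def find_duplicate_macs(entries) -> dict:
    """MACs seen on more than one port: the cloned-address case."""
    ports_by_mac = defaultdict(set)
    for mac, port in entries:
        ports_by_mac[mac].add(port)
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


def find_flooded_ports(entries, threshold: int) -> dict:
    """Ports carrying more distinct MACs than threshold.

    threshold is a site choice: an access port with one workstation behind
    it normally shows a single address, so a count well above that is what
    an address-flooding tool leaves behind in the table.
    """
    macs_by_port = defaultdict(set)
    for mac, port in entries:
        macs_by_port[port].add(mac)
    return {port: len(macs) for port, macs in macs_by_port.items() if len(macs) > threshold}


def audit(text: str, expected_ouis=EXPECTED_OUIS, threshold: int = 3) -> dict:
    """Run all three checks over one table dump and return the findings."""
    entries = parse_mac_table(text)
    return {
        "unknown_oui": find_unknown_ouis(entries, expected_ouis),
        "duplicate_mac": find_duplicate_macs(entries),
        "flooded_port": find_flooded_ports(entries, threshold),
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_MAC_TABLE).items():
        print(finding, detail)
```

On the sample, the audit flags the five addresses outside the expected OUI, the address shared by ports 2/2 and 2/7, and port 2/12 with four addresses behind it. Scheduling this against a periodic table dump gives a cheap baseline check on access ports where vendor port security is not available.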

Binding a specific MAC address to a port can stop both of these attacks. MAC address security is commonly overlooked as a way to protect switches from unauthorized access. While there is some administrative overhead associated with this type of security, it is worth it when compared to the possibilities if an attacker gains access to one of your switches.


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska