Network blocking
Blocking Network Ports Jay Dombrowski 2-8-07
Brain Storming (no particular order)
What is MAC Locking?
MAC Locking (called "port security" on Cisco switches) ensures that only specific MAC addresses can send traffic through a port; frames from any other source MAC address are discarded. SDSC would use MAC Locking to keep more than one user from using a port at a given time.
What are the types of port locking?
There are two kinds of MAC Locking: dynamic and static. When you enable dynamic MAC Locking on a port, the next MAC address that authenticates on or accesses the port (up to the maximum number of dynamically locked MAC addresses allowed) has exclusive access to that port from then on. Static MAC Locking lets you create a list of locked MAC addresses for a port so that the port accepts traffic only from those addresses. MAC Locking is available only on devices that support it and is not allowed on trunk ports; on Cisco IOS the port must be in a static mode (normally "switchport mode access") before port security can be enabled.
How is MAC Locking implemented?
To take effect on a port, MAC port locking must be enabled on the switch itself. Today this can be done only by logging on to the switch and entering the commands at the command line. Perhaps in the future it can be automated.
What are the results of a violation?
Cisco IOS offers three violation modes: protect (silently drop frames from unknown MAC addresses), restrict (drop them, count the violation, and send an SNMP trap and syslog message) and shutdown (put the port into the error-disabled state, also with a trap and syslog message). SDSC would use restrict or shutdown; with shutdown, an errdisable recovery interval can be set so the port returns to normal automatically. The number of allowed MAC addresses is configurable, and the addresses can be either dynamically learned or statically assigned.
Assume a static MAC address is assigned to a port, the violation mode is shutdown, and the recovery timer is set to 5 minutes. When the user normally assigned to that port connects, all is well. If a frame from any other MAC address is seen, an SNMP notification is sent and the port is error-disabled. After five minutes the port is re-enabled and the process starts over (if the offending device is still attached, the port is shut down again immediately).
An SNMP message is sent to the configured trap host. Not sure what the message looks like at this time. Don't have a trap host set up, but will do some checking with InterMapper (SDSC's standard network monitoring tool) to see how it works and how it might be forwarded to other hosts or applications (like the SDSC syslog server).
Violations can be cleared either automatically (by the errdisable recovery timer) or manually (a "shutdown" followed by "no shutdown" on the interface).
Will want to think about having class types to make configuration easier. The default might be as described in my example above, or two dynamically learned addresses in some offices (or not).
Servers for sure would be allowed only one MAC address.
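To show what the class-type idea and the worked example above (one static MAC, shutdown on violation, 5-minute recovery) look like as actual IOS configuration, here is an added example of a small generator that turns a port inventory into Cisco port-security commands. It is example code written for this memo, not SDSC's or Cisco's code. The class names "server" and "office", the interface names, the MAC addresses, the trap host 10.0.0.5 and the community string are all made up for the example.

```python
"""Generate Cisco IOS port-security configuration from a table of port classes.

Added example for this memo, not SDSC's or Cisco's code. The class names
("server", "office"), the interface names, the MAC addresses, the trap host
10.0.0.5 and the community string are all made up for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

# Five-minute timer from the worked example: err-disabled ports come back
# after this many seconds (IOS accepts 30-86400).
RECOVERY_INTERVAL_SEC = 300

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass(frozen=True)
class PortClass:
    """One class of port: how many MACs it allows, how they are learned,
    and what happens on a violation."""
    name: str
    maximum: int       # switchport port-security maximum N
    violation: str     # protect | restrict | shutdown
    static: bool       # True: operator lists the MACs; False: learned dynamically

    def __post_init__(self):
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")
        if self.maximum < 1:
            raise ValueError("maximum must be at least 1")


# Assumed class table: servers get exactly one static MAC, offices may learn
# two MACs dynamically; both shut the port down on a violation.
PORT_CLASSES: Dict[str, PortClass] = {
    "server": PortClass("server", maximum=1, violation="shutdown", static=True),
    "office": PortClass("office", maximum=2, violation="shutdown", static=False),
}


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the dotted form IOS expects."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def interface_config(ifname: str, cls: PortClass, macs: Sequence[str] = ()) -> List[str]:
    """IOS lines for one port. Static classes need exactly `maximum` MACs;
    dynamic classes must not be given any."""
    if cls.static and len(macs) != cls.maximum:
        raise ValueError(f"{ifname}: class {cls.name} needs {cls.maximum} MAC(s), got {len(macs)}")
    if not cls.static and macs:
        raise ValueError(f"{ifname}: class {cls.name} learns MACs dynamically; do not list them")
    lines = [
        f"interface {ifname}",
        " switchport mode access",          # port security needs a static port mode
        f" switchport port-security maximum {cls.maximum}",
        f" switchport port-security violation {cls.violation}",
    ]
    lines += [f" switchport port-security mac-address {normalize_mac(m)}" for m in macs]
    lines.append(" switchport port-security")   # enable last, after the limits are set
    return lines


def global_config(trap_host: str, community: str) -> List[str]:
    """Trap forwarding plus automatic recovery of ports shut down by a violation."""
    return [
        f"snmp-server host {trap_host} version 2c {community}",
        "snmp-server enable traps port-security",
        "errdisable recovery cause psecure-violation",
        f"errdisable recovery interval {RECOVERY_INTERVAL_SEC}",
    ]


def render(ports: Iterable[tuple], trap_host: str, community: str) -> str:
    """ports: (ifname, class_name, [macs]) tuples -> full config text."""
    out = global_config(trap_host, community) + ["!"]
    for ifname, class_name, macs in ports:
        out += interface_config(ifname, PORT_CLASSES[class_name], macs) + ["!"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed inventory for the example.
    inventory = [
        ("GigabitEthernet0/1", "server", ["00:11:22:33:44:55"]),
        ("GigabitEthernet0/2", "office", []),
    ]
    print(render(inventory, trap_host="10.0.0.5", community="sdsc-ro"))
```

The generator refuses an inventory that does not match its class (a server port with no MAC listed, or an office port with a hard-coded MAC), which is the kind of mistake that otherwise shows up only as a mysterious err-disabled port during troubleshooting. The "errdisable recovery" lines are what implement the 5-minute reset; without them a shutdown-mode violation leaves the port down until someone clears it by hand.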
Keep in mind that different procedures will need to be put in place to assist troubleshooting: port security is new, staff will not expect it to be installed, and it will probably slow down the troubleshooting process.
jd