Network blocking
draft - jd
Requirements for detecting changes in the hosts connected:
- recording of timestamp, MAC address and port
- How would this work with a hub plugged into a switch port?
- What methods exist for generating and transmitting this information?
Thoughts on blocking a user in the network fabric.
MAC Locking?
MAC Locking ensures that only specific MAC addresses can access a port, and that traffic from any other MAC addresses will be discarded. SDSC would take advantage of MAC Locking to prevent more than one user from accessing a port at a given time.
How is MAC Locking implemented?
To take effect on a port, MAC port locking must be enabled at the device level. At present this can only be done by logging onto the switch and entering the commands at the command line. Perhaps in the future it can be automated.
Port locking?
There are two kinds of MAC Locking: Dynamic and Static. When you enable Dynamic MAC Locking on a port, the next MAC address that authenticates or accesses the port (up to the maximum number of dynamic locked MAC addresses allowed) will have exclusive access to that port from that time on. Static MAC Locking lets you create a list of locked MAC addresses for a port so that the port only accepts traffic from those MAC addresses. MAC Locking is only available on devices that support it, and is not allowed on trunk ports.
What are the results of a port being blocked?
On the Cisco equipment SDSC has installed, the violation options are restrict or shutdown, optionally with a time interval after which the port is reset to normal. A maximum number of MAC addresses can be set per port, with the addresses either dynamically learned or statically assigned.
Assume a static MAC address is assigned to a port, the violation action is shutdown, and the recovery timer is set to 5 minutes. When the user normally assigned to that port connects, all is well. If some other MAC address is recognized, an SNMP notification is sent and the port is disabled. After five minutes the port is re-enabled and the process starts over.
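The scenario above written out as a Cisco IOS port-security configuration. This is an added example for the draft, not configuration taken from SDSC's switches; the interface names, the locked MAC address, the trap host address and the community string are placeholders.

```cisco
! Recover err-disabled ports automatically 300 s (5 min) after a violation.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Send port-security traps to the monitoring host (placeholder address and community).
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c TRAP-COMMUNITY-PLACEHOLDER
!
! Static locking: exactly one assigned address, shut the port on anything else.
interface FastEthernet0/1
 description PLACEHOLDER - assigned workstation
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Dynamic locking alternative: the first address learned is kept (sticky) and
! written into the running config; frames from any other address are dropped
! and counted as violations, but the port stays up.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
```

On the switch, show port-security interface FastEthernet0/1 displays the configured address, the violation count and the last offending source address, and show errdisable recovery shows the remaining countdown on a port that was shut down. A manual clear of a shut-down port is shutdown followed by no shutdown on the interface; clear port-security dynamic or clear port-security sticky removes learned addresses.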
The SNMP message is sent to the configured trap host. I'm not sure what the message looks like at this time. I don't have a trap host set up, but I will do some checking with InterMapper (SDSC's standard network monitoring tool) to see how it works and how it might be forwarded to other hosts or applications (such as the SDSC syslog server).
Violations can be cleared either automatically or manually.
Different configurations will be needed on floor switches and computer room switches to assist troubleshooting. Port security is new and not expected to be in place, which could slow down the troubleshooting process.
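One way to meet the recording requirement listed at the top (timestamp, MAC address, port), answer the hub question, and turn a violation message into the same kind of record. This is an added example, not SDSC tooling and not code from this draft. It assumes a poller that periodically reads a switch's learned-address table into snapshots (the snapshots below are constructed), and the violation line is a constructed syslog line in the shape of the IOS %PORT_SECURITY-2-PSECURE_VIOLATION message that the switch logs alongside the SNMP trap; the trap itself is not modelled here. The switch name, port names and addresses are placeholders.

```python
"""Record (timestamp, port, MAC) observations and flag host changes.

Added example for this draft; not SDSC tooling. The snapshot data and the
syslog line are constructed. Switch name, port names and addresses are
placeholders.
"""
import re
from collections import defaultdict

# Constructed learned-address snapshots for one switch:
# (timestamp, [(port, mac), ...]) as a poller might collect every 5 minutes.
SNAPSHOTS = [
    ("2003-03-10T08:00:00", [("Fa0/1", "0011.2233.4455"),
                             ("Fa0/2", "0011.2233.6677")]),
    # Fa0/2 now carries two addresses at once: a hub or small switch was
    # plugged into the port.
    ("2003-03-10T08:05:00", [("Fa0/1", "0011.2233.4455"),
                             ("Fa0/2", "0011.2233.6677"),
                             ("Fa0/2", "0011.2233.8899")]),
    # The host from Fa0/1 has moved to Fa0/3.
    ("2003-03-10T08:10:00", [("Fa0/3", "0011.2233.4455"),
                             ("Fa0/2", "0011.2233.6677")]),
]

# Constructed syslog line in the shape of the IOS port-security violation message.
VIOLATION_LINE = ("Mar 10 08:12:01 sw-floor2 %PORT_SECURITY-2-PSECURE_VIOLATION: "
                  "Security violation occurred, caused by MAC address 0011.2233.99aa "
                  "on port FastEthernet0/1.")

VIOLATION_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+"
    r"%PORT_SECURITY-\d-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (\S+) on port (\S+)\.$"
)


def normalize_mac(mac):
    """Accept Cisco dotted (0011.2233.4455) or colon/dash form; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class PortTracker:
    """Keeps the full (timestamp, port, MAC) history and the last port per MAC."""

    def __init__(self):
        self.history = []      # every observation: the record the draft asks for
        self.last_port = {}    # mac -> port it was last seen on

    def observe(self, timestamp, rows):
        """Ingest one snapshot; return the change events it reveals."""
        events = []
        per_port = defaultdict(set)
        for port, raw_mac in rows:
            mac = normalize_mac(raw_mac)
            self.history.append((timestamp, port, mac))
            per_port[port].add(mac)
            previous = self.last_port.get(mac)
            if previous is None:
                events.append((timestamp, "first_seen", port, mac))
            elif previous != port:
                events.append((timestamp, "moved", port, mac))
            self.last_port[mac] = port
        # Several addresses behind one port in the same snapshot is the hub case;
        # with port-security maximum 1 the switch would treat the second as a violation.
        for port, macs in sorted(per_port.items()):
            if len(macs) > 1:
                events.append((timestamp, "multiple_hosts", port, ",".join(sorted(macs))))
        return events


def parse_violation(line):
    """Turn a violation syslog line into the same kind of record, or None if it is not one."""
    match = VIOLATION_RE.match(line)
    if not match:
        return None
    when, switch, mac, port = match.groups()
    return {"time": when, "switch": switch, "port": port, "mac": normalize_mac(mac)}


def run():
    tracker = PortTracker()
    events = []
    for timestamp, rows in SNAPSHOTS:
        events.extend(tracker.observe(timestamp, rows))
    return events, parse_violation(VIOLATION_LINE)


if __name__ == "__main__":
    events, violation = run()
    for event in events:
        print(*event)
    print(violation)
```

The tracker reports three things the draft cares about: an address seen for the first time, an address that has moved to a different port, and more than one address behind a single port in one snapshot (the hub case). The parsed violation record has the same fields as the polled observations, so both can be written to the same log or forwarded to the same syslog destination.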
Note: I'm told Cisco has made changes to some parts of this, but I have not researched the changes to the implementation. jd