Traditional Switch Port Security

With cybersecurity becoming an increasingly important factor in designing modern Ethernet networks, ComNet have launched an industry-first edge security feature that is simple, secure and easy to configure and use. The ComNet exclusive Port Guardian feature has the capability to physically disable a port if unauthorized access is detected.

The value in Port Guardian comes in situations where network intrusion is attempted by disconnecting an IP-addressable device at the edge in order to connect to the network in its place. When Port Guardian senses this disconnect, an SNMP notification is sent to the head end and the affected port is physically locked out, preventing access. The network administrator can re-enable the port once the threat is eliminated. This feature also thwarts access through ‘spoofing’ by disabling the port as soon as an interruption is sensed.

Layer 2 managed switches can typically implement port security, which consists of checking the source MAC address of incoming packets against a configured address.

If a packet with a valid MAC address is received on a particular port then the switch will allow that packet to pass through the switching fabric of the switch as normal.

If a packet with an invalid MAC source address is received on the switch port then that packet is dropped by the switch and is not allowed to proceed any further. This provides a basic level of security, since only traffic from the user-defined MAC address is allowed on that port.

With this method it is therefore easy to implement basic port security against a potential intruder who removes the original device and replaces it with a device designed for network intrusion, or who cuts the cable that went to the original device and connects that cable to their own network intrusion device to gain access to the network.

This level of protection is common amongst most layer 2 managed switches on the market today and indeed all ComNet managed switches support this capability as standard. This feature is referred to by many names including (but not limited to) the following:

  • Port locking.
  • MAC locking.
  • Port security.
  • MAC filtering.

What’s wrong with traditional switch port security?

The issue with the traditional Layer 2 MAC filtering/locking described above is that it can be defeated with relative ease, in a matter of minutes, using readily available software that alters the MAC address of the sender to whatever the potential intruder wants. In the example below the intruder alters the MAC address of their laptop to match the MAC address of the authorised camera and gains access to the network.

How would the intruder know what MAC to spoof?

So how would a potential intruder know the MAC address of the camera (in this example) in order to be able to spoof that address from their laptop and gain network access?

This could be done in several ways, but one simple way would be to use a low-cost network tap device: the camera is briefly unplugged, connected to the tap, and then quickly re-connected to the network again. The operator would see video loss for some seconds but would be unlikely to put this down to a potential intruder, if it were noticed at all.

How does Port Guardian prevent such intrusions?

At the basic level Port Guardian works as a layer 1 protection system, so the actual data being sent on the port is not important and the switch does not need to know anything about it. Port Guardian constantly monitors the enabled ports, and as soon as it detects that a cable has been unplugged or a link-down event occurs, that port is immediately disabled and the network administrator is notified of the potential intrusion via an SNMP alert (and optionally by a local contact relay, if supported on the particular switch model).

What happens after Port Guardian locks out a port?

Once Port Guardian has been triggered on a certain port, that port is in a permanent lock-out condition and will appear dead to the potential intruder (no LEDs or anything else will work on that port). The port will remain in this lock-out condition even if the original legitimate device is re-connected. The lock-out state can only be cleared by the network administrator through one of 4 possible methods, as outlined below:

  • SNMP reset command issued.
  • Reset via Web GUI.
  • Port Guardian reset command issued from the local USB serial port CLI.
  • A contact input is closed (only available on models that have contact inputs).

The contact input method is user configurable and is not enabled by default.

What about cycling power to the switch? This is another user-configurable option. The port lock-out states can be set to clear on a power cycle, or they can be set to go into the lock-out condition in the event of a power cycle (this is the most secure option).
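The two mechanisms described above, as an added simulation that is not ComNet's code (the class names, the alert string and the four reset-method labels are my own assumptions): the traditional source-MAC check forwards any frame carrying the configured address regardless of which device sent it, while the layer 1 lockout reacts to the link-down event itself, stays locked when a device is reconnected, clears only on an administrator reset, and applies the configurable power-cycle policy.

```python
class Layer2PortSecurity:
    """Traditional MAC locking: a frame is forwarded only when its source MAC
    matches the address configured for the port. Nothing here identifies
    which physical device actually sent the frame."""

    def __init__(self, allowed_mac):
        self.allowed_mac = allowed_mac.lower()

    def forward(self, src_mac):
        return src_mac.lower() == self.allowed_mac


class PortGuardian:
    """Layer 1 lockout: a link-down event on a guarded port disables it and
    raises an SNMP-style alert (modelled as a list entry). The port stays
    locked when a device is reconnected until an administrator resets it.
    power_cycle is the configurable option: "clear" re-enables every port
    after a power cycle, "lock" locks every guarded port instead."""

    RESET_METHODS = {"snmp", "web", "cli", "contact"}  # assumed labels

    def __init__(self, guarded_ports, power_cycle="lock"):
        self.guarded = set(guarded_ports)
        self.power_cycle = power_cycle
        self.locked = set()
        self.alerts = []

    def link_down(self, port):
        if port in self.guarded and port not in self.locked:
            self.locked.add(port)
            self.alerts.append(f"portGuardianLockout port={port}")

    def link_up(self, port):
        # Reconnecting the original device never clears a lockout.
        return port not in self.locked

    def admin_reset(self, port, method):
        if method not in self.RESET_METHODS:
            raise ValueError(f"unknown reset method: {method}")
        self.locked.discard(port)

    def power_cycle_event(self):
        if self.power_cycle == "clear":
            self.locked.clear()
        else:
            self.locked |= self.guarded
```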

So how can Port Guardian be used in networks?

There are really two distinct ways to use the Port Guardian feature, and the correct implementation depends on how secure the location is where your remote ComNet edge switch (with the Port Guardian feature) is installed. An outline description and visual example of both scenarios follows.

Edge switch in secure location scenario

If the ComNet edge field switch is installed within a secure location then there is no concern about an intruder gaining access to the physical switch itself. In that case one could enable Port Guardian only on the ports with edge devices that are physically located outside the secure location, and not enable it on the uplink port(s), which are part of the secure network. In this scenario one could also set the option to have a power cycle clear any locked-out ports, as again there is less concern about a potential intruder being able to power cycle the switch itself.

Edge switch in unsecured location scenario

If the ComNet edge field switch is installed within an unsecured location (such as at the base of a camera column) then there would be a concern about an intruder gaining access to the physical switch itself to potentially access the network.

There are 2 possible options for system configuration in this case which are as follows:

  1. Enabling Port Guardian on all the ports of the edge switch and setting the power cycle option to force port lock-out: This offers protection on all ports. The downside is that if there were a power failure, the only way to gain access to the switch again would be to send an engineer to the switch itself to reset it via the USB serial port CLI.
  2. Using switches at both sides of the system that have the Port Guardian feature: The switch at the field side would have it enabled only on the ports with edge devices connected, while the switch at the head end would have it enabled only on the uplink port that connects to the field edge switch. This offers full protection and allows recovery after a power failure, as 1 port will always remain accessible because Port Guardian is not enabled on it.

 Tom Exley – Technical Head, ComNet
