Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: For or Against: Port Security for Network Access Control - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
For or Against: Port Security for Network Access Control

I had an interesting discussion tonight with fellow handler Manuel on the pros and cons on port security as it relates to Network Access Control.  I thought it would be interesting to see where others in the security field stand on the issue.  Is it worth the effort or not?  Is it a valuable tool in Defense in Depth?  Here are some of the For and Against arguments we discussed:

For Arguments:

  • Stops others from being able to plug into your infrastructure, they would have to search to find a port that has not been configured correctly
  • Can audit logs to determine if empty ports are turned on or off
  • Can alert you more quickly to rogue devices being plugged into your infrastructure
  • Not a perfect solution but should be part of your defense in depth solution, its not meant to be a "stand alone" solution

Against Arguments:

  • If you fake the MAC address to the host, you are in
  • Insider/outsider threat is great since physical security to equipment is not well controlled in many organizations
  • Have to take into account failover scenarios or you can DoS yourself
  • Hard to manage large number of switch ports to ensure they are configured correctly at all times

So, is port security worth the effort or do many of you find its too time consuming and the benefits are not that great?  If you using it and have tips for successful implementation, please share them so others can benefit.  It is Cyber Security Awareness Month and this would be a good opportunity to help educate each other on issues you have encountered with port security or how it has helped protect your organization.

 

Lorna

154 Posts
ISC Handler
The term port security is somewhat ambiguous. It can mean locking the port down to a specific MAC, secured via ACL, or part of the implementation of 802.1x. The latter is the way I would recommend implementing port security as it mitigates most of the cons and is conducive to formal implementations of NAC. With 802.1x you would have a minimal role for the hardware, PC lets say, and a more liberal role for the user depending on their position. You can implement MAC authentication defining a role for the PC that only allows port 80/443.If the MAC is spoofed you could only access those ports. Greater access is provided to the user role and would apply wherever they log in. This is simply put to keep this short. That's my brief!
Anonymous

Posts
If you fake the MAC, you still need the certificate.. at least if NAC in your books means something worthwile like 802.1x authentication.
If you're in a situation where you're facing "a large number of switch ports", you should also have the budget for centralized management solutions like Cisco Works or similar, which allow for automated baseline configuration audits.
Visi

40 Posts Posts
It all depends on the type of network that you are supporting, however I am not against port-security by any stretch of the imagination. You are definitely correct in saying that it should be part of your Defense in Depth solution. I prefer to enable port security because your insider threat is the greatest threat to any organization. In my professional experience, I have caught several contractors (electricians, cable contractors) attempting to connect to our switches while performing their work, this occurred even with our IDF's located 15 ft high on a wall in a warehouse environment. My preferred setup from just a network switch perspective is to place unused ports in a non-routed vlan to eliminate the mis-configurations of port-security. This also reduces the management difficulty when a new computer is connected, just hook up a link-runner and identify the port versus trusting the wall jack label to be correct.

In my prior job in the military, port-security helped identify and track down rogue pc's andnetwork devices not authorized to be on the network. This provides undeniable proof, via mac address, that a pc was connected or attempted to connect to that port. This helps greatly when users try to bring their personal pc's into the office thinking that they can just connect to the network. Many computers and networks are compromised by users unknowingly opening a back door, such as an infected PC connecting to a trusted network.

While port-security does have it's complexities and management overhead, there is definitely the need for it. Security/Network Engineers get paid to be safe and protect the network, not to make their job easier.

Ken
ken

1 Posts Posts
I have run networks configured with "port security" as a sort of "poor man's NAC." It's a bit of a pain, and you really have to coordinate all the aspects to make it work and get any real value out of it. But it definitely does give you awareness of what's plugged in, what ports are in use, and when someone monkeys with one.
packetdude

22 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!